SIEM Configurations
Kron PAM can send the logs selected in the SIEM Configuration page to a Syslog listener. The server information and the packet content are managed with parameters in the System Config Management screen. The server that the packets are sent to is configured with the parameters listed in Table 1.
To configure SIEM integration:
- Navigate to Administration > System Config Management.
- Set the following parameters and Save.
Parameter | Default value | Possible Values | Defined Values to Generate Log Samples |
---|---|---|---|
syslog.server.hostName | n/a | | 10.10.10.10 |
syslog.server.port | 514 | | 514 |
syslog.message.rfcFormat | RFC_5424 | RFC_5424, RFC_3164 | RFC_5424 |
syslog.connection.protocol | UDP | TCP, UDP | UDP |
syslog.message.content.format | KEY_VALUE | KEY_VALUE, CEF | CEF |
- Establish an SSH connection to the Kron PAM server and restart netright-tomcat with the following command:
  [root@sc~]# systemctl restart netright-tomcat
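As an added example (not Kron PAM's own code or its documented message schema), the following Python script decodes packets of the shape configured above: an RFC 5424 header carrying either a CEF or a KEY_VALUE body, so a receiving side can check that the parameters in Table 1 produce parseable records. The sample packet, the vendor/product strings and the field names are constructed; listen_udp binds the port from syslog.server.port and needs privileges to bind 514.

```python
import re
import socket

# Constructed sample: an RFC 5424 header with a CEF body, the shape a listener sees with
# rfcFormat=RFC_5424 and content.format=CEF. Values are illustrative, not Kron PAM's schema.
SAMPLE_PACKET = ("<134>1 2024-01-01T12:00:00Z pam-host kronpam - - - "
                 "CEF:0|Kron|PAM|1.0|100|AuthLog|3|suser=alice act=login src=10.10.10.10")

RFC5424_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) "
                        r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$", re.DOTALL)
CEF_KEYS = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]

def kv_pairs(text: str) -> dict:
    """Space-separated key=value pairs (values containing spaces are not handled here)."""
    return dict(re.findall(r"(\w+)=(\S+)", text))

def parse_rfc5424(packet: str) -> dict:
    """Split an RFC 5424 line into header fields; PRI is decoded into facility and severity."""
    m = RFC5424_RE.match(packet)
    if not m:
        raise ValueError("not an RFC 5424 message")
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields.pop("pri")), 8)
    return fields

def parse_cef(body: str) -> dict:
    """Parse a CEF body: seven pipe-delimited header fields, then the key=value extension."""
    parts = body.split("|", 7)
    if not body.startswith("CEF:") or len(parts) < 8:
        raise ValueError("not a complete CEF record")
    record = dict(zip(CEF_KEYS, parts[:7]))
    record["cef_version"] = record["cef_version"][4:]  # strip the "CEF:" prefix
    record["extension"] = kv_pairs(parts[7])
    return record

def parse_packet(packet: str) -> dict:
    """Decode one packet, expanding a CEF body or a KEY_VALUE body as appropriate."""
    fields = parse_rfc5424(packet)
    body = fields.pop("msg")
    is_cef = body.startswith("CEF:")
    fields["cef" if is_cef else "kv"] = parse_cef(body) if is_cef else kv_pairs(body)
    return fields

def listen_udp(bind: str = "0.0.0.0", port: int = 514, count: int = 1) -> list:
    """Receive `count` datagrams on the UDP port set in syslog.server.port and decode each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        return [parse_packet(sock.recvfrom(65535)[0].decode("utf-8", "replace"))
                for _ in range(count)]
```

A record that fails to parse (for example a truncated CEF header) raises ValueError, which is the signal to compare the rfcFormat and content.format parameters on both ends.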
In the SIEM Configuration screen, you can set the log type and the record limit of a Syslog packet. When the configuration is saved, the SIEM module forwards the generated Syslog packets to the Syslog server.
To set up log configurations:
- Navigate to SIEM > SIEM Configuration.
- Select the Log Type and the Maximum Record Limit (see Table 2).
- Click Save.
Log Type | Description |
---|---|
AuthLog | This log file contains authentication logs of the Kron PAM users. When users log in or log out of the system, an authentication log is sent to the SIEM server. |
CommandLog_All | This log file contains all commands, file transfers, key logs, and OCR data obtained during sessions. |
CommandLog_Command | This log file contains commands executed during a session. |
CommandLog_FileTransfer | This log file keeps the information of files transferred during an RDP session. |
CommandLog_KeyLog | This log file keeps the key log, which contains mouse clicks and keyboard inputs during an RDP session. |
CommandLog_Ocr | This log file contains the OCR data generated during an RDP session. |
EventLog | This log file contains user events in the WebGUI session. When users add, edit, or delete an item (user, device, realm, parameter, etc.), these operations are logged and sent to the SIEM server. |
Sapm_New_User | This log file contains the new user information, as shown on the SAPM new users log page. |
SessionLog | This log file contains the session info like the target IP address, start/end time, etc. |
You can start/stop the log recording manually.
To enable/disable SIEM logs:
- Navigate to SIEM Configuration.
- Click the Options drop-down menu button in the Log Configuration section.
- Click Disable Configuration or Enable Configuration.
To see the SIEM logs sent by Kron PAM:
- Navigate to SIEM > SIEM Configuration.
- Open the Monitoring tab.
- Fill in the fields to filter and click Search.