-
Title
As a CA Admin, I would like to see Internal Change Auditor events generated when a coordinator is unable to send events to a SIEM subscription. -
Description
Request resiliency so when the SIEM event subscription didn't move over to another coordinator, either with a notification that it couldn't communicate to the SIEM host, or try another Coordinator until it finds one that could. Create an Enhancement Request to try another Coordinator if it cannot connect to the subscription, or at least a notification after an amount of time, or have it failover to another Coordinator.
-
Resolution
This was logged as an enhancement request number 347467, which was implemented since version 7.4:
If a coordinator detects that the event being sent to a SIEM subscription has been consistently failing for a specified time, it will try another coordinator that has been specified as an allowed coordinator to send events to a SIEM tool. If the second coordinator successfully sends events to the SIEM subscription, it will continue performing the task.
The following internal events help to keep you informed of any issues (which means that you can create a search with an alert enabled):
• The Event forwarding suspended due to webhook error internal event alerts you to a SIEM connection issue.
• The Event forwarding has resumed internal event indicates that the connection has been restored.By default, the failover time period for the coordinator is set to 30 minutes.
-
Defect ID
347467 -
Additional Information
Refer to the topic called "Subscription failover support" of the SIEM integration User Guide: https://support.quest.com/technical-documents/change-auditor/siem-integration-user-guide