How does one set up log forwarding from InTrust repositories to a SIEM solution?
Cause
Events that arrive in a repository can be passed on to SIEM systems that know how to receive, store and index them for analysis. This is known as audit data forwarding and is configured on a per-repository basis.
Resolution
Forwarding is set up in the InTrust Deployment Manager:
Open the Deployment Manager and right-click the collection that you wish to forward to a SIEM solution.
Select Edit Collection.
Click Next until you reach the Data Sources and Repository page.
Click the browse button to the right of Selected Repository.
Select the repository and click the Edit button.
If one shared repository is used for all collections, a warning appears: "There are other collections (listed below) that use the <selected repository name> repository. Further changes will apply to all these collections. Continue anyway?" Click Yes if you want the change to apply to all of those collections.
If the repository is dedicated to this one collection, proceed straight to the Forwarding tab.
Enable forwarding and provide the following details, which control how forwarding is performed:
Destination host—The host that listens for forwarded messages
Port—The port that the destination host uses for listening
Message encoding—by default, Western European is used
Message format—The format in which data is expected on the receiving end; see the Data Conversion Formats section of the InTrust 10.7 ChangeAuditor Integration Guide for details.
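A receiver-side check for the settings above, added here as an example and not taken from the article or from Quest's own tooling: it binds the configured destination host and port, collects forwarded messages, and decodes each one with the encoding set in the Forwarding tab, flagging bytes that a SIEM expecting UTF-8 would render as mojibake. It assumes forwarding arrives as UDP datagrams and that "Western European" corresponds to Windows-1252 (cp1252); the host, port and sample event text are constructed placeholders.

```python
import socket

# Assumption: InTrust's "Western European" encoding maps to Windows-1252.
DEFAULT_ENCODING = "cp1252"


def decode_forwarded(raw: bytes, configured: str = DEFAULT_ENCODING) -> dict:
    """Decode one forwarded message the way the SIEM would and report whether the
    same bytes are also valid UTF-8. Non-ASCII bytes that are valid UTF-8 while the
    repository is set to cp1252 usually mean the two sides disagree on encoding."""
    text = raw.decode(configured, errors="replace")  # cp1252 has undefined bytes
    try:
        raw.decode("utf-8")
        utf8_ok = True
    except UnicodeDecodeError:
        utf8_ok = False
    return {
        "text": text,
        "utf8_ok": utf8_ok,
        # ASCII-only payloads decode identically under every Western encoding.
        "encoding_sensitive": not raw.isascii(),
    }


def receive_messages(host: str, port: int, count: int, timeout: float = 30.0) -> list:
    """Listen on the configured destination host/port (assumed UDP) and collect up to
    `count` datagrams, returning (sender, decoded-report) pairs."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((host, port))
        while len(results) < count:
            try:
                raw, peer = sock.recvfrom(65535)
            except socket.timeout:
                break  # nothing arrived: check host, port and firewall on both ends
            results.append((peer[0], decode_forwarded(raw)))
    return results


if __name__ == "__main__":
    # Constructed sample event, as the repository would emit it under cp1252.
    sample = "4624 Logon by Müller".encode(DEFAULT_ENCODING)
    print(decode_forwarded(sample))
    # Placeholder listener values; ports below 1024 need elevated privileges.
    for sender, report in receive_messages("0.0.0.0", 5514, count=5, timeout=10.0):
        print(sender, report)
```

Messages reported with utf8_ok set to True and encoding_sensitive set to True while the repository is configured for Western European indicate that the SIEM and the repository should be aligned on one encoding before the events are indexed.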