Chat now with support
Chat with Support

The Quest and One Identity Support Portals will be unavailable on Friday July 10, 2020 from 5:30 PM to 6:30 PM for website maintenance.

InTrust 11.3.2 - Integration into SIEM Solutions Through Event Forwarding

Integration into SIEM Solutions Through Syslog Forwarding

Integration into SIEM Solutions Through Syslog Forwarding

Events that arrive in a repository can be passed on to SIEM systems that know how to receive, store and index them for analysis. This is known as audit data forwarding and is configured on a per-repository basis.

Turning Forwarding On and Off

Forwarding has a dedicated group of settings in the properties of a repository. Use the Enable forwarding option to turn it on and off for the repository you are working with.

From the moment you turn forwarding on, events that arrive in the repository during real-time collection will be forwarded. Events that were already in the repository will be ignored.

NOTE: Forwarding does not work for events that are gathered to repositories by InTrust gathering jobs as part of the workflow described in the Auditing Guide.

For details about repository options, see Managing Repositories.

Caution: Do not forward events to an InTrust server that listens for Syslog messages, because the messages will arrive with incorrect timestamps.

The following options control how forwarding is performed:

  • Destination host
    The host that listens for forwarded messages.
  • Port
    The port that the destination host uses for listening.
  • Message encoding
    By default, Western European is used.
  • Message filtering
    If you need only a subset of the repository data, you can specify one of the available filters. These filters are really Repository Viewer searches. If you want to add or modify a filter, open Repository Viewer and make your changes. Your filter will be available the next time you configure forwarding. For details about working with searches, see Searching for Events in Repository Viewer. Using searches as filters has some important implications; see Filtering Specifics below for details.
  • Message format
    The format in which data is expected on the receiving end; see Data Conversion Formats for details. This setting has no effect on data that arrives from Syslog devices; such data is forwarded unchanged. Only collected Windows event log data is converted to the specified format.

Filtering Specifics

  • Repository Viewer searches support grouping and sorting, but these settings have no meaning for message forwarding and will be ignored.
  • If you edit a search that is already used as a filter, your changes will affect the filtering. Consider making dedicated searches for filtering purposes.
  • If a filtering search is deleted, filtering is turned off for the repository that used it.
  • If you use predefined searches as a filters, note that changes made to them in Repository Viewer are not applied.
  • Be careful when specifying the time range for the searches that will be used as filters. If you set the wrong type of range, this can effectively turn off message forwarding. For example, if you set a time range based on the “Last” keyword, no matches will ever occur. You should not specify a time range for a filtering search.

Data Conversion Formats

SIEM appliances expect data in a specific format. For forwarding to be useful, InTrust must convert the contents of the repository to that format before passing them on.

The following output formats are supported:

You can add support for other formats by providing custom format definition scripts.

To specify a different format, select the Custom Format item in the Message format drop-down list, click Edit, and use the editor that opens.

Note the following specifics:

  1. Your custom formatting code must implement the Transform() function. This function will be used as the entry point by the event forwarding engine. It takes an event object and its sequential number as arguments, and it returns a string.
  2. The custom message format will be applied only to the repository you are working with, and will not be replicated to other repositories.
  3. Switching from the custom format to the predefined format resets the custom format script to its default state. Back up your custom format script in a file.

For more details about formatting custom messages, study the default formatting script provided in the built-in editor. This is a valid script that replicates the functionality of the predefined SecureWorks forwarding component in InTrust. To change the message format, either edit the Format variable or write your own custom script using this default script as an example. In the Format string, event field names enclosed in percent signs (%) will be replaced by their values.

For details about event objects and the InTrust object model in general, see Customization Kit.

Recommended Event Forwarding Scenario

For best results, consider using a dedicated repository for event forwarding. You can create the repository in advance in the Storage view of InTrust Deployment Manager. Alternatively, you can select to create a new repository when you create your new forwarding-oriented collection in the Collections view.

To make sure your repository doesn't waste disk space, set up daily cleanup for it. Cleanup is configured in the repository properties in the Storage view.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents