
InTrust 11.3 - Integration into SIEM Solutions Through Event Forwarding

Syslog Forwarding Overview

Integration into SIEM Solutions Through Syslog Forwarding

Events that arrive in a repository can be passed on to SIEM systems that know how to receive, store and index them for analysis. This is known as audit data forwarding and is configured on a per-repository basis.

Turning Forwarding On and Off

Forwarding has a dedicated group of settings in the properties of a repository. Use the Enable forwarding option to turn it on and off for the repository you are working with.

For details about repository options, see Managing Repositories.

Caution: Do not forward events to an InTrust server that listens for Syslog messages, because the messages will arrive with incorrect timestamps.

The following options control how forwarding is performed:

  • Destination host
    The host that listens for forwarded messages.
  • Port
    The port that the destination host uses for listening.
  • Message encoding
    By default, Western European is used.
  • Message filtering
    If you need only a subset of the repository data, you can specify one of the available filters. These filters are really Repository Viewer search folders. If you want to add or modify a filter, open Repository Viewer and make your changes. Your filter will be available the next time you configure forwarding. For details about working with search folders, see Searching for Events in Repository Viewer. Using search folders as filters has some important implications; see Filtering Specifics below for details.
  • Message format
    The format in which data is expected on the receiving end; see Data Conversion Formats for details. This setting has no effect on data that arrives from Syslog devices; such data is forwarded unchanged. Only collected Windows event log data is converted to the specified format.

Filtering Specifics

  • Repository Viewer search folders support grouping and sorting, but these settings have no meaning for message forwarding and will be ignored.
  • If you edit a search folder that is already used as a filter, your changes will affect the filtering. Consider making dedicated search folders for filtering purposes.
  • If a filtering search folder is deleted, filtering is turned off for the repository that used it.
  • If you use predefined search folders as filters, note that changes made to them in Repository Viewer are not applied.
  • Be careful when specifying the time range for the search folders that will be used as filters. If you set the wrong type of range, this can effectively turn off message forwarding. For example, if you set a time range based on the “Last” keyword, no matches will ever occur. You should not specify a time range for a filtering search folder.

Data Conversion Formats

SIEM appliances expect data in a specific format. For forwarding to be useful, InTrust must convert the contents of the repository to that format before passing them on.

The following output formats are supported:

You can add support for other formats by providing custom format definition scripts.

To specify a different format, select the Custom Format item in the Message format drop-down list, click Edit, and use the editor that opens.

Note the following specifics:

  1. Your custom formatting code must implement the Transform() function. This function will be used as the entry point by the event forwarding engine. It takes an event object and its sequential number as arguments, and it returns a string.
  2. The custom message format will be applied only to the repository you are working with, and will not be replicated to other repositories.
  3. Switching from the custom format to the predefined format resets the custom format script to its default state. Back up your custom format script in a file.

For more details about formatting custom messages, study the default formatting script provided in the built-in editor. This is a valid script that replicates the functionality of the predefined SecureWorks forwarding component in InTrust. To change the message format, either edit the Format variable or write your own custom script using this default script as an example. In the Format string, event field names enclosed in percent signs (%) will be replaced by their values.

For details about event objects and the InTrust object model in general, see Customization Kit.
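As an added example (not InTrust's own default script), the following JavaScript shows how a Transform() script could expand the %field% placeholders in a Format string into a single Syslog line, collapsing embedded line breaks so that a multi-line event description does not split into several messages on the receiver. The event object model is an assumption here: a plain object with one property per event field stands in for the real event object described in the Customization Kit.

```javascript
// Added example, not InTrust's default formatting script. Assumptions: the
// forwarding engine calls Transform(event, seq) as described, the script runs
// as JScript/JavaScript, and event fields are readable as properties of the
// event object (a plain object is used as a stand-in below).
var Format = "<%Severity%> InTrust seq=%Seq% host=%Computer% log=%Log% id=%EventID% user=%User% msg=%Description%";

// Replace every %Name% placeholder in Format with the matching event field.
// Fields the event does not carry become "-" instead of a literal placeholder.
function expandFormat(format, fields) {
  return format.replace(/%([A-Za-z0-9_]+)%/g, function (match, name) {
    return Object.prototype.hasOwnProperty.call(fields, name) ? String(fields[name]) : "-";
  });
}

// Collapse CR/LF and other control characters so that one event always
// yields exactly one line on the Syslog side; a multi-line Description
// would otherwise be parsed by the receiver as several separate messages.
function singleLine(text) {
  return text.replace(/[\r\n]+/g, " ").replace(/[\x00-\x1f\x7f]/g, "?");
}

// Entry point used by the forwarding engine: event object + sequential number.
function Transform(event, seq) {
  var fields = {};
  for (var key in event) {
    if (Object.prototype.hasOwnProperty.call(event, key)) { fields[key] = event[key]; }
  }
  fields.Seq = seq;
  return singleLine(expandFormat(Format, fields));
}

// Constructed sample event for a stand-alone run (not real repository data).
var sampleEvent = {
  Severity: 13, Computer: "DC01", Log: "Security", EventID: 4624,
  User: "CORP\\alice",
  Description: "An account was successfully logged on.\r\nLogon Type: 10"
};
```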

Basic Event Forwarding Scenario

This scenario applies if both of the following are true for the repository that you want to forward events from:

  1. The InTrust server that manages the repository has at least 8 CPU cores.
  2. The rate of incoming events is no more than 2,000 per second.

Note: If you use custom script-based format conversion, the rate of outgoing events will be considerably lower than with the predefined format.

In this case, all you need to do is enable event forwarding for your existing repository, as described in the Turning Forwarding On and Off topic.

InTrust logs its event forwarding activities and gives you errors if the forwarding queue overflows. If this happens, the event rate is too high, and there will be gaps in the continuity of forwarded events. In that case, you should use the recommendations from the Advanced Event Forwarding Scenario topic.

Note: The retention threshold for the event forwarding queue is 48 hours by default. Events that are older than the threshold value are dropped from the queue and cannot be forwarded.
