SIEM Connector Instructions

Getting Started with SIEM Logger

The SIEM Logger product exports PreVeil user activity logs to a variety of external log collection systems, including Security Information and Event Management (SIEM) systems. It can export the data in industry-standard syslog format or convert it to another format supported by NXLog.

The product is provided as a self-contained image, either for a Docker container or for a full virtual machine (e.g., VMware). In either case, the components are as follows:

In white are the third-party components: we use supervisord for process management, and NXLog to convert the logs from syslog format and route them to an external destination. In green are the standard PreVeil components for managing keys and reading activity log data, which are also part of our desktop client software. And in purple is the SIEM Logger application, which manages the control flow.

The SIEM Logger works using our data export mechanism. It holds the keys of an admin user who can perform data export, plus the keys of members of the organization's data export approval group. With these it can automatically initiate a data export and then vote to approve it. Once it has data export access, it can read any of the organization's activity logs.

Setting Up a Virtual Machine

The VM images we provide are based on Ubuntu Linux version 20.04, their latest long-term support (LTS) release. We are currently using VMware's OVF format for the image but may provide it in additional formats in the future. It is important to distinguish between the software itself and the user configuration and state data, which live in the following locations:

Data File or Directory     Purpose
/var/preveil               User data for the standard PreVeil components
/siem-logger/etc           State of the SIEM Logger component
/etc/nxlog/nxlog.conf      NXLog configuration; how log data should be routed

These files will need to be copied over when upgrading to a newer VM. Alternatively, they could be symlinked to an external user data volume that persists across upgrades.
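The symlink approach described above, as an added example that is not part of PreVeil's documentation or tooling: a POSIX shell function that moves the three stateful paths from the table onto an external volume and leaves symlinks in their place. The mount point /mnt/siem-data is an assumption, not a path from the product; the ROOT argument lets the same function be exercised against a scratch directory before it touches the real filesystem.

```bash
#!/bin/sh
# Added example, not PreVeil's own tooling: keep SIEM Logger state on an external
# volume so it survives VM image upgrades, as the documentation suggests.
# The three paths come from the documentation's table; the mount point
# /mnt/siem-data is an assumption.

STATE_PATHS="/var/preveil /siem-logger/etc /etc/nxlog/nxlog.conf"
DEFAULT_VOLUME=/mnt/siem-data

# migrate_to_volume ROOT VOLUME
#   ROOT   prefix under which the state paths live: "" for the real filesystem,
#          or a scratch directory for a dry run
#   VOLUME directory on the persistent volume that holds the copies
# First run (fresh volume): each path is moved onto the volume and replaced by a
# symlink. Later runs (upgraded image, populated volume): the image's default copy
# is set aside as PATH.from-image and the symlink points at the persisted state.
# Returns 1 if a state path is missing from both the image and the volume.
migrate_to_volume() {
    root=$1
    volume=$2
    for p in $STATE_PATHS; do
        src="$root$p"
        dst="$volume$p"
        if [ -L "$src" ]; then
            continue                        # already migrated
        fi
        mkdir -p "$(dirname "$dst")" "$(dirname "$src")"
        if [ -e "$dst" ]; then
            # the volume already holds this state: keep the image's default copy aside
            if [ -e "$src" ]; then
                mv "$src" "$src.from-image"
            fi
        elif [ -e "$src" ]; then
            mv "$src" "$dst"                # first migration: seed the volume
        else
            echo "missing state path: $src" >&2
            return 1
        fi
        ln -s "$dst" "$src"
    done
}

# Only touch the real filesystem when asked to; running without arguments does nothing.
if [ "${1:-}" = "--apply" ]; then
    migrate_to_volume "" "${2:-$DEFAULT_VOLUME}"
fi
```

Stop the services first (supervisorctl stop all), run the script once with --apply on the first VM to seed the volume, and after upgrading to a new image attach the same volume and run it again: the image's default copies are set aside as *.from-image and the paths resolve to the persisted state.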

The VM does not need to accept any incoming network connections except SSH and should only make outgoing connections via HTTPS. We expect configuration to be performed as the root user; the image ships with a root password of siem. It is critically important to change this password before exposing the VM to the Internet. If you would prefer to log in with a non-root account that has sudo permissions, that should work fine as well.

Common Setup

Prerequisites

You should have a PreVeil organization with an export approval group. There should be an export user, a dedicated PreVeil user account that will be transferred onto the SIEM Logger. Additionally, the members of the export group (the approvers) will need to transfer their accounts. These could be dedicated approver accounts or existing accounts, but they must make up a quorum of the export group so that they can vote to export log data automatically.

Initial Setup

  1. Connect to the VM, which you set up as described previously.

  2. Configure NXLog per its documentation. The default configuration file writes the data in syslog format to /var/log/pv_syslog.

  3. Edit the export start date in
    /siem-logger/bin/siem-logger/startdate.yaml. No activity logs will be retrieved prior to this date. Note that once initial setup is complete, this file will no longer be consulted.

  4. Transfer the exporter user's key:
    siem-logger config exporter «exporter user-id». This must be an admin user in your organization. Use the Add Device UI in the browser to perform the other side of the transfer.

  5. Transfer keys for two approver users:
    siem-logger config approver «approver user-id». These must be part of the export group for your organization.

  6. Restart services:
    supervisorctl restart all.

  7. Verify that all services are running:
    supervisorctl status.
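A post-setup check that combines two statements on this page: the requirement in the VM section that nothing but SSH accept inbound connections, and the service verification in step 7. This is an added example, not part of the PreVeil documentation or product. The supervisord program names and socket lines in the sample data are constructed, and the 15-minute freshness window for /var/log/pv_syslog is an arbitrary choice.

```bash
#!/bin/sh
# Post-setup verification for the SIEM Logger VM (added example, not PreVeil's own
# tooling). It checks three things the setup instructions imply:
#   - only SSH accepts inbound TCP connections      (parsed from `ss -Hltn`)
#   - every supervisord-managed program is RUNNING  (parsed from `supervisorctl status`)
#   - the default NXLog output /var/log/pv_syslog is still being written
# Program names in the sample data are constructed; the real ones are whatever
# supervisord manages on the image.

# Listening TCP ports that are expected; only SSH per the setup instructions.
ALLOWED_PORTS="22"

# check_listeners: reads `ss -Hltn` output (no header, one listening socket per line)
# on stdin, prints each socket whose port is not allowed, returns 1 if any were found.
# The local address is field 4 (e.g. 0.0.0.0:22 or [::]:22); the port follows the last colon.
check_listeners() {
    rc=0
    while IFS= read -r line; do
        if [ -z "$line" ]; then continue; fi
        addr=$(printf '%s\n' "$line" | awk '{print $4}')
        port=${addr##*:}
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) printf 'unexpected listener on port %s: %s\n' "$port" "$line"; rc=1 ;;
        esac
    done
    return $rc
}

# services_not_running: reads `supervisorctl status` output on stdin (NAME STATE details...),
# prints NAME STATE for each program whose state is not RUNNING, returns 1 if any were found.
services_not_running() {
    awk 'NF >= 2 && $2 != "RUNNING" { print $1, $2; bad = 1 }
         END { exit bad ? 1 : 0 }'
}

# syslog_is_fresh FILE MINUTES: returns 0 if FILE was modified within the last MINUTES
# minutes, 1 if it is stale or missing.
syslog_is_fresh() {
    [ -n "$(find "$1" -maxdepth 0 -mmin -"$2" 2>/dev/null)" ]
}

# Constructed sample data, used when the script is run with --sample.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*'
SAMPLE_STATUS='nxlog            RUNNING   pid 412, uptime 1:02:17
siem-logger      RUNNING   pid 415, uptime 1:02:17
pv-daemon        FATAL     Exited too quickly (process log may have details)'

case "${1:-}" in
    --live)
        # Run on the VM itself; exit status is non-zero if any check fails.
        status=0
        ss -Hltn | check_listeners || status=1
        supervisorctl status | services_not_running || status=1
        syslog_is_fresh /var/log/pv_syslog 15 || {
            echo "/var/log/pv_syslog not updated in the last 15 minutes"; status=1; }
        exit $status
        ;;
    --sample)
        printf '%s\n' "$SAMPLE_SS" | check_listeners
        printf '%s\n' "$SAMPLE_STATUS" | services_not_running
        ;;
esac
```

Run it with --sample to see what a failing check reports on the constructed data (the stray listener on 8080 and the FATAL program), then with --live on the VM after step 7; the non-zero exit status in --live mode makes it suitable for a cron job or monitoring agent.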
