SIEM Specific Instruction

How to configure SIEM applications to optimally receive logs.

ArcSight

ArcSight recommends that you name the certificate syslog-ng.

To name the certificate:

Convert the key to p12 format:

openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslog-ng.p12 -name "syslogng-alias" -password pass:changeit

To make sure the environment variable ARCSIGHT_HOME is the connector install directory:

Run the certificates manager on the Linux KDE console: $ARCSIGHT_HOME/current/bin/arcsight agent keytoolgui
From the File menu, open the keystore: $ARCSIGHT_HOME/current/jre/lib/security/cacerts (password "changeit").
From the menu, select Import Trusted Certificate.
From the file dialog, select Ca.pem and save it.
Save and close the certificate manager.

To edit the agent.properties file to enable mutual authentication:

Use vi $ARCSIGHT_HOME//current/user/agent/agent.properties:

Change this value to true:
syslogng.mutual.auth.enabled=false -> true
Add these lines to the end:
syslogng.tls.keystore.file=user/agent/syslog-ng.p12

syslogng.tls.keystore.alias=syslogng-alias
Run: /etc/init.d/arc_connector_name restart

Splunk

Generate the server pem file:
cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem
Update the inputs.conf file on the Splunk server:
vi /opt/splunk/etc/apps/search/local/inputs.conf

[SSL]

serverCert = /etc/ssl/my-certs/splunk.pem

sslPassword = <challenge password>

requireClientCert = true

[tcp-ssl://<port>]

index = <index>
Update the server.conf file on the Splunk server
vi /opt/splunk/etc/system/local/server.conf

[sslConfig]

sslRootCAPath = /etc/ssl/my-certs/RootCA.pem
Restart Splunk
/opt/splunk/bin/splunk restart

QRadar

In the Authentication Mode field, select TLS And Client Authentication.
When you use Client Authentication, you must provide the absolute path to the client certificate.
Upload the Check Point certificate and private key to QRadar and provide the absolute path to those under the Provide Certificate option.