SIEM Specific Instruction

How to configure SIEM applications to optimally receive logs.

ArcSight

ArcSight recommends that you name the certificate syslog-ng.

To name the certificate:

Convert the server key and certificate to PKCS#12 (p12) format:

openssl pkcs12 -inkey syslogServer.key -in syslogServer.crt -export -out syslog-ng.p12 -name "syslogng-alias" -password pass:changeit

Make sure the environment variable ARCSIGHT_HOME points to the connector install directory, then import the CA certificate into the connector's truststore:

  1. Run the certificates manager on the Linux KDE console: $ARCSIGHT_HOME/current/bin/arcsight agent keytoolgui

  2. From the File menu, open the keystore: $ARCSIGHT_HOME/current/jre/lib/security/cacerts (password "changeit").

  3. From the menu, select Import Trusted Certificate.

  4. From the file dialog, select Ca.pem and save it.

  5. Save and close the certificate manager.

To enable mutual authentication, edit the agent.properties file:

Use vi $ARCSIGHT_HOME/current/user/agent/agent.properties:

  1. Change this value from false to true:

    syslogng.mutual.auth.enabled=true

  2. Add these lines to the end:

    syslogng.tls.keystore.file=user/agent/syslog-ng.p12

    syslogng.tls.keystore.alias=syslogng-alias

  3. Restart the connector service (substitute the connector's own service name for arc_connector_name): /etc/init.d/arc_connector_name restart

Splunk

  1. Generate the server pem file:

    cat syslogServer.crt syslogServer.key RootCA.pem > splunk.pem

  2. Update the inputs.conf file on the Splunk server:

    vi /opt/splunk/etc/apps/search/local/inputs.conf

    [SSL]

    serverCert = /etc/ssl/my-certs/splunk.pem

    sslPassword = <Challenge Password>

    requireClientCert = true

    [tcp-ssl://<Port>]

    index = <Index>

  3. Update the server.conf file on the Splunk server:

    vi /opt/splunk/etc/system/local/server.conf

    [sslConfig]

    sslRootCAPath = /etc/ssl/my-certs/RootCA.pem

  4. Restart Splunk:

    /opt/splunk/bin/splunk restart
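As an added check (not part of this procedure or of Splunk's own tooling), the Python script below parses a splunk.pem bundle and verifies that its blocks are in the order Splunk expects for serverCert (server certificate, then the private key, then the CA certificate), and that an encrypted key is paired with an sslPassword setting. The sample bundle is constructed with placeholder bodies.

```python
import re

# Constructed stand-in for the bundle that "cat syslogServer.crt syslogServer.key RootCA.pem"
# produces; the base64 bodies are placeholders, not real certificates or key material.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

cGxhY2Vob2xkZXI=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""

# Matches one PEM block; the back-reference makes the BEGIN and END labels agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def parse_pem_blocks(text):
    """Return (label, body) pairs in file order, e.g. ("CERTIFICATE", "...")."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label, body):
    # PKCS#8 encrypted keys carry their own label; legacy keys use a Proc-Type header.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def check_splunk_bundle(text, ssl_password_set):
    """Return findings; empty means: server cert, then one private key, then CA cert(s)."""
    findings = []
    blocks = parse_pem_blocks(text)
    labels = [label for label, _ in blocks]
    if len(blocks) < 3:
        return [f"expected server cert, private key and CA cert, found {len(blocks)} block(s)"]
    if labels[0] != "CERTIFICATE":
        findings.append("first block must be the server certificate")
    if not labels[1].endswith("PRIVATE KEY"):
        findings.append("second block must be the private key")
    if any(label != "CERTIFICATE" for label in labels[2:]):
        findings.append("every block after the key must be a CA certificate")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        findings.append(f"expected exactly one private key, found {len(keys)}")
    elif key_is_encrypted(*keys[0]) and not ssl_password_set:
        findings.append("private key is encrypted but sslPassword is not set in inputs.conf")
    elif not key_is_encrypted(*keys[0]):
        findings.append("private key is stored unencrypted; restrict permissions on splunk.pem")
    return findings
```

Run it against the real /etc/ssl/my-certs/splunk.pem before restarting Splunk, passing whether inputs.conf sets sslPassword.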

QRadar

  1. In the Authentication Mode field, select TLS And Client Authentication.

    When you use Client Authentication, you must provide the absolute path to the client certificate.

  2. Upload the Check Point certificate and private key to QRadar and provide the absolute path to those under the Provide Certificate option.