Skip to main content
Skip table of contents

Auditing - SIEM events

SIEM activities for websecadmin admin can be found here:
/var/log/veridiumid/websecadmin/events.log
SIEM activities fro Application user activities (login, etc) can be found here:
/var/log/veridiumid/tomcat/events.log

Example of events - see excel file:

Users_SEM.xlsx

How rsyslog works:

→ it monitors specific events/files on the system and send by default to /var/log/messages but it also can send them to a rsyslog server.

→ Veridium can have configured 2 files to be send to Rsyslog server (see below configuration examples)

(based on article https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-syslog-server-on-centos-7-rhel-7.html )

How to configure rsyslog in order to deliver the events to a rsyslog: 

Due to the fact that logrotate with copytruncate is configured, the following configurations should be done in rsyslog file (this can be added in /etc/rsyslog.conf or in /etc/rsyslog.d/events.conf). Please fill in the proper IP of rsyslog server.

This should be configured on each webapp.

CODE
module(load="imfile" PollingInterval="10")
input(type="imfile" File="/var/log/veridiumid/websecadmin/events.log" Tag="ver-adminevents" reopenOnTruncate="on")
input(type="imfile" File="/var/log/veridiumid/tomcat/events.log" Tag="ver-events" reopenOnTruncate="on")

if $programname == 'ver-events' then @@10.10.10.10:514
if $programname == 'ver-adminevents' then @@10.10.10.10:514

 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.