Auditing - SIEM events
SIEM events for websecadmin (admin console) activity are written to:
/var/log/veridiumid/websecadmin/events.log
SIEM events for application user activity (login, etc.) are written to:
/var/log/veridiumid/tomcat/events.log
Example events: see the Excel file.
How rsyslog works:
→ It monitors specific events/files on the system and by default writes them to /var/log/messages, but it can also forward them to a remote rsyslog server.
→ Veridium can be configured to forward two files to the rsyslog server (see the configuration example below).
(based on the article https://www.itzgeek.com/how-tos/linux/centos-how-tos/setup-syslog-server-on-centos-7-rhel-7.html )
How to configure rsyslog to deliver the events to a remote rsyslog server:
Because logrotate is configured with copytruncate, the following configuration must be added to rsyslog (either in /etc/rsyslog.conf or in /etc/rsyslog.d/events.conf); the reopenOnTruncate="on" option is what makes imfile keep reading after logrotate truncates the file in place. Replace 10.10.10.10 with the IP address of your rsyslog server.
This must be configured on each web application server.
# Load the file-input module and poll the monitored files every 10 seconds
module(load="imfile" PollingInterval="10")
# reopenOnTruncate="on" is required because logrotate truncates these files in place (copytruncate)
input(type="imfile" File="/var/log/veridiumid/websecadmin/events.log" Tag="ver-adminevents" reopenOnTruncate="on")
input(type="imfile" File="/var/log/veridiumid/tomcat/events.log" Tag="ver-events" reopenOnTruncate="on")
# @@ forwards over TCP (a single @ would use UDP); "& stop" prevents the events from also landing in /var/log/messages
if $programname == 'ver-events' then @@10.10.10.10:514
& stop
if $programname == 'ver-adminevents' then @@10.10.10.10:514
& stop
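The following script is an added example of rolling the configuration above out on a web application server; it is not VeridiumID's own tooling. It renders the snippet with a validated rsyslog server address (the port defaults to 514, as on the page), writes it to /etc/rsyslog.d/events.conf, checks that rsyslog still parses its whole configuration with rsyslogd -N1 before restarting the daemon, and then sends a test message through the ver-events tag with logger so the forwarding rule can be verified on the SIEM side without touching the audit files. It assumes rsyslog 8 with the imfile module, systemd, and a /etc/rsyslog.conf that includes /etc/rsyslog.d/*.conf (the CentOS 7 default); the function and file names are this example's own.

```shell
#!/bin/sh
# Added example (not VeridiumID's own tooling): render, install and verify the
# rsyslog forwarding snippet for the VeridiumID SIEM event files.
# Assumptions: rsyslog 8 with imfile, systemd, /etc/rsyslog.d/*.conf included
# by /etc/rsyslog.conf (CentOS 7 default).

CONF_PATH="/etc/rsyslog.d/events.conf"   # location suggested on the page

# Accept only a dotted-quad IPv4 address so a typo cannot silently produce a
# configuration that forwards the audit events nowhere.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split into octets (positional params are local to the function)
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the rsyslog configuration for the given SIEM/rsyslog server and port.
render_events_conf() {
    siem="$1"
    port="${2:-514}"
    valid_ipv4 "$siem" || { echo "render_events_conf: invalid IPv4 address '$siem'" >&2; return 1; }
    cat <<EOF
# VeridiumID SIEM event forwarding (generated by install_events_conf.sh)
module(load="imfile" PollingInterval="10")
# reopenOnTruncate is required because logrotate uses copytruncate on these files
input(type="imfile" File="/var/log/veridiumid/websecadmin/events.log" Tag="ver-adminevents" reopenOnTruncate="on")
input(type="imfile" File="/var/log/veridiumid/tomcat/events.log" Tag="ver-events" reopenOnTruncate="on")
# @@ = TCP forwarding; "& stop" keeps the events out of /var/log/messages
if \$programname == 'ver-events' then @@${siem}:${port}
& stop
if \$programname == 'ver-adminevents' then @@${siem}:${port}
& stop
EOF
}

# Write the file, make sure the complete rsyslog configuration still parses,
# restart the daemon and emit a test event through the forwarding rule.
install_events_conf() {
    siem="$1"
    tmp=$(mktemp) || return 1
    render_events_conf "$siem" > "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0644 "$tmp" "$CONF_PATH" && rm -f "$tmp"
    # -N1 is a syntax/config check only; the daemon is not started
    rsyslogd -N1 || { echo "rsyslog config check failed; fix $CONF_PATH before restarting" >&2; return 1; }
    systemctl restart rsyslog
    # Same tag as the tomcat events file, so the 'ver-events' rule fires without
    # writing anything into the audit log itself; confirm receipt on the SIEM.
    logger -t ver-events "rsyslog forwarding test from $(hostname)"
}

# Usage: sh install_events_conf.sh 10.10.10.10   (run on each web application server)
if [ -n "$1" ]; then
    install_events_conf "$1"
fi
```

The "& stop" after each forwarding action is kept on purpose: without it every audit event would also be written to /var/log/messages. Note that @@ is plain TCP, so the audit events cross the network unencrypted; keep that path on a trusted network segment or switch to rsyslog's TLS transport, which the page does not cover.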