SIEM integration using Kafka or Logstash based data connector 编辑

October 26, 2022 Contributed by:  C M

SIEM integration using Kafka or Logstash based data connector

Note

Contact CAS-PM-Ext@citrix.com
to request assistance for your SIEM integration, exporting data to your SIEM, or provide feedback.

You can integrate Citrix Analytics for Security with your SIEM solutions that support the Kafka endpoints or the Logstash engine. This integration enables you to export and correlate the users’ data from the Citrix IT environment to your SIEM environment and get deeper insights into your organization’s security posture.

For more information about the benefits of the integration and the type of processed data that is sent to your SIEM, see Security Information and Event Management integration
.

If your SIEM supports Kafka endpoints, use the parameters provided in the Logstash config file and the certificate details in the JKS file or the PEM file to integrate your SIEM with Citrix Analytics for Security.

The following parameters are required to integrate using Kafka:

  • User name

  • Host

  • Topic name

  • Security protocol

  • SASL mechanisms

  • SSL truststore location

  • Session timeout

  • Auto offset reset

If your SIEM does not support Kafka endpoints, then you can use the Logstash data collection engine. You can send the processed data from Citrix Analytics for Security to one of the output plug-ins
that are supported by Logstash.

This article describes the steps that you must follow to integrate your SIEM with Citrix Analytics for Security by using Logstash.


Prerequisites

  • Turn on data processing for at least one data source. It helps Citrix Analytics for Security to begin the integration with your SIEM tool.

  • Ensure that the following endpoint is in the allow list in your network.

    EndpointUnited States regionEuropean Union regionAsia Pacific South region
    Kafka brokerscasnb-0.citrix.com:9094casnb-eu-0.citrix.com:9094casnb-aps-0.citrix.com:9094
     casnb-1.citrix.com:9094casnb-eu-1.citrix.com:9094casnb-aps-1.citrix.com:9094
     casnb-2.citrix.com:9094casnb-eu-2.citrix.com:9094casnb-aps-2.citrix.com:9094
     casnb-3.citrix.com:9094  


Integrate with a SIEM service using Logstash

  1. Go to Settings > Data Exports.

  2. On the Account set up page, create an account by specifying the user name and a password. This account is used to prepare a configuration file, which is required for integration.

    SIEM config page

  3. Ensure that the password meets the following conditions:

    SIEM password requirements

  4. Select Configure to generate the Logstash configuration file.

    Configure other SIEMs

  5. Select the Others tab to download the configuration files.

    • Logstash config file: This file contains the configuration data (input, filter, and output sections) for sending events from Citrix Analytics for Security using the Logstash data collection engine. For information on Logstash config file structure, see the Logstash
      documentation.

    • JKS file: This file contains the certificates required for SSL connection. This file is required when you integrate your SIEM using Logstash.

    • PEM file: This file contains the certificates required for SSL connection. This file is required when you integrate your SIEM using Kafka.

      Note

      These files contain sensitive information. Keep them in a safe and secure location.

    Select others tab

  6. Configure Logstash:

    1. On your Linux or Windows host machine, install Logstash
      . You can also use your existing Logstash instance.

    2. On the host machine where you have installed Logstash, place the following files in the specified directory:

      Host machine typeFile nameDirectory path
      LinuxCAS_Others_LogStash_Config.configFor Debian and RPM packages: /etc/logstash/conf.d/
        For .zip and .tar.gz archives: {extract.path}/config
       kafka.client.truststore.jksFor Debian and RPM packages: /etc/logstash/ssl/
        For .zip and .tar.gz archives: {extract.path}/ssl
      WindowsCAS_Others_LogStash_Config.configC:\logstash-7.xx.x\config
       kafka.client.truststore.jks 
    3. Open the Logstash config file and do the following:

      In the input section of the file, enter the following information:

      • Password: The password of the account that you have created in Citrix Analytics for Security to prepare the configuration file.

      • SSL truststore location: The location of your SSL client certificate. This is the location of the kafka.client.truststore.jks file in your host machine.

      Other SIEM input section

      In the output section of the file, enter the destination path or details where you want to send the data. For information on the output plug-ins, see the Logstash
      documentation.

      The following snippet shows that the output is written to a local log file.

      Other SIEM output section

    4. Restart your host machine to send processed data from Citrix Analytics for Security to your SIEM service.

After configuration is complete, log in to your SIEM service and verify the Citrix Analytics data in your SIEM.


Turn on or off data transmission

After Citrix Analytics for Security prepares the configuration file, data transmission is turned on for your SIEM.

To stop transmitting data from Citrix Analytics for Security:

  1. Go to Settings > Data Exports.
  2. Turn off the toggle button to disable the data transmission. By default the data transmission always enabled.

    SIEM transmission turn off

    A warning window appears for your confirmation. Click Turn off data transmission button to stop the transmission activity.

    SIEM transmission turn off warning

To enable data transmission again, turn on the toggle button.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据

词条统计

浏览:28 次

字数:10917

最后编辑:7 年前

编辑次数:0 次

    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文