Enable Third-party Event Forwarding

EPM can integrate with SIEM to send audit logs through third-party applications and create a complete audit picture of privileged account activities in the enterprise SIEM solution. This section explains how to configure these third-party applications to export events gathered in EPM.

Configure Third-party Event Forwarding

From the EPM Server Management Console go to Advanced and then to Server Configuration.
In the Event Listeners section, click the Third-party Listeners value. The Change Configuration Parameter Value window appears.

There are four possible third-party listeners:
- Logstash - A system of log collection, processing, storage and searching activities.
- Text File - A text file created in the EPM Server.
- SysLog - A standard for message logging that permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.
- Splunk - Captures, indexes and correlates real-time data in a searchable repository from which you can generate graphs, reports, alerts, dashboards and visualizations.
Change the value to On to activate and configure the third-party listeners that you want. The parameters of the specific listener appear.
Value the parameters for each activated third-party listener.

Understanding the SysLog Messages

The SysLog messages generated by the third-party event forwarding feature contain much information, but are complicated to read. The following tables show the message content. Each message consists of four sections - header, file information, event information, and file origin:

Header

Field	Description
setID	Set ID
setName	Set name
agentID	Agent ID
computerName	Name of the computer where the Agent resides
eventID	Event ID

File Information

Field	Description
targetType	File type. See the File Type table
Owner	File owner in the form Domain\User, where available
reqExecLevel	RequestedExecutionLevel from the assembly manifest. Possible values include asInvoker, highestAvailable, and requireAdministrator
Description	Agent generated description suitable for GUI display
Publisher	File publisher value extracted from the file digital signature, where available
Hash	File hash and the algorithm used to calculate the hash in the form "AlgorithmName##HashValue", where available
Path	For most events, this field contains the file path. For ActiveX event, this field contains the installation file name (CAB file), where available
LocType	A string value from policy_defs.h specifying the type of path (remote, fixed, and so on)
Size	Size of the file
ModifTime	Time when the file was modified
V1	This value depends on the file type. See the File Type table
V2	This value depends on the file type. See the File Type table
V3	This value depends on the file type. See the File Type table
V4	This value depends on the file type. See the File Type table
V5	This value depends on the file type. See the File Type table
V6	This value depends on the file type. See the File Type table

Event Information

Field	Description	Values
Event Type	The type of the event	ZeroTouchEvent = default policy events PolicyAuditEvent = Audit events FileChangeInfo = Changing file name events (driven from App Catalog activity) RestrAccessEvent = Restricted access events See the RestrAccessEvent table NetworkAccessEvent = Network access events See the NetworkAccessEvent table
Reliability	Indicates whether the event source is reliable or not. Relevant only for ZeroTouchEvent type events	low = 0 Medium = 1 High = 2
TargetType	Event type. See the File Type table
Owner	File owner in the form Domain\User, where available
reqExecLevel	RequestedExecutionLevel from the assembly manifest	Possible values: asInvoker highestAvailable requireAdministrator
targetId	Unique ID of the target
policyId	Unique ID of the policy
policyAction	The action of the policy	INVALID = 0 Normal Run = 1 Block = 2 Elevate = 3 Elevate on Demand = 4 Collect UAC = 5 Collect Zero Touch = 6 Logoff = 7 Comp Action = 8 Run Script = 9 Configuration = 10 Set Security = 11 Exclude = 12 Software Distributor = 13 Restricted Run = 14 Endpoint Protection = 15 Endpoint Protection Global = 16 Loosely Connected Devices=17 Multi File Creator = 18
count	The number of zero-touch events related to the specified file
user	User name in form Domain\User
userIsAdmin	True if user has Admin rights
timeFirst	Time of the first zero-touch event related to the specified file
timeLast	Time of the last zero-touch event related to the specified file
policyName	Policy display name
policyGpId	N/R
vfGpoId	N/R
justification	Optional free text comment entered by user
email	Optional email to notify user that there is a policy

File Type

The following table shows the various file types, their values, and the Value fields for each file:

File Type	File Type Value	Value Fields
Computer or User	1
EXE	3	Value 1 - Command line arguments Value 2 - File description Value 3 - File version Value 4 - Product name Value 5 - Product version Value 6 - Company name
Script	4	Value 1 - Command line arguments
MSI	5	Value 1 - Product code Value 2 - Upgrade code Value 3 - Version Value 4 - Product name Value 5 - Manufacturer
MSU	6
URL	7	Value 1 - URL
Admin Task	8	Value 1 - Arguments Value 2 - Admin task ID
ActiveX	9	Value 1 - Code URL Value 2 - CL SID Value 3 - Version Value 4 - MIME type
Manual Request	11
Events Skipped	12
COM	15	Value 1 - CL SID
Windows app	20	Value 1 – App package name Value 2 – App pckage display name Value 3 – App package version
DLL	21	Value 2 – File description Value 3 – File version Value 4 – Product name Value 5 – Product version Value 6 – Company name
macOS PKG	22	Value 1 - Command line arguments Value 2 - Bundlle ID Value 4 - Bundlle Name Value 5 - Bundlle Version
macOS System & preferences	23	Value 2 - Admin task id Value 3 – Right name
macOS exe	24	Value 1 - Command line arguments Value 2 - Bundlle ID Value 4 - Bundlle Name Value 5 - Bundlle Version
macOS DMG	26	Value 2 - Bundlle ID Value 4 - Bundlle Name Value 5 - Bundlle Version

RestrAccessEvent

Field	Description	Values
AccessTargetType	The restricted target	0 - Internet 1 - Local File System 2 - Registry 3 - Network Share 4 - Intranet 5 - Process Memory
AccessTarget	Description of the access target (path of registry key, URL address, and so on)
allowed	Whether access to target was allowed	Yes No
zerotTouch	Whether the event was sent to inboxes or to the Policy usage	Yes - sent to inboxes No - sent to Policy usage
fullTrace	Whether full trace was written for this target	Yes No
OsProcessId	PID of the process
OsProcessStartTime	Start time of the process Used together with OsProcessId to uniquely identify the process
RestrictedObjectId	Unique ID of the rule that triggered the event

NetworkAccessEvent

Field	Description	Values
OsProcessId	PID of the process
OsProcessStartTime	Start time of the process Used together with OsProcessId to uniquely identify the process
localIpv4Ips	List of DWORD Ipv4 IPs from which accesses were recorded
localIpv6Ips	List of String Ipv6 IPs from which accesses were recorded
List of individual Network Access instances, each of which contains:
IPV4	IPv4 target address
IPV6	IPv6 target address
port	Target port
HostName	Target FQDN, if available
Count	Number of connections made to this IP in the time interval
Timefirst	First time this IP has been accessed
TimeLast	Last time this IP has been accessed

File Origin

Field	Description	Required
FileOrigin	The root element name
Attributes
preexisted	If preexisted is True, the file has been created before the Agent installation, and FileOrigin does not have any other attributes or child elements. When Application Control data is collected and preexisted is True, the File child element is found
Child elements
File	Contains the original name and hash of the file For attributes and child elements, see the File table	Optional
Installer	Contains information about the file creation or last modification For attributes and child elements, see the Installer table
ParentInstaller	Contains information about the file creation or last modification for one of the file's parent processes For attributes and child elements, see the Installer table	Optional
Process	Describes the process that created or modified the file or one of its parent processes. There can be multiple Process elements element. For attributes and child elements, see the Process table
Package	Describes the file installation package - MSI, EXE or EMAIL For attributes and child elements, see the Package table	Optional

File

Field	Description	Required
Attributes
hash	File hash value. This attribute is valid only if the hashAlgorithm attribute is present
hashAlgorithm	ID of the algorithm used to calculate the hash. This attribute is valid only if the hash attribute is present. Supported values are ZLIB:CRC32 or SHA1
Child elements
Path	File full path For attributes and child elements, see the Path table
Installer	Contains information about the file creation or last modification
installTime	Installer attribute. The time when the file was created or modified
Process	Installer child element. The process that created or modified the file or one of its parent process. There can be multiple Process elements under Installer
Package	Installer child element. The file installation package (MSI, EXE, or EMAIL). There can be multiple Process elements under Installer or ParentInstaller. This element is not used together with CopySrcPath	Optional
CopySrcPath	Installer child element. The remote location from where the file was copied. This element is not used together with Package	Optional
ParentInstaller	Contains information about the file creation or last modification for one of the file's parent processes	Optional
Process	Describes the process that created or modified the file or one of its parent processes. There can be multiple Processelements fields under each Installer or ParentInstaller element field
Package	Describes the file installation package - MSI, EXE or EMAIL	Optional

Installer

Field	Description	Required
Attributes
installTime	The time when the file was created or modified
Child elements
Process	The process that created or modified the file or one of its parent process. There can be multiple Process elements under Installer
Package	The file installation package (MSI, EXE, or EMAIL). There can be multiple Process elements under Installer or ParentInstaller. This element is not used together with CopySrcPath	Optional
CopySrcPath	The source path of the file. This element is not used together with Package For attributes and child elements, see the CopySrcPath table	Optional

Process

Field	Description	Required
Attributes
order	The order of the process in the process stack. The process that created or modified the file has order equal to 0, its direct parent has order 1, and so on
isSetup	If True, indicates that this is an installation process (either an MSI client process or an EXE installer). Default value is False	Optional
multiFileCreator	If True, indicates that the process matched the Developer Application (MultiFileCreator) policy. Default value is False	Optional
wellKnown	Indicates that this is a well-known process. Values: explorer iexplore services svchost msiexec cmd taskmgr wscript ftp chrome safari firefox opera skype icq totalcmd outlook browser_broker system	Optional
hash	Process image file hash value. This attribute is valid only if the hashAlgorithm attribute is present	Optional
hashAlgorithm	ID of the algorithm used to calculate the hash. This attribute is valid only if the hash attribute is present. Supported values are ZLIB:CRC32 or SHA1	Optional
publisher	Process image file publisher	Optional
productName	Product name	Optional
fileDescr	Process image file description	Optional
srcTypes	Comma separated list of Parent Types: Internet eMail SoftwareDistributor Share Removable CDROM	Optional
softDistrName	If the process is a predefined or custom Software Distributor (or Updater), this attribute is set to the Updater or Distributor name	Optional
urlZone	Numeric value when the process image file contains a Zone.Identifier alternate data stream	Optional
Child elements
Path	The process image path For attributes and child elements, see the Path table
Args	Command line arguments	Optional
SvcNames	If the process is running as a Windows Service, contains the Windows Service name (or names separated by a forward slash '/')	Optional
User	Describes the process user and the security groups the user belongs to For attributes and child elements, see the User table	Optional
CopySrcPath	The source path of the process image file For attributes and child elements, see the CopySrcPath table	Optional

Package

Field	Description	Required
Attributes
type	The installation package type - MSI, EXE or EMAIL
hash	Package file hash value. This attribute is valid only if the hashAlgorithm attribute is present	Optional
hashAlgorithm	ID of the algorithm used to calculate the hash. This attribute is valid only if the hash attribute is present. Supported values are ZLIB:CRC32 or SHA1	Optional
publisher	Package file publisher	Optional
productName	Package product name	Optional
productVersion	Package product version	Optional
manufacturer	Available for MSI packages only
productCode
upgradeCode
receivedTime	Email received time in 64-bit decimal UTC time. Available for EMAIL packages only
entryId	Outlook item EntryId property. Available for EMAIL packages only	Optional
storeId	Outlook folder StoreId property. Available for EMAIL packages only	Optional
emailType	Valued with Outlook. Available for EMAIL packages only	Optional
Child elements
Path	The package file path. Available for MSI and EXE packages only. For attributes and child elements, see the Path table
SenderAddress	Email sender address. Available for EMAIL packages only	Optional
Subject	Email subject. Available for EMAIL packages only	Optional

CopySrcPath

Field	Description	Required
Attributes
locationType	The location type. Values - FIXED, REMOVABLE, REMOTE, CDROM, INTERNET, LOCALSHARE
localShareName	The name of the local shared directory used to copy the file to the local computer, if locationType is valued with LOCALSHARE	Optional

Path

Field	Description	Required
Attributes
locationType	The location type. Values - FIXED, REMOVABLE, REMOTE, CDROM	Optional
isTemp	If True, indicates that the path is under the user's %TEMP% folder. Default value is False	Optional

User

Field	Description	Required
Attributes
sid	The user SID string
name	The user name, for debugging use only
Child elements
Group	Security group the user belongs to