Enable Third-party Event Forwarding

EPM can integrate with a SIEM by sending audit logs through third-party applications, which creates a complete audit picture of privileged account activities in the enterprise SIEM solution. This section explains how to configure these third-party applications to export events gathered in EPM.

Configure Third-party Event Forwarding

  1. From the EPM Server Management Console, go to Advanced and then to Server Configuration.

  2. In the Event Listeners section, click the Third-party Listeners value. The Change Configuration Parameter Value window appears.

    There are four possible third-party listeners:

    • Logstash - A system for collecting, processing, storing and searching logs.

    • Text File - A text file created in the EPM Server.

    • SysLog - A standard for message logging that permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them.

    • Splunk - Captures, indexes and correlates real-time data in a searchable repository from which you can generate graphs, reports, alerts, dashboards and visualizations.

  3. Change the value to On to activate and configure the third-party listeners that you want. The parameters of the specific listener appear.

  4. Set the parameters for each activated third-party listener.

Understanding the SysLog Messages

The SysLog messages generated by the third-party event forwarding feature contain a lot of information but are complicated to read. The following tables show the message content. Each message consists of four sections: header, file information, event information, and file origin.

File Information

Event Information

File Origin