Enable Third-party Event Forwarding
EPM can integrate with a SIEM by sending audit logs through third-party applications, creating a complete audit picture of privileged account activity in the enterprise SIEM solution. This section explains how to configure these third-party applications to export the events gathered in EPM.
Configure Third-party Event Forwarding
- From the EPM Server Management Console, go to Advanced and then to Server Configuration.
- In the Event Listeners section, click the Third-party Listeners value. The Change Configuration Parameter Value window appears.
  There are four possible third-party listeners:
  - Logstash - A system for log collection, processing, storage, and searching.
  - Text File - A text file created on the EPM Server.
  - SysLog - A standard for message logging that separates the software that generates messages, the system that stores them, and the software that reports on and analyzes them.
  - Splunk - Captures, indexes, and correlates real-time data in a searchable repository from which you can generate graphs, reports, alerts, dashboards, and visualizations.
- Change the value to On to activate and configure the third-party listeners that you want. The parameters of the specific listener appear.
- Set the parameters for each activated third-party listener.
Understanding the SysLog Messages
The SysLog messages generated by the third-party event forwarding feature contain a lot of information but are not easy to read. The following tables describe the message content. Each message consists of four sections: header, file information, event information, and file origin.
Header
| Field | Description |
|---|---|
| setID | Set ID |
| setName | Set name |
| agentID | Agent ID |
| computerName | Name of the computer where the Agent resides |
| eventID | Event ID |
File Information
| Field | Description |
|---|---|
| targetType | File type. See the File Type table |
| Owner | File owner in the form Domain\User, where available |
| reqExecLevel | RequestedExecutionLevel from the assembly manifest. Possible values include asInvoker, highestAvailable, and requireAdministrator |
| Description | Agent-generated description suitable for GUI display |
| Publisher | File publisher value extracted from the file's digital signature, where available |
| Hash | File hash and the algorithm used to calculate it, in the form "AlgorithmName##HashValue", where available |
| Path | For most events, the file path. For ActiveX events, the installation file name (CAB file), where available |
| LocType | A string value from policy_defs.h specifying the type of path (remote, fixed, and so on) |
| Size | Size of the file |
| ModifTime | Time when the file was last modified |
| V1 | Depends on the file type. See the File Type table |
| V2 | Depends on the file type. See the File Type table |
| V3 | Depends on the file type. See the File Type table |
| V4 | Depends on the file type. See the File Type table |
| V5 | Depends on the file type. See the File Type table |
| V6 | Depends on the file type. See the File Type table |
Event Information
| Field | Description | Values |
|---|---|---|
| Event Type | The type of the event | |
| Reliability | Indicates whether the event source is reliable. Relevant only for ZeroTouchEvent type events | |
| TargetType | Event type. See the File Type table | |
| Owner | File owner in the form Domain\User, where available | |
| reqExecLevel | RequestedExecutionLevel from the assembly manifest | Possible values: asInvoker, highestAvailable, requireAdministrator |
| targetId | Unique ID of the target | |
| policyId | Unique ID of the policy | |
| policyAction | The action of the policy | |
| count | The number of zero-touch events related to the specified file | |
| user | User name in the form Domain\User | |
| userIsAdmin | True if the user has Admin rights | |
| timeFirst | Time of the first zero-touch event related to the specified file | |
| timeLast | Time of the last zero-touch event related to the specified file | |
| policyName | Policy display name | |
| policyGpId | N/R | |
| vfGpoId | N/R | |
| justification | Optional free-text comment entered by the user | |
| | Optional email to notify the user that there is a policy | |
The following table shows the various file types, their values, and the Value fields (V1 to V6) for each file type:

| File Type | File Type Value | Value Fields |
|---|---|---|
| Computer or User | 1 | |
| EXE | 3 | Value 1 - Command line arguments; Value 2 - File description; Value 3 - File version; Value 4 - Product name; Value 5 - Product version; Value 6 - Company name |
| Script | 4 | Value 1 - Command line arguments |
| MSI | 5 | Value 1 - Product code; Value 2 - Upgrade code; Value 3 - Version; Value 4 - Product name; Value 5 - Manufacturer |
| MSU | 6 | |
| URL | 7 | Value 1 - URL |
| Admin Task | 8 | Value 1 - Arguments; Value 2 - Admin task ID |
| ActiveX | 9 | Value 1 - Code URL; Value 2 - CLSID; Value 3 - Version; Value 4 - MIME type |
| Manual Request | 11 | |
| Events Skipped | 12 | |
| COM | 15 | Value 1 - CLSID |
| Windows app | 20 | Value 1 - App package name; Value 2 - App package display name; Value 3 - App package version |
| DLL | 21 | Value 2 - File description; Value 3 - File version; Value 4 - Product name; Value 5 - Product version; Value 6 - Company name |
| macOS PKG | 22 | Value 1 - Command line arguments; Value 2 - Bundle ID; Value 4 - Bundle name; Value 5 - Bundle version |
| macOS System & preferences | 23 | Value 2 - Admin task ID; Value 3 - Right name |
| macOS exe | 24 | Value 1 - Command line arguments; Value 2 - Bundle ID; Value 4 - Bundle name; Value 5 - Bundle version |
| macOS DMG | 26 | Value 2 - Bundle ID; Value 4 - Bundle name; Value 5 - Bundle version |
| Field | Description | Values |
|---|---|---|
| AccessTargetType | The restricted target | |
| AccessTarget | Description of the access target (registry key path, URL address, and so on) | |
| allowed | Whether access to the target was allowed | |
| zerotTouch | Whether the event was sent to inboxes or to Policy usage | |
| fullTrace | Whether a full trace was written for this target | |
| OsProcessId | PID of the process | |
| OsProcessStartTime | Start time of the process | |
| RestrictedObjectId | Unique ID of the rule that triggered the event | |
| Field | Description | Values |
|---|---|---|
| OsProcessId | PID of the process | |
| OsProcessStartTime | Start time of the process | |
| localIpv4Ips | List of local IPv4 addresses (as DWORD values) from which accesses were recorded | |
| localIpv6Ips | List of local IPv6 addresses (as strings) from which accesses were recorded | |
| List of individual Network Access instances, each of which contains: | | |
| IPV4 | IPv4 target address | |
| IPV6 | IPv6 target address | |
| port | Target port | |
| HostName | Target FQDN, if available | |
| Count | Number of connections made to this IP in the time interval | |
| Timefirst | First time this IP was accessed | |
| TimeLast | Last time this IP was accessed | |
File Origin
| Field | Description | Required |
|---|---|---|
| FileOrigin | The root element name | |
| Attributes | | |
| preexisted | If preexisted is True, the file was created before the Agent installation, and FileOrigin has no other attributes or child elements. When Application Control data is collected and preexisted is True, the File child element is present | |
| Child elements | | |
| File | Contains the original name and hash of the file. For attributes and child elements, see the File table | Optional |
| Installer | Contains information about the file creation or last modification. For attributes and child elements, see the Installer table | |
| ParentInstaller | Contains information about the file creation or last modification for one of the file's parent processes. For attributes and child elements, see the Installer table | Optional |
| Process | Describes the process that created or modified the file or one of its parent processes. There can be multiple Process elements. For attributes and child elements, see the Process table | |
| Package | Describes the file installation package (MSI, EXE, or EMAIL). For attributes and child elements, see the Package table | Optional |
File

| Field | Description | Required |
|---|---|---|
| Attributes | | |
| hash | File hash value. This attribute is valid only if the hashAlgorithm attribute is present | |
| hashAlgorithm | ID of the algorithm used to calculate the hash. This attribute is valid only if the hash attribute is present. Supported values are ZLIB:CRC32 or SHA1 | |
| Child elements | | |
| Path | File full path | |
| Installer | Contains information about the file creation or last modification | |
| installTime | Installer attribute. The time when the file was created or modified | |
| Process | Installer child element. The process that created or modified the file or one of its parent processes. There can be multiple Process elements under Installer | |
| Package | Installer child element. The file installation package (MSI, EXE, or EMAIL). There can be multiple Process elements under Installer or ParentInstaller. This element is not used together with CopySrcPath | Optional |
| CopySrcPath | Installer child element. The remote location from which the file was copied. This element is not used together with Package | Optional |
| ParentInstaller | Contains information about the file creation or last modification for one of the file's parent processes | Optional |
| Process | Describes the process that created or modified the file or one of its parent processes. There can be multiple Process elements under each Installer or ParentInstaller element | |
| Package | Describes the file installation package (MSI, EXE, or EMAIL) | Optional |
Installer

| Field | Description | Required |
|---|---|---|
| Attributes | | |
| installTime | The time when the file was created or modified | |
| Child elements | | |
| Process | The process that created or modified the file or one of its parent processes. There can be multiple Process elements under Installer | |
| Package | The file installation package (MSI, EXE, or EMAIL). There can be multiple Process elements under Installer or ParentInstaller. This element is not used together with CopySrcPath | Optional |
| CopySrcPath | The source path of the file. This element is not used together with Package | Optional |
Process

| Field | Description | Required |
|---|---|---|
| Attributes | | |
| order | The order of the process in the process stack. The process that created or modified the file has order 0, its direct parent has order 1, and so on | |
| isSetup | If True, indicates that this is an installation process (either an MSI client process or an EXE installer). Default value is False | Optional |
| multiFileCreator | If True, indicates that the process matched the Developer Application (MultiFileCreator) policy. Default value is False | Optional |
| wellKnown | Indicates that this is a well-known process. Values: | Optional |
| hash | Process image file hash value. This attribute is valid only if the hashAlgorithm attribute is present | Optional |
| hashAlgorithm | ID of the algorithm used to calculate the hash. This attribute is valid only if the hash attribute is present. Supported values are ZLIB:CRC32 or SHA1 | Optional |
| publisher | Process image file publisher | Optional |
| productName | Product name | Optional |
| fileDescr | Process image file description | Optional |
| srcTypes | Comma-separated list of Parent Types: | Optional |
| softDistrName | If the process is a predefined or custom Software Distributor (or Updater), this attribute is set to the Updater or Distributor name | Optional |
| urlZone | Numeric value, present when the process image file contains a Zone.Identifier alternate data stream | Optional |
| Child elements | | |
| Path | The process image path | |
| Args | Command line arguments | Optional |
| SvcNames | If the process is running as a Windows Service, contains the Windows Service name (or names, separated by a forward slash '/') | Optional |
| User | Describes the process user and the security groups the user belongs to | Optional |
| CopySrcPath | The source path of the process image file | Optional |
Package

| Field | Description | Required |
|---|---|---|
| Attributes | | |
| type | The installation package type: MSI, EXE, or EMAIL | |
| hash | Package file hash value. This attribute is valid only if the hashAlgorithm attribute is present | Optional |
| hashAlgorithm | ID of the algorithm used to calculate the hash. This attribute is valid only if the hash attribute is present. Supported values are ZLIB:CRC32 or SHA1 | Optional |
| publisher | Package file publisher | Optional |
| productName | Package product name | Optional |
| productVersion | Package product version | Optional |
| manufacturer | Available for MSI packages only | |
| productCode | Available for MSI packages only | |
| upgradeCode | Available for MSI packages only | |
| receivedTime | Email received time as a 64-bit decimal UTC time. Available for EMAIL packages only | |
| entryId | Outlook item EntryId property. Available for EMAIL packages only | Optional |
| storeId | Outlook folder StoreId property. Available for EMAIL packages only | Optional |
| emailType | Set to Outlook. Available for EMAIL packages only | Optional |
| Child elements | | |
| Path | The package file path. Available for MSI and EXE packages only | |
| SenderAddress | Email sender address. Available for EMAIL packages only | Optional |
| Subject | Email subject. Available for EMAIL packages only | Optional |
CopySrcPath

| Field | Description | Required |
|---|---|---|
| Attributes | | |
| locationType | The location type. Values: FIXED, REMOVABLE, REMOTE, CDROM, INTERNET, LOCALSHARE | |
| localShareName | The name of the local shared directory used to copy the file to the local computer, if locationType is LOCALSHARE | Optional |
Path

| Field | Description | Required |
|---|---|---|
| Attributes | | |
| locationType | The location type. Values: FIXED, REMOVABLE, REMOTE, CDROM | Optional |
| isTemp | If True, indicates that the path is under the user's %TEMP% folder. Default value is False | Optional |
User

| Field | Description | Required |
|---|---|---|
| Attributes | | |
| sid | The user SID string | |
| name | The user name, for debugging use only | |
| Child elements | | |
| Group | Security group the user belongs to | |
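As an added example (not part of the EPM documentation or product code), the following Python checks a forwarded FileOrigin fragment against the rules stated in the File Origin tables above: hash and hashAlgorithm must appear together with a supported algorithm, Package and CopySrcPath are mutually exclusive under an Installer, a preexisted file carries no child other than File, and Process order values run from the creating process (0) upward. The sample fragment and its values are constructed, and the exact XML serialization EPM emits is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not captured from an EPM Server): element and attribute names follow
# the File Origin tables above, but the exact serialization EPM emits is an assumption.
SAMPLE = """<FileOrigin preexisted="False">
  <File hash="da39a3ee5e6b4b0d3255bfef95601890afd80709" hashAlgorithm="SHA1">
    <Path>C:\\Users\\alice\\Downloads\\tool.exe</Path>
  </File>
  <Installer installTime="132456789012345678">
    <Process order="0" isSetup="False">
      <Path>C:\\Program Files\\Mozilla Firefox\\firefox.exe</Path>
    </Process>
    <Process order="1"><Path>C:\\Windows\\explorer.exe</Path></Process>
    <CopySrcPath locationType="INTERNET">https://example.invalid/tool.exe</CopySrcPath>
  </Installer>
</FileOrigin>"""
HASH_ALGS = {"ZLIB:CRC32", "SHA1"}  # the only algorithm IDs the tables list

def check_hash_pair(elem):
    # hash is only valid together with hashAlgorithm, and vice versa.
    h, alg = elem.get("hash"), elem.get("hashAlgorithm")
    if (h is None) != (alg is None):
        return [f"<{elem.tag}>: hash and hashAlgorithm must appear together"]
    if alg is not None and alg not in HASH_ALGS:
        return [f"<{elem.tag}>: unsupported hashAlgorithm {alg!r}"]
    return []

def validate_file_origin(xml_text):
    # Consistency problems found; an empty list means the File Origin rules hold.
    root = ET.fromstring(xml_text)
    if root.get("preexisted", "False").lower() == "true":
        # Pre-existing file: no further attributes and at most a File child.
        return [f"preexisted=True but found child <{c.tag}>" for c in root if c.tag != "File"]
    problems = []
    for elem in root.iter():
        if elem.tag in ("File", "Process", "Package"):
            problems += check_hash_pair(elem)
        if elem.tag in ("Installer", "ParentInstaller"):
            if elem.find("Package") is not None and elem.find("CopySrcPath") is not None:
                problems.append(f"<{elem.tag}>: Package and CopySrcPath are mutually exclusive")
            orders = sorted(int(p.get("order", "-1")) for p in elem.findall("Process"))
            if orders != list(range(len(orders))):  # creator is 0, its parent 1, and so on
                problems.append(f"<{elem.tag}>: Process order values {orders} are not 0..n-1")
    return problems

def creator_chain(xml_text):
    # Image paths of the creating process (order 0) followed by its parents, in order.
    inst = ET.fromstring(xml_text).find("Installer")
    procs = [] if inst is None else inst.findall("Process")
    return [p.findtext("Path") for p in sorted(procs, key=lambda p: int(p.get("order")))]
```

Running the same checks in a Logstash or Splunk ingest pipeline lets a SIEM flag origin records that violate the stated pairing rules before they are trusted for investigation.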