SIEM Audits
DSV can send audit records to four types of listener: syslog, cef, splunk and json. Each type has a corresponding log record format and supports one or more transport protocols.
To configure a new SIEM endpoint, use the command `dsv siem create`.
To show all available management commands for SIEM endpoints in DSV, run `dsv siem --help`.
For every audit action, DSV will try twice to reach the endpoint. If the endpoint is unresponsive after ten actions and retries, DSV will deregister the endpoint and mark it as failed. When viewed with `dsv siem read <name>`, deregistered endpoints will have the field and value `"failed": true`. The endpoint must be recreated or updated to be used again.
Syslog
- Message format: syslog
- Transport protocols: UDP, TCP, TLS (TLS 1.2 is the minimum version used)
Syslog messages must be in RFC 5424-compliant form. DSV will truncate messages over 64KB in length.
Syslog | Audit |
---|---|
Timestamp | RFC3339 format |
Priority | 191 |
Version | 1 |
Hostname | DSV URL (e.g., example.secretsvaultcloud.com) |
MsgID | id |
Appname | DSV |
Message | usertoken + audit message |
StructuredData | all other audit fields |
A user-specific token, generated by the user, is inserted into each message to identify the user.
Sample syslog output
```
<191>1 2020-06-02T14:53:48Z example.secretsvaultcloud.com DSV - - [1 action=POST created=2020-06-02T14:51:36.519620577Z ipaddress=10.10.10.10 path=token principal=users:username principalItemId=00000000-51ea-4bfa-b272-80b12e43b676 tenant=tenant tenantName=tenantName] abcdef "
```
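As an added example (not part of this page or of Delinea's own code), the following Python parser splits a DSV syslog record into the fields of the table above: the PRI value into facility and severity (191 is local7/debug), the RFC 5424 header fields, the structured-data element, and the user token that precedes the audit message. The sample line, the `dsv` SD-ID, the message id and the token `abcdef` are constructed for the example. The page's sample writes structured-data values unquoted (`action=POST`), which RFC 5424 does not allow, so the parser accepts both quoted and bare values.

```python
import hmac
import re
from typing import Any, Dict, Tuple

# Constructed sample modelled on the page's syslog output (hypothetical
# tenant, ids and token; the SD-ID "dsv" is an assumption of this example).
SAMPLE_LINE = (
    "<191>1 2020-06-02T14:53:48Z example.secretsvaultcloud.com DSV - "
    "00000000-51ea-4bfa-b272-80b12e43b676 "
    "[dsv action=POST created=2020-06-02T14:51:36.519620577Z "
    "ipaddress=10.10.10.10 path=token principal=users:username "
    "status=200 tenant=tenant] abcdef login succeeded"
)

# RFC 5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID,
# followed by structured data and the free-text MSG.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)
# One [SD-ID name=value ...] element; quoted and bare values both accepted.
SD_ELEMENT_RE = re.compile(
    r'\[(?P<id>[^\s\]]+)'
    r'(?P<params>(?:\s+[^=\s\]]+=(?:"(?:[^"\\]|\\.)*"|[^\s\]]+))*)\]'
)
SD_PARAM_RE = re.compile(r'(?P<name>[^=\s\]]+)=(?P<val>"(?:[^"\\]|\\.)*"|[^\s\]]+)')


def _sd_value(raw: str) -> str:
    """Strip quotes and undo the RFC 5424 escapes for a PARAM-VALUE."""
    if raw.startswith('"'):
        raw = raw[1:-1]
        for esc, ch in (('\\"', '"'), ("\\]", "]"), ("\\\\", "\\")):
            raw = raw.replace(esc, ch)
    return raw


def parse_structured_data(rest: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Return ({sd_id: {name: value}}, msg) for the text after MSGID."""
    if rest.startswith("-"):            # NILVALUE: no structured data
        return {}, rest[1:].lstrip(" ")
    elements: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if m is None:
            raise ValueError("malformed structured-data element")
        elements[m.group("id")] = {
            p.group("name"): _sd_value(p.group("val"))
            for p in SD_PARAM_RE.finditer(m.group("params"))
        }
        pos = m.end()
    return elements, rest[pos:].lstrip(" ")


def parse_dsv_syslog(line: str, expected_token: str) -> Dict[str, Any]:
    """Parse one DSV audit record; token_ok says whether the leading user
    token matches the one this listener was configured with."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 record")
    pri = int(m.group("pri"))
    sd, msg = parse_structured_data(m.group("rest"))
    token, _, audit_message = msg.partition(" ")
    return {
        "facility": pri // 8,            # 191 -> 23 (local7)
        "severity": pri % 8,             # 191 -> 7  (debug)
        "version": int(m.group("version")),
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "appname": m.group("app"),
        "msgid": m.group("msgid"),
        "structured_data": sd,
        # constant-time comparison so a receiver can reject records that do
        # not carry the configured token
        "token_ok": hmac.compare_digest(token.encode(), expected_token.encode()),
        "message": audit_message,
    }


if __name__ == "__main__":
    print(parse_dsv_syslog(SAMPLE_LINE, "abcdef"))
```

A receiver that keys on `token_ok` can discard records that arrive without the token configured for that endpoint, and `structured_data["dsv"]["principal"]` plus `status` are the fields most detections on DSV audit data pivot on.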
To start a SIEM configuration workflow, use the command `dsv siem create`.
Option | Description |
---|---|
Name | required, configuration name from 3 to 50 characters long |
Type | required, select 'syslog' |
Protocol | required, select one of 'tcp', 'udp' or 'tls' |
Host | required, domain name or an IP address |
Port | required, port number in range [0..65535] |
Authentication method | required, select 'token' |
Authentication | required, type a token that will be added to the beginning of each syslog message |
Logging format | required, select 'rfc5424' |
Route through DSV engine | required, specify whether SIEM messages should be sent through an engine pool to reach a service behind a firewall |
Engine pool | string, specify which pool to use if the previous question was answered affirmatively |
Sample Values
```json
{
  "siemType": "syslog",
  "name": "syslogtest",
  "host": "54.210.93.200",
  "port": 8000,
  "protocol": "tls",
  "authMethod": "token",
  "auth": "abcdef",
  "loggingFormat": "rfc5424"
}
```
Common Event Format (CEF)
- Message format: CEF
- Transport protocols: UDP, TCP, TLS (TLS 1.2 is the minimum version used)
CEF | DSV Audit | description |
---|---|---|
Version | 0 | constant |
Device Vendor | delinea | constant |
Device Product | dsv | constant |
Device Version | - | unused by dsv |
Signature ID | id | audit field |
Name | action | audit field |
Severity | status | 200 -> 0, 400 -> 1, 401 -> 7, 403 -> 7, 404 -> 0, 500 -> 0, anything else -> _ |
Extension | all other audit fields | audit fields |
Sample CEF output
```
CEF:0|delinea|dsv|-|b40e07d3-6fb9-41e8-9816-356de992b8fa|POST|0|action=POST created:2020-06-02T17:52:30.841020649Z id=b40e07d3-6fb9-41e8-9816-356de992b8fa ipaddress=10.10.10.10 message=login succeeded path=token principal=users:username principalItemId=f18b5bda-51ea-4bfa-b272-80b12e43b676 status=200 tenant=tenatID tenantName=tenantName
```
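As an added example (not from this page or from Delinea), the Python below parses a DSV CEF record into the header fields of the table above and the extension key/value pairs, and checks that the Severity field agrees with the status-code mapping the table gives. The two sample records are constructed (hypothetical ids and tenant); they write `created=` with `=` like the other extension keys, whereas the page's sample shows `created:`. Statuses the table maps to `_` are returned as `None` here, which is an assumption of this example.

```python
import re
from typing import Any, Dict, Optional

# Severity mapping from the CEF table on this page; statuses listed as
# "anything else -> _" are treated as unmapped (None).
SEVERITY_BY_STATUS = {"200": 0, "400": 1, "401": 7, "403": 7, "404": 0, "500": 0}

# Constructed samples modelled on the page's CEF output (hypothetical ids and
# tenant; not real audit data).
SAMPLE_OK = (
    "CEF:0|delinea|dsv|-|b40e07d3-6fb9-41e8-9816-356de992b8fa|POST|0|"
    "action=POST created=2020-06-02T17:52:30.841020649Z "
    "id=b40e07d3-6fb9-41e8-9816-356de992b8fa ipaddress=10.10.10.10 "
    "message=login succeeded path=token principal=users:username "
    "status=200 tenant=tenantID tenantName=tenantName"
)
SAMPLE_DENIED = (
    "CEF:0|delinea|dsv|-|1d6d2a7e-0000-4000-8000-000000000001|GET|7|"
    "action=GET created=2020-06-02T17:55:01.000000000Z "
    "id=1d6d2a7e-0000-4000-8000-000000000001 ipaddress=10.10.10.11 "
    "message=forbidden path=secrets:prod:db principal=users:username "
    "status=403 tenant=tenantID tenantName=tenantName"
)

# Header fields are separated by '|'; a literal pipe inside a field is '\|'.
PIPE_RE = re.compile(r"(?<!\\)\|")
# Extension keys start at the beginning or after whitespace; a value runs up
# to the next key, so values containing spaces ("login succeeded") survive.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def cef_severity(status: Optional[str]) -> Optional[int]:
    """Severity DSV assigns for an HTTP status, per the page's table."""
    return SEVERITY_BY_STATUS.get(status or "")


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the CEF extension into {key: value}, undoing '\\=' and '\\\\'."""
    out: Dict[str, str] = {}
    keys = list(EXT_KEY_RE.finditer(ext))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[k.end():end]
        out[k.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one DSV CEF record into header fields plus extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = PIPE_RE.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-separated fields")
    version, vendor, product, dev_version, sig_id, name, severity, ext = parts
    fields = parse_extension(ext)
    sev = int(severity)
    return {
        "version": int(version),
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,     # '-' : unused by DSV
        "signature_id": sig_id,            # audit id
        "name": name,                      # audit action
        "severity": sev,
        "extension": fields,
        # does the emitted Severity match what the status should produce?
        "severity_consistent": cef_severity(fields.get("status")) == sev,
        # 401/403 map to 7, the highest value DSV emits: authorization failures
        "auth_failure": sev == 7 and fields.get("status") in ("401", "403"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_DENIED):
        print(parse_cef(sample))
```

The `auth_failure` flag is the natural trigger for an alert on repeated 401/403 responses against one `principal`, and `severity_consistent` catches a collector rule that was written against a different mapping than the one DSV actually emits.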
To start a SIEM configuration workflow, use the command `dsv siem create`.
Option | Description |
---|---|
Name | required, configuration name from 3 to 50 characters long |
Type | required, select 'cef' |
Protocol | required, select one of 'tcp', 'udp' or 'tls' |
Host | required, domain name or an IP address |
Port | required, port number in range [0..65535] |
Authentication method | required, select 'token' |
Authentication | required, but not used for the 'cef' type |
Logging format | required, select 'cef' |
Route through DSV engine | required, specify whether SIEM messages should be sent through an engine pool to reach a service behind a firewall |
Engine pool | string, specify which pool to use if the previous question was answered affirmatively |
Sample Values
```json
{
  "siemType": "cef",
  "name": "syslogtest",
  "host": "34.210.93.200",
  "port": 8678,
  "protocol": "udp",
  "authMethod": "token",
  "auth": "abcdef",
  "loggingFormat": "cef"
}
```
JSON
- Message format: JSON
- Transport protocols: UDP, TCP, HTTP, HTTPS
DSV sends the raw JSON audit record over the configured transport.
Sample JSON output
```json
{"action":"POST","created":"2020-06-02T17:52:30.841020649Z","id":"b40e07d3-6fb9-41e8-9816-356de992b8fa","ipaddress":"10.10.10.10","message":"login succeeded","path":"token","principal":"users:user","principalItemId":"f18b5bda-51ea-4bfa-b272-80b12e43b676","status":"200","tenant":"tenat","tenantName":"tenantName"}
```
To start a SIEM configuration workflow, use the command `dsv siem create`.
Option | Description |
---|---|
Name | required, configuration name from 3 to 50 characters long |
Type | required, select 'json' |
Protocol | required, select one of 'tcp', 'udp', 'http' or 'https' |
Host | required, domain name or an IP address |
Port | required, port number in range [0..65535] |
Endpoint | optional, used only for 'http' or 'https' transport to build a URL as http[s]://<host>:<port>/<endpoint> |
Authentication method | required, select 'token' |
Authentication | required; not used for 'tcp' and 'udp', added as the 'Authorization' header for 'http' and 'https' |
Logging format | required, select 'json' |
Route through DSV engine | required, specify whether SIEM messages should be sent through an engine pool to reach a service behind a firewall |
Engine pool | string, specify which pool to use if the previous question was answered affirmatively |
Sample Values
```json
{
  "siemType": "json",
  "name": "syslogtest",
  "host": "34.210.93.200",
  "port": 443,
  "protocol": "https",
  "authMethod": "token",
  "auth": "abcdef",
  "loggingFormat": "json"
}
```
Splunk
- Message format: JSON, wrapped as `{"event":{ <audit fields> }}`
- Transport protocols: HTTPS
To start a SIEM configuration workflow, use the command `dsv siem create`.
Option | Description |
---|---|
Name | required, configuration name from 3 to 50 characters long |
Type | required, select 'splunk' |
Protocol | required, select 'https' |
Host | required, domain name or an IP address |
Port | required, port number in range [0..65535] |
Endpoint | optional, used to build a URL as https://<host>:<port>/<endpoint> |
Authentication method | required, select 'token' |
Authentication | required, a token added as the 'Authorization' header to each request |
Logging format | required, select 'json' |
Route through DSV engine | required, specify whether SIEM messages should be sent through an engine pool to reach a service behind a firewall |
Engine pool | string, specify which pool to use if the previous question was answered affirmatively |
Sample Configuration
```json
{
  "siemType": "splunk",
  "name": "SplunkProd",
  "host": "instance.splunkcloud.co",
  "endpoint": "services/collector/event",
  "port": 8088,
  "protocol": "https",
  "authMethod": "token",
  "auth": "Splunk 84ba1399-87f2-000g-9b49-797ae7935244",
  "loggingFormat": "json"
}
```
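The JSON and Splunk sections above both describe an HTTP(S) listener that receives the audit record as a POST body with the configured `auth` value sent verbatim as the `Authorization` header, the only difference being Splunk's `{"event": {...}}` envelope. As an added example (not from this page or from Delinea), the Python below is a small collector that validates that header in constant time, unwraps the envelope when present, checks that the core audit fields are there, and returns the record with the HTTP status to answer. The request bodies and tokens are constructed from the page's samples; the `REQUIRED_FIELDS` list, the listen address and the log line format are assumptions of this example.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Any, Dict, Mapping, Optional, Tuple

# Fields every audit record on this page carries; assumed here as a sanity check.
REQUIRED_FIELDS = ("action", "created", "id", "principal", "status")

# Constructed bodies modelled on the page's JSON and Splunk samples
# (hypothetical ids and tenant).
JSON_BODY = (
    b'{"action":"POST","created":"2020-06-02T17:52:30.841020649Z",'
    b'"id":"b40e07d3-6fb9-41e8-9816-356de992b8fa","ipaddress":"10.10.10.10",'
    b'"message":"login succeeded","path":"token","principal":"users:user",'
    b'"status":"200","tenant":"tenant","tenantName":"tenantName"}'
)
SPLUNK_BODY = b'{"event":' + JSON_BODY + b'}'


def handle_audit_post(headers: Mapping[str, str], body: bytes,
                      expected_auth: str) -> Tuple[int, Optional[Dict[str, Any]]]:
    """Validate one POST from DSV and return (http_status, audit_record).

    DSV sends the configured 'auth' string as the Authorization header (for
    Splunk that is the whole "Splunk <token>" value), so the header is compared
    verbatim and in constant time. Splunk listeners get {"event": {...}};
    plain JSON listeners get the bare record.
    """
    presented = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    if not hmac.compare_digest(presented.encode(), expected_auth.encode()):
        return 401, None                      # wrong or missing token: drop it
    try:
        doc = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return 400, None
    record = doc.get("event", doc) if isinstance(doc, dict) else None
    if not isinstance(record, dict) or any(f not in record for f in REQUIRED_FIELDS):
        return 400, None
    return 200, record


class DsvAuditHandler(BaseHTTPRequestHandler):
    """Minimal local collector for a 'json' or 'splunk' endpoint (plain HTTP
    on loopback; a TLS terminator goes in front of it for anything else)."""
    expected_auth = "abcdef"                  # the 'auth' value configured in DSV

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        code, record = handle_audit_post(self.headers, self.rfile.read(length),
                                         self.expected_auth)
        if record is not None:
            print(f'{record["created"]} {record["principal"]} '
                  f'{record["action"]} {record.get("path", "-")} -> {record["status"]}')
        self.send_response(code)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), DsvAuditHandler).serve_forever()
```

Answering 401 for a bad token and 400 for a malformed body keeps the collector's own behaviour observable in DSV's retry handling described at the top of the page, and the same `handle_audit_post` function can sit behind any other web framework.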