Setting up a SysLog Connection

Privilege Manager can push out SysLog formatted messages on a set schedule. Note that this does not happen immediately upon events occurring. Listed below are steps for configuration and task creation for scheduling the action of sending Discovery Event logs to a SysLog server.

Splunk Cloud doesn't support input directly from Privilege Manager. Refer to the Splunk documentation and reach out to Splunk support as needed.

Configuring SysLog Connection

The Send policy feedback option needs to be enabled on all policies that are supposed to send SysLog formatted events.

To configure SysLog messages in Privilege Manager:

Navigate to Admin | Configuration and select the Foreign Systems tab.
At the SysLog page, click Create. Select a template for the messages, provide a Name and the SysLog Server Address (either tcp or udp). The default is udp on port 514.
Once the server is created, you can use Edit to change any of the configuration settings.

The protocol drop-down options are UDP, TCP, and Devo Cloud Services (HTTPS).
Select a protocol and supply the requested parameters, then click Save Changes. (In this example, the Devo cloud services (HTTPS) protocol is selected, and the URL of your Devo cloud instance should be supplied.)

Setting up SysLog Server Tasks

After adding a new Syslog connection, to manually send logs to your Syslog Server go to Admin | Tasks.
Expand the Server Tasks folder, then Foreign Systems, select SysLog and click Create.
From the Template drop-down, for example select Send SysLog Application Events.
Add a Name for this task, an Event Name (e.g. “Privilege Manager Application Events”), and Event Severity.
From the SysLog System drop-down select your SysLog server foreign system (configured above).
Optionally also enter a Security Ratings Provider, depending on your other integrations. Use the "X" next to the pull-down to remove a selection.
Click Create.

Once created, you'll be taken to the new Scheduled Task's page where you can run the task on demand and/or specify how often you want events received by Privilege Manager (i.e., all events viewed in Admin | Event Discovery) to be pushed out to the SysLog server. The schedule can be hourly, every 30 minutes, daily, or whatever time period is preferred.

After this task runs and successfully completes, verify that Event Discovery events appear in your SysLog system.

Template Options

The following template options are available:

Send SysLog Application Action Events - Use this template to send application action events to your SysLog system. Application Action Events contain generic information about the application that run, which policy was triggered, the date/time stamp, computer, and user for example.
Send SysLog Application Justification Events - Use this template to send application justification events to your SysLog system. For example, if a user runs an application requiring a justification workflow.
Send SysLog Bad Rated Application Action Events - Use this template to send an event to your SysLog system, when an application is being installed or executed, that is identified with a bad security rating.
Send SysLog Change History Events - Use this template to send change history events to your SysLog system. When this task runs for the first time, it sends all change history to your SysLog server. On subsequent runs it only sends the delta of new change history events.
Send SysLog Events - Use this template to send all SysLog events to your SysLog system. These events are based on the different options you selected on the SysLog server during setup.
Send SysLog Newly Discovered File Events - Use this template to send newly discovered file events to your SysLog system. For this to produce any events the Default File Inventory Policy needs to be enabled and resource discovery schedules need to be customized.
Send SysLog Password Disclosure Events - Use this template to send all password disclosure events to your SysLog system.

Data Sources

The following five data sources can be used with the respective templates above:

Application Control Justification Events (7d6bdbf0-8f2a-4e9c-9c7e-fa6b75803c45)
Application Control Policy Feedback (eeb7aaf6-f675-4586-a7e3-3eb54b59ba4d)
Recently Discovered Applications Query (b875d3a6-433c-42cc-8332-05350343e498)
Local Security Password Disclosure Events (13d6cf4d-0132-4401-88ab-80b55301c60c)
Application Control Policy Feedback Restricted to Security Level (4eb4ec69-d7a9-4797-972a-41855d3e7799)

If custom data sources are used, they need to specify the following fields:

externalId
Facility
Severity
EventTime
Host
DeviceVendor
DeviceProduct
DeviceVersion
Name
CEFSeverity

Client Certificate Authentication

In order to prevent unauthorized systems from sending data to a syslog/SEIM system, users can now use client certificate authentication. In the configuration of a syslog system the Certificate field allows you to upload a certificate .pfx file. The option is only relevant if you select TCP + TLS. Once configured Privilege Manager will use this certificate to authenticate all connections when sending syslog events.

A .pfx file must be used since the private key is required.

Select Admin | Foreign Systems.
On the Configuration page, select the Foreign Systems tab. Then, click SysLog.

Click Create. Then, supply a Name and address of the SysLog server. Click Create.

On the New SysLog Server page, select TCP + TLS for protocol.
Click the Upload link.

At the Import items form, click Choose file, browse to the .pfx file and click Upload.

The certificate appears in the Certificte field. A Remove link is available if needed.

Troubleshooting if SysLog Option is Missing under Foreign Systems

If you are a Privilege Manager Cloud customer, contact Delinea support to have it added to your instance.

On-premises customers, navigate to https://[YourOrganizationURL]/TMS/Setup/ProductOptions/SelectProducts and check the Delinea SysLog Connector option. Install the SysLog Connector and accept the License Terms and Conditions.