Syslog forwarded events do not include Tomcat log events.

Article ID: 251867


Products

Data Loss Prevention Enforce

Issue/Introduction

The log events forwarded to the Syslog SIEM (Security Information and Event Management) solution do not include events seen in the DLP Tomcat localhost logs, such as user login failures.

Cause

As defined in the product documentation, Enforce only sends the system events listed here: System event codes and messages

Any event that is not on the list of system events is not sent to the SIEM solution. This includes several Auditlog-type actions, such as user logins and configuration changes made on Enforce. These actions have no corresponding system events, so no notification about them is sent.

Resolution

Query the Auditlog information directly in the DLP database: the AUDITLOG table is part of the DLP protect schema.
To store the Auditlog information on the SIEM server, periodically (e.g. daily) dump the output of the table into a .txt file and send that file to the SIEM server. This has to be done outside of DLP.

Below are a couple of example SQL queries which can be run as the DLP DB schema owner (default: protect) and which will provide specific Auditlog information.

The queries can be modified depending on the specific need and on the AUDITLOG table schema. The TIME patterns below assume the database session renders dates in the default DD-MON-YY form; adjust the pattern if your session uses a different date format:

1) A query which displays all actions performed by the Administrator user on Enforce in October 2022, sorted by date, descending:

SELECT * FROM AUDITLOG WHERE TIME LIKE '%OCT-22%' AND USERNAME LIKE '%Administrator%' ORDER BY TIME DESC;

2) A query which displays all user logins performed on Enforce in October, both successful and failed, sorted by date, descending:

SELECT * FROM AUDITLOG WHERE TIME LIKE '%OCT-22%' AND ENTITY LIKE '%Login%' ORDER BY TIME DESC;

You can use the above two queries as starting points to design queries that return the Auditlog information you need to send to the SIEM server.

We strongly recommend looking at the existing data in the AUDITLOG table to understand which action history is saved there and what details are stored.
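Once the AUDITLOG rows have been exported, they still have to reach the SIEM in a form it can parse. The script below is an added example (not part of this article or of the DLP product) that converts a CSV export of the table into RFC 5424 syslog lines and ships them over UDP; it only relies on the TIME, USERNAME and ENTITY columns used in the queries above, and the sample rows, the hostname `enforce01` and the SD-ID `dlpaudit@32473` (IANA's documentation enterprise number) are constructed for illustration.

```python
"""Turn exported DLP AUDITLOG rows into RFC 5424 syslog lines for a SIEM."""
import csv
import io
import socket
from datetime import datetime

# Constructed sample export. TIME, USERNAME and ENTITY are the columns the
# article's queries reference; the row values are made up for illustration.
SAMPLE_EXPORT = """TIME,USERNAME,ENTITY
12-OCT-22 09.14.03,Administrator,Login
12-OCT-22 09.15.40,jdoe,Login Failed
12-OCT-22 10.02.11,Administrator,Policy
"""

def parse_export(text):
    """Parse a CSV dump of the AUDITLOG table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def parse_time(value):
    """Parse the DD-MON-YY HH.MI.SS form used in the constructed export."""
    return datetime.strptime(value, "%d-%b-%y %H.%M.%S")

def newer_than(rows, last_forwarded):
    """Keep only rows after the last forwarded timestamp, so a daily dump
    does not replay events the SIEM has already received."""
    return [r for r in rows if parse_time(r["TIME"]) > last_forwarded]

def sd_escape(value):
    """Escape the three characters RFC 5424 reserves inside SD-PARAM values."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def to_syslog(row, hostname="enforce01"):
    """Build one RFC 5424 message. PRI 109 = facility 13 (log audit) * 8 + severity 5 (notice).
    The SD-ID uses IANA's documentation enterprise number 32473 (placeholder)."""
    ts = parse_time(row["TIME"]).strftime("%Y-%m-%dT%H:%M:%S")
    sd = '[dlpaudit@32473 user="{}" entity="{}"]'.format(
        sd_escape(row["USERNAME"]), sd_escape(row["ENTITY"]))
    msg = "{} performed {} on Enforce".format(row["USERNAME"], row["ENTITY"])
    return "<109>1 {} {} dlp-enforce - AUDITLOG {} {}".format(ts, hostname, sd, msg)

def send_udp(lines, host, port=514):
    """Ship each message as a UDP syslog datagram (use TLS syslog where the SIEM supports it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))

if __name__ == "__main__":
    for line in map(to_syslog, parse_export(SAMPLE_EXPORT)):
        print(line)
```

Persist the timestamp of the last row forwarded between runs and pass it to `newer_than` so that each scheduled dump only sends new Auditlog entries.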

Additional Information