Configuring Security Event Forwarding from Aria Operations for Logs to Splunk
search cancel

Configuring Security Event Forwarding from Aria Operations for Logs to Splunk

book

Article ID: 324379

calendar_today

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

When configuring a log forwarding from Aria Operations for logs to Splunk, it is recommended to apply filters based on specific event types to reduce the volume of logs forwarded and ensure only relevant security events are sent to Splunk ES.

This article provides guidance on commonly filtered event types used for security auditing purposes, such as user logins, authentication failures, system reboots, configuration changes, and other security-related activities.

Environment

Aria Operations for Logs  8.18.x

Resolution

For sending security related events to a SIEM solution like SPLUNK use text filters in addition to the appname filter.

Use the "Text" and "Matches" filters within your Log Forwarding destination configuration.

It is important to note that the log forwarding engine requires explicit wildcards to match strings correctly.

Please follow these steps to configure your filters:

  1. Navigate to Log Management > Log Forwarding in the Aria Operations for Logs UI.
  2. Edit your existing Splunk destination or create a new one.
  3. Add a filter using Text and Matches.
  4. Enter your security keywords surrounded by wildcards (e.g., *password*). You can add multiple keywords by pressing Enter after each one.

This list will cover all the security specific logs but must be entered manually:

*password was changed*
*logged out*
*cannot login*
*logged in*
*rejected password for user*
*Permission rule removed*
*DCUI has been enabled*
*Firewall configuration has changed*
*Permission created*