Security Information and Event Management

SIEM (Security Information and Event Management) is the term for a single, centralized security management system.

It provides a comprehensive, centralized overview of the current security state of an IT infrastructure and thereby helps to monitor it. To do this, the SIEM system collects and categorizes machine data from various sources. This data is analyzed so that deviating behavior in the IT infrastructure is detected, which can happen in real time at any time.

To connect your G DATA security solution to your existing SIEM system, it is necessary to configure your ManagementServer, Telegraf and a plugin.

ManagementServer configuration

Open the MMS configuration file (config.xml).

Scroll to the end.

Edit the Siem group or add it if it does not exist.

  1. Set IsSiemEnabled to true.
  2. Set TelegrafServerPort to the port used by the Telegraf inputs.socket_listener input plugin (8099 in this example).
  3. Set OutputFormat to CEF or ECS.
Example
<group name="Siem">
	<setting name="IsSiemEnabled" type="bool" value="True" />
	<setting name="TelegrafServerPort" type="int" value="8099" />
	<setting name="OutputFormat" type="string" value="CEF" />
</group>

Restart the ManagementServer.

Telegraf configuration

Telegraf is an agent for collecting, processing, aggregating and creating metrics.

Telegraf is shipped with the ManagementServer installation.

Open a command prompt (CMD) and invoke Telegraf from there.

Create a new configuration.

Create configuration
telegraf.exe --input-filter socket_listener --output-filter http --processor-filter none --aggregator-filter none config > telegraf.conf

Open the newly created configuration file (telegraf.conf).

Find the line omit_hostname = false and change it to true.

Hostname
omit_hostname = true

Configure the Input Plugin (https://github.com/influxdata/telegraf/tree/master/plugins/inputs/socket_listener).

It should look like this:

Input Plugin Configuration
# Generic socket listener capable of handling multiple socket types.
[[inputs.socket_listener]]
  ## URL to listen on
  # service_address = "tcp://:8094"
  # service_address = "tcp://127.0.0.1:http"
  # service_address = "tcp4://:8094"
  # service_address = "tcp6://:8094"
  # service_address = "tcp6://[2001:db8::1]:8094"
  # service_address = "udp://:8094"
  # service_address = "udp4://:8094"
  # service_address = "udp6://:8094"
  # service_address = "unix:///tmp/telegraf.sock"
  # service_address = "unixgram:///tmp/telegraf.sock"
 
  ## Change the file mode bits on unix sockets.  These permissions may not be
  ## respected by some platforms, to safely restrict write permissions it is best
  ## to place the socket into a directory that has previously been created
  ## with the desired permissions.
  ##   ex: socket_mode = "777"
  # socket_mode = ""
 
  ## Maximum number of concurrent connections.
  ## Only applies to stream sockets (e.g. TCP).
  ## 0 (default) is unlimited.
  # max_connections = 1024
 
  ## Read timeout.
  ## Only applies to stream sockets (e.g. TCP).
  ## 0 (default) is unlimited.
  # read_timeout = "30s"
 
  ## Optional TLS configuration.
  ## Only applies to stream sockets (e.g. TCP).
  # tls_cert = "/etc/telegraf/cert.pem"
  # tls_key  = "/etc/telegraf/key.pem"
  ## Enables client authentication if set.
  # tls_allowed_cacerts = ["/etc/telegraf/clientca.pem"]
 
  ## Maximum socket buffer size (in bytes when no unit specified).
  ## For stream sockets, once the buffer fills up, the sender will start backing up.
  ## For datagram sockets, once the buffer fills up, metrics will start dropping.
  ## Defaults to the OS default.
  # read_buffer_size = "64KiB"
 
  ## Period between keep alive probes.
  ## Only applies to TCP sockets.
  ## 0 disables keep alive probes.
  ## Defaults to the OS configuration.
  # keep_alive_period = "5m"
 
  ## Data format to consume.
  ## Each data format has its own unique set of configuration options, read
  ## more about them here:
  ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
  # data_format = "influx"
 
  ## Content encoding for message payloads, can be set to "gzip" to or
  ## "identity" to apply no encoding.
  # content_encoding = "identity"

Add another (uncommented) service_address line. If necessary, change the port.

In the example, Telegraf listens for anything received over UDP on port 8099.

Service Address
service_address = "udp://:8099"
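To check that what arrives on the listener is well-formed CEF (the OutputFormat chosen above), the following added example parses a CEF line into its header fields and extension key/value pairs, handling the escapes the format requires, and can push a line to the listener. It is not G DATA or Telegraf code; the sample event is constructed, and the assumption that Telegraf listens on udp://127.0.0.1:8099 follows the configuration above.

```python
"""Added example: parse/validate CEF lines and send one to the Telegraf listener."""
import re
import socket

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# key=value pairs; values may contain spaces and escaped chars, next key ends them
EXT_RE = r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)"

# Constructed sample, not actual ManagementServer output (note the escaped '|' and '=').
SAMPLE = r"CEF:0|G DATA|ManagementServer|1.0|1001|Quarantine \| test|5|src=10.0.0.5 fname=C:\\tmp\\sample.txt msg=value with a\=b act=quarantined"

def _split_header(line):
    # Split on unescaped '|' only; header fields escape '|' as '\|' and '\' as '\\'.
    parts, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []
            if len(parts) == 7:              # rest of the line is the raw extension
                return parts, line[i + 1:]
        else:
            cur.append(ch)
        i += 1
    if len(parts) == 6:                      # extension is optional; severity ends the line
        return parts + ["".join(cur)], ""
    raise ValueError("CEF header needs 7 pipe-delimited fields")

def _unescape(value):
    # Extension values escape '=', '\' and line breaks as \=, \\, \n, \r.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    parts, ext = _split_header(line.rstrip("\r\n"))
    if not parts[0].startswith("CEF:"):
        raise ValueError("line does not start with 'CEF:'")
    event = dict(zip(HEADER_FIELDS, parts))
    event["version"] = parts[0][len("CEF:"):]
    event["extension"] = {k: _unescape(v) for k, v in re.findall(EXT_RE, ext.strip())}
    return event

def severity_ok(event):
    # CEF severity is 0-10 or one of the named levels.
    sev = event["severity"]
    return (sev.isdigit() and 0 <= int(sev) <= 10) or sev in ("Low", "Medium", "High", "Very-High")

def send_udp(line, host="127.0.0.1", port=8099):
    # Assumption: one newline-terminated event per datagram, to the listener configured above.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto((line + "\n").encode("utf-8"), (host, port))
```

Run `parse_cef(SAMPLE)` on a line captured from the ManagementServer to see how the SIEM will see it; `send_udp(SAMPLE)` is handy for confirming the listener port is reachable before connecting the real source.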