
Security Information and Event Management

SIEM (Security Information and Event Management) is a security management system that manages data from various sources.

It provides a comprehensive and centralized overview of the current security situation of an IT infrastructure. To this end, the SIEM system collects and categorizes machine data from various sources. This data is analyzed and deviating behavior in the IT infrastructure is detected. This can be done in real time at any time.

To connect your G DATA security solution to your existing SIEM system, it is necessary to configure your ManagementServer, Telegraf and your SIEM system.

ManagementServer configuration


First, SIEM output must be enabled on the G DATA ManagementServer. In the same place you define the format (CEF or ECS) in which events are transferred to your SIEM system. The default format is CEF.

Open the MMS configuration file ("C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\config.xml").

Scroll to the bottom.

Edit the Siem group or add it if it does not exist.

  1. Set IsSiemEnabled to true.
  2. Set TelegrafServerPort to 8099.
  3. Set OutputFormat to CEF (the default) or to ECS if required.
Example
<group name="Siem">
	<setting name="IsSiemEnabled" type="bool" value="True" />
	<setting name="TelegrafServerPort" type="int" value="8099" />
	<setting name="OutputFormat" type="string" value="CEF" />
</group>

Restart the G DATA ManagementServer service.
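The same change can be made by script, which is useful when several ManagementServers have to be configured identically. The following PowerShell script is an added example and not part of the G DATA documentation; it assumes the config.xml layout shown above (a group element with setting children carrying name, type and value attributes, no XML namespace) and takes the service display name "G DATA ManagementServer" from the restart step of this page. It creates the Siem group if it is missing, keeps a backup of the original file and restarts the service so the new settings are read.

```powershell
# Added example, not part of the G DATA documentation: enable SIEM output in
# config.xml by script instead of by hand. Assumes the layout shown above
# (<group name="..."> elements holding <setting name="" type="" value=""/>
# children, no XML namespace); the service display name
# "G DATA ManagementServer" is taken from this page.
param(
    [string]$ConfigPath = "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\config.xml",
    [ValidateSet("CEF", "ECS")]
    [string]$OutputFormat = "CEF",
    [int]$TelegrafPort = 8099
)

function Set-Setting {
    # Create or update one <setting> element inside a <group>.
    param([System.Xml.XmlElement]$Group, [string]$Name, [string]$Type, [string]$Value)
    $node = $Group.SelectSingleNode("setting[@name='$Name']")
    if ($null -eq $node) {
        $node = $Group.OwnerDocument.CreateElement("setting")
        $node.SetAttribute("name", $Name)
        [void]$Group.AppendChild($node)
    }
    $node.SetAttribute("type", $Type)
    $node.SetAttribute("value", $Value)
}

# Keep a copy of the original so the change can be rolled back.
Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force

[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw

# Edit the Siem group, or add it at the end of the document if it is missing.
$siem = $config.SelectSingleNode("//group[@name='Siem']")
if ($null -eq $siem) {
    $siem = $config.CreateElement("group")
    $siem.SetAttribute("name", "Siem")
    [void]$config.DocumentElement.AppendChild($siem)
}

Set-Setting -Group $siem -Name "IsSiemEnabled"      -Type "bool"   -Value "True"
Set-Setting -Group $siem -Name "TelegrafServerPort" -Type "int"    -Value "$TelegrafPort"
Set-Setting -Group $siem -Name "OutputFormat"       -Type "string" -Value $OutputFormat

$config.Save($ConfigPath)

# The settings are only read at service start, so restart the ManagementServer.
Get-Service -DisplayName "G DATA ManagementServer" -ErrorAction Stop | Restart-Service -ErrorAction Stop
```

Run it from an elevated PowerShell session, since config.xml lives under Program Files and restarting the service requires administrator rights; pass -OutputFormat ECS to switch the format.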

Incoming configuration of Telegraf version 15.1.x

Telegraf is a program for collecting, processing, aggregating and writing metrics. This guide describes how to configure Telegraf (inbound) to receive security logs from G DATA ManagementServer.

Download the zip archive from this download link: https://share.gdata.de/index.php/s/pi649ToTsq79tsN.

Unzip the zip archive. Replace the existing GData.Business.Server.Siem.dll file in the "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\" directory with the new file from the downloaded zip archive.

Download the Telegraf.conf file prepared for CEF format from the following link: https://share.gdata.de/index.php/s/BrCfZq8dtN2SjqZ.
Extract the zip archive to the "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf" directory.

Warning: These instructions refer to the use of the CEF format. If you have decided to use the ECS format, these instructions must be adapted accordingly.
The Telegraf.conf prepared for ECS can be found at the following path: "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegrafSplunkEcs.conf".


Incoming configuration of Telegraf as of version 15.2.x

Telegraf is a program for collecting, processing, aggregating and writing metrics. This guide describes how to configure Telegraf (inbound) to receive security logs from G DATA ManagementServer.

For CEF output, the ready configured file is already located in the directory "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf".

If you have decided to use the ECS format, these instructions must be adapted accordingly.
The Telegraf.conf prepared for ECS can be found at the following path: "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegrafSplunkEcs.conf".

Outgoing configuration of Telegraf (Output)

Telegraf is a program for collecting, processing, aggregating and writing metrics. This guide describes how to configure Telegraf (outbound) to output security logs to your SIEM server.

The required outbound configuration depends on the output format (CEF or ECS) selected in the ManagementServer configuration.


Create Telegraf service

After the inbound and outbound sections of telegraf.conf have been configured, a new service must be created.

Change to the Telegraf directory: cd "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf"

Remove the default Telegraf service: telegraf.exe --service uninstall --service-name TelegrafGdmms --service-display-name "Telegraf (Gdmms)"

Create a new telegraf service using the customized "telegraf.conf":

telegraf.exe --service install --service-name telegraf-gdmms --service-display-name "Telegraf (Gdmms)" --config "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegraf.conf"

Restart the "G DATA ManagementServer" and the "Telegraf (Gdmms)" service once.
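The service replacement above can be run as one PowerShell script that checks each step instead of assuming it succeeded. This is an added example, not part of the G DATA or Telegraf documentation. It assumes the default service name TelegrafGdmms, the new name telegraf-gdmms and the Telegraf directory exactly as given on this page, that the customised telegraf.conf is already in place, and that the ManagementServer service carries the display name "G DATA ManagementServer".

```powershell
# Added example, not part of the G DATA or Telegraf documentation: the
# service replacement steps above as one script with exit-code checks and a
# final state check. Assumptions: the default service is named TelegrafGdmms,
# the customised telegraf.conf sits in the Telegraf directory, and the
# ManagementServer service uses the display name "G DATA ManagementServer".
$telegrafDir = "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf"
$configFile  = Join-Path $telegrafDir "telegraf.conf"
$serviceName = "telegraf-gdmms"
$displayName = "Telegraf (Gdmms)"

# A service bound to a missing config would fail at start; check first.
if (-not (Test-Path -LiteralPath $configFile)) {
    throw "Customised configuration not found: $configFile"
}
Set-Location -LiteralPath $telegrafDir

# Remove the default service. A non-zero exit usually means it is already
# gone, so it is reported but not treated as fatal.
& .\telegraf.exe --service uninstall --service-name TelegrafGdmms --service-display-name $displayName
if ($LASTEXITCODE -ne 0) { Write-Warning "Uninstall of TelegrafGdmms returned exit code $LASTEXITCODE" }

# Register the new service bound to the customised configuration.
& .\telegraf.exe --service install --service-name $serviceName --service-display-name $displayName --config $configFile
if ($LASTEXITCODE -ne 0) { throw "Service install failed with exit code $LASTEXITCODE" }

# Restart both services once so ManagementServer and Telegraf read their new
# configuration. Restart-Service also starts a service that is still stopped.
$mms = Get-Service -DisplayName "G DATA ManagementServer" -ErrorAction Stop
$mms | Restart-Service -ErrorAction Stop
Restart-Service -Name $serviceName -ErrorAction Stop

# Verify the end state: both services must reach Running within 30 seconds.
$tg = Get-Service -Name $serviceName -ErrorAction Stop
$mms.WaitForStatus("Running", [TimeSpan]::FromSeconds(30))
$tg.WaitForStatus("Running", [TimeSpan]::FromSeconds(30))
Write-Output "$($mms.DisplayName) and $($tg.DisplayName) are running."
```

WaitForStatus throws a TimeoutException if either service does not come up, which is the signal to look at the Windows event log and the Telegraf log for a configuration error rather than to continue with the SIEM side.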

