Kaspersky Next XDR Expert

Configuring receipt of FreeIPA events

You can configure the receipt of FreeIPA events in KUMA via the Syslog protocol.

Configuring event receipt consists of the following steps:

  1. Configuring export of FreeIPA events to KUMA.
  2. Creating a KUMA collector for receiving FreeIPA events.

    To receive FreeIPA events, in the KUMA Collector Setup Wizard, at the Event parsing step, in the Normalizer field, select [OOTB] FreeIPA.

  3. Installing the KUMA collector in the network infrastructure.
  4. Verifying receipt of FreeIPA events by KUMA.

    To verify that the FreeIPA event source server is configured correctly, you can search for related events.

[Topic 264850]

Configuring export of FreeIPA events to KUMA

To configure the export of FreeIPA events to KUMA via the Syslog protocol in JSON format:

  1. Connect to the FreeIPA server via SSH using an account with administrator rights.
  2. In the /etc/rsyslog.d/ directory, create a file named freeipa-to-siem.conf.
  3. Add the following lines to the /etc/rsyslog.d/freeipa-to-siem.conf configuration file:

    template(name="ls_json" type="list" option.json="on") {
      constant(value="{")
      constant(value="\"@timestamp\":\"") property(name="timegenerated" dateFormat="rfc3339")
      constant(value="\",\"@version\":\"1")
      constant(value="\",\"message\":\"") property(name="msg")
      constant(value="\",\"host\":\"") property(name="fromhost")
      constant(value="\",\"host_ip\":\"") property(name="fromhost-ip")
      constant(value="\",\"logsource\":\"") property(name="fromhost")
      constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
      constant(value="\",\"severity\":\"") property(name="syslogseverity")
      constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
      constant(value="\",\"facility\":\"") property(name="syslogfacility")
      constant(value="\",\"program\":\"") property(name="programname")
      constant(value="\",\"pid\":\"") property(name="procid")
      constant(value="\",\"syslogtag\":\"") property(name="syslogtag")
      constant(value="\"}\n")
    }

    *.* @<IP address of the KUMA collector>:<port of the KUMA collector>;ls_json

    Fill in the last line according to the selected transport protocol, for example:

    *.* @192.168.1.10:1514;ls_json for sending events over UDP

    *.* @@192.168.2.11:2514;ls_json for sending events over TCP

  4. Add the following lines to the /etc/rsyslog.conf configuration file:

    $IncludeConfig /etc/rsyslog.d/freeipa-to-siem.conf

    $RepeatedMsgReduction off

  5. Save changes to the configuration file.
  6. Restart the rsyslog service by executing the following command:

    sudo systemctl restart rsyslog.service
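
As an added example that is not part of the KUMA documentation, the following Python script stands in for the KUMA collector while the rsyslog side is being set up: it listens on the UDP port named in the rsyslog action and checks that every datagram is the JSON object the ls_json template above is supposed to produce, so a mistyped template line or a wrong target is caught before the real collector is installed. The bind address, the port and the constructed SAMPLE_EVENT are assumptions, not values from the documentation.

```python
# Stand-in receiver for the KUMA collector that checks ls_json template output. Added example,
# not part of the KUMA documentation; bind address, port and SAMPLE_EVENT are assumptions.
import json
import socket
# Field names exactly as the constant(value=...) entries of the ls_json template write them.
EXPECTED_FIELDS = {
    "@timestamp", "@version", "message", "host", "host_ip", "logsource", "severity_label",
    "severity", "facility_label", "facility", "program", "pid", "syslogtag",
}
# Constructed sample of one datagram as the template renders it (not a real FreeIPA log).
SAMPLE_EVENT = (
    b'{"@timestamp":"2024-05-01T10:00:00+00:00","@version":"1",'
    b'"message":"[jsonserver_session] admin@IPA.TEST: user_add: SUCCESS",'
    b'"host":"ipa01","host_ip":"192.168.1.20","logsource":"ipa01",'
    b'"severity_label":"info","severity":"6","facility_label":"local0",'
    b'"facility":"16","program":"ipa","pid":"1234","syslogtag":"ipa[1234]:"}\n'
)

def parse_event(payload: bytes) -> dict:
    """Decode one rendered record; raise ValueError when it does not match the template."""
    text = payload.decode("utf-8").rstrip("\n")  # the template terminates each record with \n
    try:
        event = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON ({exc.msg}): {text[:80]!r}") from exc
    if not isinstance(event, dict):
        raise ValueError("payload is JSON but not an object")
    missing, extra = EXPECTED_FIELDS - event.keys(), event.keys() - EXPECTED_FIELDS
    if missing or extra:
        raise ValueError(f"field mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    # The template quotes every value, so severity and facility arrive as digit strings.
    if not (event["severity"].isdigit() and event["facility"].isdigit()):
        raise ValueError("severity/facility are not numeric strings")
    return event

def listen(bind_addr: str = "0.0.0.0", port: int = 1514) -> None:
    """Receive UDP datagrams sent by an rsyslog '*.* @host:port;ls_json' action."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        print(f"listening on udp/{port}, Ctrl-C to stop")
        while True:
            data, (src, _) = sock.recvfrom(65535)
            try:
                ev = parse_event(data)
                print(f"OK  {src} {ev['@timestamp']} {ev['syslogtag']} {ev['message']}")
            except ValueError as err:
                print(f"BAD {src} {err}")

if __name__ == "__main__":
    listen()
```

Run it on the host that will later carry the collector, then emit a test message on the FreeIPA server (for example with logger) and confirm the line is reported as OK rather than BAD.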

[Topic 264852]