Sending Logs to SIEM in CEF Format
In addition to the Disarmer logs that are configured in logs.xml
To enable SIEM logging, you must configure it in the report.xml file. The required configuration attributes are:
|n||Log message format: Must be CEF (default).|
|n||Address: IP or hostname address for the Syslog server (default value = empty).|
|n||Port: Syslog server port. Default port is 514.|
An optional configuration attribute is:
|n||AppName: Scanner (default). The malware scanner sends antivirus update messages to SIEM.|
nThe IsActivated parameter under SiemSettings must be set to "true" in order for logs to be published.
nFor changes in the report.xml file to take effect, you must restart the Votiro.Sanitization.API and Votiro.SNMC Windows services.
nFor antivirus messages to be sent to SIEM, you must restart the Votiro Scanner service.
For more information see SIEM Report Settings on page 1
Here is an example of an SIEM message in the Disarmer system:
CEF:0|VOTIRO|SDS|184.108.40.2069|20020100|Votiro Service Started|5| rt=Sep 19 2017 05:57:38 dtz=03:00:00 dvchost=VOTIROSDSWS msg=Votiro service started.
CEF Message Format
The CEF message format is as follows:
CEF:Version | Device Vendor | Device Product | Device Version |
Signature ID |Name |Severity | Date and host name extension
|n||Version. Always 0.|
|n||Device Vendor: Always VOTIRO.|
|n||Device Product: Always SDS.|
|n||Device Version: The version of Disarmer.|
|n||Signature ID: Event ID. Made up of Family Id and Id, where:|
|t||Family Id can be one of:|
|||100, in the case of a Trace event.|
|||200, in the case of a System event.|
|||500, in the case of an Indicator event.|
|||600, in the case of an Internal Trace event.|
|t||Id is a five-numeral string.|
|n||Name: Event Name indicates the type of event. See Report Events.|
|n||Severity: Indicates the urgency of the event.|
Very fine-grained informational events that are most useful to debug an application.
Fine-grained informational events that are most useful to debug an application.
Informational messages that highlight the progress of the application at coarse-grained level.
This is the default level.
Informational messages that highlight the progress of the application at the highest level.
Potentially harmful situations.
Error events that might still allow the application to continue running.
Very severe error events that will presumably lead the application to abort.
|n||Date and host name extension. The rest of the extension follows these three values.|
|t||Date. Timestamp of event occurrence in the system. The extension always begins with three values:|
|||rt = receipt time = time the message was first reported|
|||dtz = device time zone = abbreviated. See: Time Zone Abbreviations.|
|||dvchost is the host name, for example, John-PC|
|t||Host name. The name of the Disarmer server in which it occurred.|
|t||Extension. The last value is always msg, which stands for “message” and is the human readable message of the event description. See Report Events.|