We are using Devolutions Business Hub and Gateways in order to lock down the access to our network devices and servers. We gather logs from all of our devices in our SIEM (Rapid7 specifically), but would like to be able to correlate the awesome logs that are already captured in Business Hub.
The connection should allow for a webhook that passes either Plain Text logs or JSON data.
{
"type": "AuditLogEntry",
"size": 2,
"resources": [
{ "log": "event 1" },
{ "log": "event 2" }
]
}
Hello,
Have you tried to use our PowerShell module to extract logs on a regular basis?
Get-HubSiemLogsDaily
Get-HubSiemLogsWeekly
Get-HubSiemLogsMonthly
These should return the logs to be appended to your SIEM of choice.
Have a good day!
Maxime Morin
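The pull-and-forward loop the two posts above describe, as an added example that is not part of this thread and not Devolutions' or Rapid7's own code. It polls the Hub with the module's Get-HubSiemLogsDaily cmdlet, deduplicates against entries already forwarded (so it can safely run every 5 minutes against a daily pull), and pushes the remainder as newline-delimited JSON to a Rapid7 Insight Collector custom TCP log source. Assumed, not taken from the thread: that Connect-HubAccount takes -Url/-ApplicationKey/-ApplicationSecret, that Get-HubSiemLogsDaily takes no parameters and returns one object per entry, the collector host and port, the environment variable names, and the state-file path.

```powershell
# Added example, not Devolutions' or Rapid7's code: poll Business Hub SIEM logs and
# push only the new entries to a Rapid7 Insight Collector custom TCP log source.
# Assumptions (not from the original thread): Connect-HubAccount parameters,
# Get-HubSiemLogsDaily taking no parameters, collector host/port, env var names.
param(
    [string]$HubUrl        = $env:HUB_URL,
    [string]$AppKey        = $env:HUB_APP_KEY,        # application identity key, never hardcoded
    [string]$AppSecret     = $env:HUB_APP_SECRET,
    [string]$CollectorHost = 'collector.example.internal',  # assumed Insight Collector
    [int]   $CollectorPort = 10514,                         # assumed custom TCP log port
    [string]$StatePath     = "$env:ProgramData\HubSiemPush\state.json"
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'
Import-Module Devolutions.PowerShell

# 1. Authenticate with an application identity. It must hold the
#    "View administration logs and user activity" right or the pull is prohibited.
Connect-HubAccount -Url $HubUrl -ApplicationKey $AppKey -ApplicationSecret $AppSecret

# 2. Load dedupe state: SHA-256 of every entry already forwarded today.
#    Keying the state by date bounds it to one day's worth of hashes and makes
#    the script schema-agnostic (no dependence on a timestamp property name).
$today = (Get-Date).ToString('yyyy-MM-dd')
$sentHashes = @()
if (Test-Path $StatePath) {
    $saved = Get-Content $StatePath -Raw | ConvertFrom-Json
    if ($saved.Date -eq $today) { $sentHashes = @($saved.Sent) }
}
$seen = [System.Collections.Generic.HashSet[string]]::new([string[]]$sentHashes)

function Get-EntryHash([string]$Json) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Json)
        [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
    } finally { $sha.Dispose() }
}

# 3. Pull today's entries and keep only those not forwarded on a previous run.
$new = foreach ($entry in Get-HubSiemLogsDaily) {
    $json = $entry | ConvertTo-Json -Compress -Depth 10
    if ($seen.Add((Get-EntryHash $json))) { $json }   # HashSet.Add is $false on duplicates
}

# 4. Push one JSON object per line over TCP. UTF8Encoding($false) avoids a BOM
#    that would corrupt the first line on the collector side.
if ($new) {
    $client = [System.Net.Sockets.TcpClient]::new($CollectorHost, $CollectorPort)
    try {
        $writer = [System.IO.StreamWriter]::new($client.GetStream(), [System.Text.UTF8Encoding]::new($false))
        $writer.NewLine = "`n"
        foreach ($line in $new) { $writer.WriteLine($line) }
        $writer.Flush()
    } finally { $client.Dispose() }
}

# 5. Persist state only after a successful send, so a failed push is retried next run
#    instead of silently dropping entries.
New-Item -ItemType Directory -Force -Path (Split-Path $StatePath) | Out-Null
@{ Date = $today; Sent = @($seen) } | ConvertTo-Json -Compress | Set-Content $StatePath -Encoding UTF8
Write-Output ("Forwarded {0} new entries" -f @($new).Count)
```

Run it from a scheduled task every 5 minutes under a dedicated service account that can read the three environment variables but nothing else; the hash state means a re-run after a crash forwards only what the collector has not yet received. Plain TCP is used because that is what a collector custom log source accepts; keep the collector on a trusted segment or front it with TLS if the path crosses an untrusted network.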
This would be more of a pull configuration. I was specifically hoping for a push configuration that could be near real-time or on a time based schedule more frequent than daily.
I will take a look at the PowerShell as a starting point, thank you for the recommendation.
Hello,
If we were to create a self-hosted service or re-use the reporting service for SIEM pushing. Would this be something that you would be interested in? It wouldn't be "live", but maybe pushed every 5 mins or so.
Have a good day!
Maxime Morin
That would be perfect actually.
I also ran into an issue with the PowerShell module getting the logs. I get a prohibited error.
Hello,
Did you create an application identity and assign "View administration logs and user activity" to the app identity?
Have a good day!
Maxime Morin