Data Lake Administration Guide

Forwarding to Other Destinations

Syslog Forwarding Management in Exabeam Data Lake

Note

SaaS Cloud deployments only support TCP 515 with TLS.

SaaS Cloud deployments support Syslog forwarding but must be configured by an Exabeam technical representative. Please gather the relevant sources and destinations and then contact your Exabeam technical representative to enable Syslog forwarding.

Data Lake can be configured to send all, or a subset of, ingested logs to Advanced Analytics or other destinations via Syslog. This capability allows you to send your logs to an Advanced Analytics instance and/or third-party destination.

If you also have deployed an instance of Advanced Analytics, we strongly recommend using this functionality, as logs ingested by Data Lake can be consumed immediately by Advanced Analytics for threat detection.

Follow the instructions in Syslog Forwarding to Advanced Analytics to forward logs ingested by Data Lake to Advanced Analytics. Alternatively, follow the instructions in Syslog Forwarding to External Destinations to forward all logs ingested by Data Lake to external destinations.

Then follow the instructions in Selective Forwarding via Conditions.

Syslog Forwarding Destinations

Figure 7. Syslog Forwarding Menu

The Syslog Forwarding menu provides details and settings for Data Lake log forwarding recipients. The Destinations section lets you add a new syslog destination (either internal or external destinations) and access a list of your configured syslog destinations.

Hover over any syslog destination to enable additional actions, such as:

  • Reconnect – If the destination is disconnected, attempt to manually reconnect the destination.

Note

If the configured destination is Exabeam Advanced Analytics, forwarding reconnects automatically when the Advanced Analytics service returns.

  • Disable – Disable syslog forwarding to the destination.

  • Edit – Edit the destination (name, hostname or IP, port, and protocol).

  • Delete – Remove the destination and all associated conditions.

The Conditions section lets you add new log filters (or "conditions") and access a list of your configured filters.

Hover over any condition to enable additional actions, such as:

  • Disable – Disable condition.

  • Edit – Edit the condition (log type and filter expression).

  • Delete – Remove the condition.

Configure Log Forwarding Rate

The log forwarding volume from source to destination must be balanced so that the destination is not overwhelmed by too many logs pushed to it, while the source is not throttled so much that a backlog of un-ingested logs builds up. By default, Exabeam Data Lake does not enforce a log forwarding cap. Defining a throughput rate is optional and lets you fine-tune the data flow to suit your organization's needs. You can adjust the flow at any time as log volumes and deployments change.

When defining the log forwarding limit, consider:

  • The limit must be from 3000 to 55000 events per second (EPS) per destination

  • A different EPS limit can be set for each syslog forwarding destination (maximum 6 forwarding destinations per Data Lake cluster)

  • Data Lake temporarily holds logs that have not yet been transmitted in Kafka for 2 to 2.5 days (depending on capacity); logs that have already been forwarded are then purged

  • Define the limit with a reasonable upper cap, since messages over the limit are processed with a delay

  • TCP log forwarding is strongly recommended rather than UDP

  • Where Exabeam Advanced Analytics is the destination of forwarded logs, the maximum forwarding rate is 11,000 EPS per active Log Ingestion and Messaging Engine (LIME) instance in Advanced Analytics
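The following Python script is an added planning aid, not part of Exabeam Data Lake or this guide. It checks a planned set of destinations against the limits listed above (3,000 to 55,000 EPS per destination, six destinations per cluster, 11,000 EPS per active LIME instance) and estimates whether a destination that cannot keep up with its share of ingestion would leave logs in Kafka beyond the two-day hold. The input format, the share field (the fraction of ingested logs matched by a destination's conditions), and the assumption that a sustained deficit ends in purged logs are the example's own.

```python
# Limits stated on this page (confirm them against the guide for your release).
MIN_EPS, MAX_EPS = 3_000, 55_000      # allowed per-destination rate limit
MAX_DESTINATIONS = 6                  # forwarding destinations per Data Lake cluster
AA_EPS_PER_LIME = 11_000              # per active LIME instance in Advanced Analytics
KAFKA_HOLD_DAYS = 2.0                 # lower end of the 2 to 2.5 day hold for unsent logs


def check_forwarding_plan(ingest_eps, destinations):
    """Validate a planned set of forwarding destinations and flag sustained backlog.

    ingest_eps:   total events per second ingested by Data Lake.
    destinations: list of dicts with keys
        name      - destination label
        eps       - planned rate limit, or None for no cap
        share     - fraction of ingested logs matched by its conditions (default 1.0)
        aa_limes  - active LIME instances if the destination is Advanced Analytics
    Returns a list of (destination, finding) tuples; an empty list means the plan is
    within the limits on this page and no destination falls behind ingestion.
    """
    findings = []
    if len(destinations) > MAX_DESTINATIONS:
        findings.append(("cluster", f"{len(destinations)} destinations exceed the "
                                    f"maximum of {MAX_DESTINATIONS}"))
    for d in destinations:
        name, eps = d["name"], d.get("eps")
        if eps is not None and not MIN_EPS <= eps <= MAX_EPS:
            findings.append((name, f"rate limit {eps} EPS is outside {MIN_EPS}-{MAX_EPS} EPS"))
        # Effective throughput is the lower of the configured cap and, for an
        # Advanced Analytics destination, the combined LIME capacity.
        effective = eps if eps is not None else float("inf")
        limes = d.get("aa_limes")
        if limes:
            effective = min(effective, limes * AA_EPS_PER_LIME)
        volume = ingest_eps * d.get("share", 1.0)
        deficit = volume - effective
        if deficit > 0:
            # Assumption (not stated on the page in these terms): a sustained
            # deficit accumulates in Kafka and the oldest unsent logs are purged
            # once they exceed the hold window.
            lost_per_day = int(deficit * 86_400)
            findings.append((name, f"needs {volume:.0f} EPS but can forward {effective:.0f} EPS; "
                                   f"about {lost_per_day} events/day will age out after "
                                   f"~{KAFKA_HOLD_DAYS:g} days"))
    return findings


if __name__ == "__main__":
    # Constructed plan: 20,000 EPS ingested, one AA destination with a single
    # LIME and one external SIEM whose planned cap is above the allowed range.
    plan = [{"name": "aa", "eps": 11_000, "aa_limes": 1},
            {"name": "siem", "eps": 60_000}]
    for dest, finding in check_forwarding_plan(20_000, plan):
        print(f"{dest}: {finding}")
```

Run it before changing a rate limit; every finding names the destination and the limit it violates, so the fix is either a different cap, more LIME instances, or narrower conditions on that destination.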

To adjust the log forwarding limit for a log destination:

  1. Navigate to Settings > Log Forwarding > Log Destinations.

  2. In the Syslog Forwarding menu, select the log destination to edit.

    If there is no log destination configured, select Add a Destination to create a recipient. For more information, see Syslog Forwarding Management in Exabeam Data Lake.

  3. Click Enable Rate Limit and then enter a log throughput rate between 3,000 and 55,000 events per second. Log messages over the limit are processed with a delay.

  4. Click Save or Add to apply the configuration. No service restarts are necessary.

How to Forward Syslog to Exabeam Advanced Analytics from Exabeam Data Lake

This process will configure your Data Lake product to forward ingested logs to your Advanced Analytics product via syslog. A best practice is to forward only necessary logs to Advanced Analytics.

Required:

Before you begin, please ensure you have the following:

  • Permissions to adjust log ingestion settings in Advanced Analytics

  • Permissions to adjust log forwarding settings in Data Lake (see Configure Log Forwarding Rate)

  1. Enable Syslog Ingestion in Advanced Analytics.

    1. Log in to the Advanced Analytics product, and then navigate to Admin Settings > Log Management > Log Ingestion Settings.

    2. Toggle the Enable Syslog Ingestion setting to ON.

    3. If you previously added Data Lake as a server, then delete it. Otherwise, skip to step 1d (Click Next).

    4. Click Next.

  2. Configure Advanced Analytics as your syslog destination.

    1. Log in to the Data Lake product, and then navigate to Settings > Log Forwarding > Log Destinations.

    2. Click Add in the Destinations box.

    3. Enter a Name, Hostname or IP, and Port, and then select a Protocol.

    4. Click Add.

    5. Optionally, configure any forwarding Conditions.

  3. Verify that the Advanced Analytics instance is receiving logs by running the following on the Advanced Analytics host, replacing eno1 with its receiving network interface and <syslog_port> with the port entered in step 2c:

    sudo tcpdump -i eno1 'port <syslog_port>'

How to Forward Syslog from Exabeam Data Lake to Non-Exabeam External Destinations

This process will configure your Data Lake product to forward ingested logs to external non-Exabeam destinations via syslog.

Required:

  • An external destination configured to ingest syslog data

  • Permissions to adjust log forwarding settings in Data Lake (see Configure Log Forwarding Rate)

  1. Log in to the Data Lake product, and then navigate to Settings > Log Forwarding > Log Destinations.

  2. Click Add in the Destinations box.

  3. Enter a Name, Hostname or IP, and Port, and then select a Protocol.

  4. Click ADD.

  5. Optionally, configure any forwarding Conditions.

Verify that the external destination is receiving logs.
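The following Python script is an added example, not part of Exabeam Data Lake or this guide, for confirming that a syslog destination accepts a TCP connection (optionally inside TLS, as required for SaaS deployments on port 515) on the port you entered in the destination record, before Data Lake starts forwarding to it. It builds an RFC 5424 message, sends it newline-framed, and includes a loopback receiver so the script can be exercised offline. The message format, framing, default facility/severity, and function names are the example's own choices; the format Data Lake itself emits is not documented on this page.

```python
import socket
import ssl
import threading
from datetime import datetime, timezone


def build_syslog_message(msg, hostname="datalake-check", app="dl-forward-check",
                         facility=1, severity=6):
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    Defaults are user(1).info(6), i.e. PRI 14; these are assumed, not Data Lake's."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}"


def send_syslog_tcp(host, port, message, use_tls=False, cafile=None, timeout=5.0):
    """Send one newline-framed syslog message over TCP, optionally inside TLS.

    With use_tls=True the server certificate is verified against the system trust
    store (or `cafile`) and the hostname is checked, so a connection that succeeds
    here will also succeed for a client that refuses untrusted peers.
    Returns the number of bytes written.
    """
    frame = (message + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if use_tls:
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(frame)
        else:
            sock.sendall(frame)
    return len(frame)


def split_frames(buf):
    """Split a received byte buffer into complete newline-framed messages and the
    unfinished remainder (TCP is a stream, so a frame may arrive in pieces)."""
    *lines, rest = buf.split(b"\n")
    return [line.decode("utf-8") for line in lines], rest


def start_loopback_receiver(received):
    """Plain-TCP stand-in for a destination: accepts one connection on an
    ephemeral loopback port and appends decoded frames to `received`.
    Returns (port, thread); join the thread to wait for the data."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        buf = b""
        with conn:
            while chunk := conn.recv(4096):
                buf += chunk
        srv.close()
        msgs, _ = split_frames(buf)
        received.extend(msgs)

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    # Offline demonstration against the loopback receiver. For a real check,
    # call send_syslog_tcp("<destination host>", <port>, msg, use_tls=True)
    # with the host, port, and protocol from the Data Lake destination record.
    got = []
    port, thread = start_loopback_receiver(got)
    msg = build_syslog_message("Data Lake forwarding connectivity check")
    send_syslog_tcp("127.0.0.1", port, msg)
    thread.join(5)
    print("received:", got)
```

A TLS handshake failure here (certificate not trusted, hostname mismatch, or no TLS listener on the port) is the same condition that would leave the destination showing as disconnected in the Syslog Forwarding menu, so resolve it on the receiver before adding the destination.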

Exabeam Data Lake Selective Forwarding using Conditions

Conditions let you filter the logs ingested into Data Lake and forward only the matching logs to your Syslog destination for threat detection.

Conditions are based on log types. When you create a filter, select the type of log that you wish to forward from a predefined menu.

To add a new condition:

  1. Log in to the Data Lake product, and then navigate to Settings > Log Forwarding > Log Destinations.

  2. Select an existing destination, or click ADD to create a new destination (either Advanced Analytics or external).

  3. Click Add Condition.

  4. Select the log type that you want to forward. The default filter condition is automatically entered into the Filter Expression box.

  5. Optionally, edit the filter condition according to your business needs. See Editing Condition Filters.

  6. Click Add.

  7. The condition appears in the condition list and is automatically enabled.

Editing Condition Filters

In condition filters, string matching is applied to raw log text. There is no distinction between field names and content.

Consider the following when creating condition filters:

  • Regular expressions are not supported

  • Text strings in condition filters must be enclosed in double-quotes

  • Multiple conditions in a filter are combined with the or operator

  • A double-quote inside a text string must be escaped with a backslash (\), as in the last example below

  • Parentheses are not supported

  • The and operator takes precedence over or in the logic order

Here are some examples:

  • "s1" – the event must contain s1

  • "s1" and "s2" – the event must contain both s1 and s2

  • "s1" and "s2" or "s3" – the event must contain both s1 and s2, or must contain s3

  • "s1" or "s2" and "s3" – the event must contain s1, or both s2 and s3

  • "s1" and "\"s2\"" – the event must contain both s1 and "s2" (quotes included)
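The following Python module is an added example, not Exabeam's filter implementation, that applies the rules above to sample log lines so a filter expression can be checked against representative logs before it is saved as a condition. It assumes case-sensitive substring matching on the raw text, lowercase and/or keywords, and backslash-escaped quotes as in the last example; the sample log lines are constructed for the demonstration.

```python
import re

# Tokenizer for the grammar described on this page: a double-quoted string with
# backslash escapes, the keywords "and" / "or", or any other non-space character,
# which is an error (bare words, parentheses and regular expressions are not allowed).
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|\b(and|or)\b|(\S)')


def parse_condition(expr):
    """Parse a filter expression into OR-groups of AND-ed substrings.

    '"s1" and "s2" or "s3"' -> [["s1", "s2"], ["s3"]]
    Because "and" binds tighter than "or" and there are no parentheses, every
    expression is a list of groups joined by "or", where each string in a group
    must be present in the log.
    """
    groups = [[]]
    expect_string = True
    for m in _TOKEN.finditer(expr):
        text, op, stray = m.groups()
        if stray is not None:
            raise ValueError(f"unsupported token {stray!r}: strings must be double-quoted; "
                             "parentheses and regular expressions are not allowed")
        if expect_string:
            if text is None:
                raise ValueError(f"expected a quoted string before {op!r}")
            if text == "":
                raise ValueError("an empty string would match every log")
            # Unescape \" (and \\) inside the quoted string.
            groups[-1].append(re.sub(r"\\(.)", r"\1", text))
        else:
            if op is None:
                raise ValueError(f"expected 'and' or 'or' before {text!r}")
            if op == "or":
                groups.append([])
        expect_string = not expect_string
    if expect_string:
        raise ValueError("expression is empty or ends with an operator")
    return groups


def condition_matches(groups, raw_log):
    """Plain, case-sensitive substring matching on the raw log text; field names
    and values are not distinguished, as the page states."""
    return any(all(s in raw_log for s in group) for group in groups)


def select_forwarded(expr, raw_logs):
    """Return the logs a condition would forward, for an offline check."""
    groups = parse_condition(expr)
    return [log for log in raw_logs if condition_matches(groups, log)]


# Constructed sample raw logs (not real Exabeam data).
SAMPLE_LOGS = [
    "Jan 10 12:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.9",
    'Jan 10 12:00:02 dc01 Microsoft-Windows-Security-Auditing: EventID=4625 user="jdoe" status=failure',
    'Jan 10 12:00:03 dc01 Microsoft-Windows-Security-Auditing: EventID=4624 user="jdoe" status=success',
    "Jan 10 12:00:04 vpn01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7",
]

if __name__ == "__main__":
    for expr in ('"EventID=4625"',
                 '"sshd" and "Failed password" or "EventID=4625"',
                 '"dc01" and "\\"jdoe\\"" and "failure"'):
        print(f"{expr!s:50} -> {len(select_forwarded(expr, SAMPLE_LOGS))} log(s)")
```

Because and binds tighter than or, the second expression forwards failed SSH logins and Windows 4625 events but not a log that merely mentions sshd; if the intent was different, reorder the terms rather than adding parentheses, which the filter syntax rejects.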

How to Configure Exabeam Data Lake Log Destinations for Correlation Rule Outcomes

In addition to syslog forwarding to multiple recipients, you can filter the content further using correlation rules.

To incorporate correlation rules with log forwarding:

  1. Create a Destination Record.

    1. Navigate to Settings > Log Forwarding > Log Destinations and then click Add.

    2. Fill in the destination fields and then select Receive Correlation Rules Outcome.

    3. Click ADD. Your new record should appear in the Syslog Forwarding list of destinations.

  2. Direct the outcome of a correlation rule to your destination. The following is an example of creating a new correlation rule.

    1. Navigate to Settings > Correlation Rules > Correlation Rules, and then click CREATE.

    2. Select the correlation rule type that will activate log forwarding to your destination.

    3. At the Determine Rule Outcomes step, enable ADD RISK TO ENTITIES. If your destination is an Advanced Analytics platform, click User and/or Assets to choose the entity timeline to append data to.

    4. Click NEXT to the Save Rule step to complete the correlation rule creation.

How to Forward Exabeam Data Lake Incident to Exabeam Incident Responder

Hardware and Virtual Deployments Only

If you have Exabeam Incident Responder in your environment, you can create incidents in it directly, using triggers generated by correlation rules.

Warning

It is required that your Incident Responder host has parsers to receive payloads from Data Lake. Otherwise, Data Lake forwarded items will not produce incidents.

Note

Ensure that routing and access are enabled to and from port 9875 for data transport on both the Data Lake and Incident Responder hosts.

To set up incident forwarding, you must first establish an Incident Responder destination:

  1. Navigate to Settings > Index Management > Advanced Settings.

  2. Click the Edit icon to change the status of incidentResponderAlerts. A status of “false” indicates that incident forwarding is disabled.

  3. Click the Enable checkbox and then the Save icon to enable forwarding to Exabeam Incident Responder.
  4. Edit the ir.outcome setting in /opt/exabeam/config/lms/server/default/application.conf at the Data Lake master host with the Incident Responder host and port information.

    ir.outcome {
      enabled = true
      syslogservers = [
        {
          host = "<hostname>"
          port = 9875
        }
      ]
    }

  5. Restart Data Lake to apply incident forwarding changes.

    lms-server-stop; sleep 5; lms-server-start
  6. In the Data Lake UI, create a rule to utilize the incident forwarding:

    1. Navigate to Settings > Correlation Rules.

    2. Click Create to build a new rule or select an existing rule to edit.

    3. During rule creation in the Rule Outcomes menu, click CREATE AN INCIDENT and fill in the incident descriptors based on your organization's security policies.

    4. Proceed with the remainder of the rule creation process.