Admin account monitoring

jdland · ‎06-19-2017

Good day,

I am looking for options of exporting the audit log via an API or syslog to a SIEM solution. Currently I have the eStreamer API connected to our SIEM solution, LogRhythm. Within that API, there does not appear to be any options for monitoring account activity. I also have the syslog option configured to forward to LogRhythm. My confusion lies within the "Facility" field within the configuration.

I have been receiving the syslog, but it appears to be a limited amount of logs. I am unable to find any instance of user activity within these logs on my SIEM solution. I am specifically wanting to monitor the admin account.

When I investigate the syslog and the audit log on the SourceFire management console, I am able to find the Admin user activity. Anyone have the same issue?

Thank you

pick25690 · ‎06-21-2017

Hi,

We had a similar issue when we were trying to parse logs into a McAfee SIEM solution. Our main problem was that we didn't want all of the intrusion events coming into the SIEM so we could't use the estreamer for this, we had to use another setting SourceFire NS or something along those lines.

Do you have an option on your SIEM solution to allow it to parse events as generic syslogs so that even if a syslog message doesn't match a rule you would still be able to see it in the SIEM. This is what we have done, it is not a fix but will show you what messages you haven't got parser rules for so you can create them. For example a syslog message may say 'user:admin login success' but ther emay not be a rule in the SIEM that relates to anything in that message so you won't see it. If you turn on generic syslog then you will see this message and can create a rule that would match on 'user:admin' using a regex which would flag all admin activity under one parser.

Apologies, i'm not familiar with your SIEM solution but am assuming that it is similar to McAfee.

Regards,

Dan