Reference Guide
Security Management Server v10.2.7 AdminHelp
Integrating with a SIEM/syslog server allows administrators to run customized analytics on threat and
audit data within their environments. The Dell Server supports the export of Advanced Threat
Prevention and Data Guardian events.
To export audit events to a syslog server or to a local file:
1. In the left pane, click Management > Services Management.
2. Select the Events Management tab.
3. Select the appropriate option(s):
   Export to Local File allows export of audit events to a file. Enter the location in which to store the file. This option also provides a backup of the audit events database.
   Export to Syslog allows specification of the syslog server to which to export the file. If TCP protocol is not selected, select it.
4. Click Save Preferences.
Export Audit Events with TLS/SSL over TCP
To use TLS/SSL, the syslog server must be configured to listen for TLS/SSL messages. The root
certificate used for the syslog server configuration must be added to the Dell Server Java keystore.
The following example shows necessary configurations for a Splunk server with default certificates.
Configurations are specific to individual environments. Property values vary when using non-default
certificates.
1. Configure the Splunk server to use the Splunk server certificate and root certificate to listen on
TCP for TLS/SSL messages:

   $SPLUNK_HOME\etc\system\local\inputs.conf

       [tcp-ssl:<port number>]
       disabled = 0
       [SSL]
       serverCert = $SPLUNK_HOME\etc\auth\server.pem
       sslPassword = <password>
       requireClientCert = false

   $SPLUNK_HOME\etc\system\local\server.conf

       [sslConfig]
       sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem
       sslPassword = <password>

2. Restart the Splunk server.
After the restart, splunkd.log will have entries similar to the following:
07-10-2017 16:27:02.646 -0500 INFO TcpInputConfig - IPv4 port 5540 is reserved for raw input (SSL)
07-10-2017 16:27:02.646 -0500 INFO TcpInputConfig - IPv4 port 5540 will negotiate new-s2s protocol
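
The check in step 2 can be scripted. The following is an added example, not part of the Dell guide or of Splunk's tooling: it cross-checks inputs.conf against splunkd.log to confirm that the port the Dell Server exports to came up as a TLS listener and not as a plaintext one. The function names, the [tcp://5541] stanza, and the plaintext log line (assumed to be the same message without the "(SSL)" suffix) are constructed for illustration.

```python
import configparser
import re

# Constructed sample: the inputs.conf from step 1 with port 5540 filled in,
# plus a plaintext [tcp://5541] stanza added here to show the failure case.
SAMPLE_INPUTS = r"""
[tcp-ssl:5540]
disabled = 0
[tcp://5541]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME\etc\auth\server.pem
requireClientCert = false
"""

# First line is from the guide; the second (no "(SSL)" suffix) is an assumed format.
SAMPLE_LOG = """\
07-10-2017 16:27:02.646 -0500 INFO TcpInputConfig - IPv4 port 5540 is reserved for raw input (SSL)
07-10-2017 16:27:02.646 -0500 INFO TcpInputConfig - IPv4 port 5541 is reserved for raw input
"""

LOG_RE = re.compile(r"TcpInputConfig - IPv4 port (\d+) is reserved for raw input( \(SSL\))?")

def configured_tls_ports(inputs_text):
    """Ports with an enabled [tcp-ssl:<port>] stanza, provided [SSL] names a serverCert."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's case-sensitive key names
    cp.read_string(inputs_text)
    if not cp.has_section("SSL") or not cp["SSL"].get("serverCert"):
        return set()
    return {int(s[8:]) for s in cp.sections() if s.startswith("tcp-ssl:")
            and s[8:].isdigit() and cp[s].get("disabled", "0") in ("0", "false")}

def logged_ports(log_text):
    """Map port -> True if splunkd.log reported it as an SSL raw input."""
    return {int(m.group(1)): bool(m.group(2)) for m in LOG_RE.finditer(log_text)}

def check_export_port(port, inputs_text, log_text):
    """Return a list of problems; an empty list means a confirmed TLS listener."""
    problems = []
    if port not in configured_tls_ports(inputs_text):
        problems.append("no enabled [tcp-ssl:%d] stanza with [SSL] serverCert" % port)
    seen = logged_ports(log_text)
    if port not in seen:
        problems.append("splunkd.log has no TcpInputConfig entry for port %d" % port)
    elif not seen[port]:
        problems.append("splunkd.log shows port %d as plaintext raw input" % port)
    return problems
```

Run check_export_port against the real files' contents before pointing the Dell Server at the port; audit events sent to a port that reports any problem here would not be protected by TLS.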










