Reference Guide
Navigate the Dell Server
114
07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5540 with SSL
07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5541 with Non-SSL
07-10-2017 16:27:02.654 -0500 INFO TcpInputProc - Creating fwd data Acceptor for IPv4 port 9997 with Non-SSL
3. Configure the Dell Server to communicate with the Splunk server and export audit events.
Use the keytool command to add the Splunk server's root certificate (cacert.pem) to the Dell
Server operating system Java keystore. The certificate is added to the operating system Java
keystore and not to the Dell Server application Java keystore.
keytool -keystore <keystore_location> -alias <alias-name> -importcert -file <certificate_file>
Add the Splunk server's root certificate (cacert.pem) to /etc/ssl/certs/java/cacerts and restart
the Security Management Server Virtual.
4. Modify the Dell Server database to change the SSL value from false to true:
In the database, navigate to the information table, SIEM-specific support configuration.
Change the "SSL":"false" value to "SSL":"true" – for example:
{"eventsExport":{"exportToLocalFile":{"enabled":"false","fileLocation":"./logs/siem/audit-export.log"},"exportToSyslog":{"enabled":"true","protocol":"TCP","SSL":"true","host":"yourDellServer.yourdomain.com","port":"5540"}}}
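Steps 3 and 4 only work together when the SSL flag in the Dell Server's eventsExport configuration agrees with the Splunk listener it points at: in the splunkd.log lines above, port 5540 is the raw TCP acceptor with SSL, port 5541 is the Non-SSL raw acceptor, and 9997 is the forwarder data port. The following script is an added example, not part of the Dell guide or the Dell Server software. It parses the acceptor lines Splunk logs at startup, flips the SSL value the way step 4 describes, and reports any mismatch between the configuration and the listener (wrong port, Non-SSL listener with SSL enabled, or pointing a syslog export at the forwarder port). The log text and JSON below are constructed samples shaped like the ones quoted in the guide.

```python
import json
import re

# Constructed sample: acceptor lines from the Splunk server's splunkd.log,
# in the same shape as the lines quoted in the guide.
SPLUNK_LOG = """\
07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5540 with SSL
07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5541 with Non-SSL
07-10-2017 16:27:02.654 -0500 INFO TcpInputProc - Creating fwd data Acceptor for IPv4 port 9997 with Non-SSL
"""

# Constructed sample: the eventsExport value from the Dell Server information table
# as it looks before step 4, i.e. with "SSL" still "false" (values are strings, as in the guide).
DELL_CONFIG_BEFORE = json.dumps({
    "eventsExport": {
        "exportToLocalFile": {"enabled": "false", "fileLocation": "./logs/siem/audit-export.log"},
        "exportToSyslog": {"enabled": "true", "protocol": "TCP", "SSL": "false",
                           "host": "yourDellServer.yourdomain.com", "port": "5540"},
    }
}, separators=(",", ":"))

# One regex for both acceptor kinds Splunk logs: "raw" (TCP input) and "fwd data" (forwarder port).
ACCEPTOR_RE = re.compile(
    r"TcpInputProc - Creating (?P<kind>raw|fwd data) Acceptor for IPv4 port (?P<port>\d+) "
    r"with (?P<mode>SSL|Non-SSL)"
)


def parse_acceptors(log_text):
    """Map each listening port to (acceptor kind, ssl_enabled) from splunkd.log lines."""
    acceptors = {}
    for line in log_text.splitlines():
        match = ACCEPTOR_RE.search(line)
        if match:
            acceptors[int(match.group("port"))] = (match.group("kind"), match.group("mode") == "SSL")
    return acceptors


def enable_ssl(config_text):
    """Step 4: return the eventsExport JSON with exportToSyslog.SSL set to the string "true"."""
    cfg = json.loads(config_text)
    cfg["eventsExport"]["exportToSyslog"]["SSL"] = "true"
    return json.dumps(cfg, separators=(",", ":"))


def check_export_config(config_text, acceptors):
    """Compare the Dell syslog export settings with the Splunk acceptors.

    Returns a list of problem strings; an empty list means the export target is
    a raw TCP acceptor whose SSL mode matches the configured SSL flag.
    """
    syslog = json.loads(config_text)["eventsExport"]["exportToSyslog"]
    problems = []
    if syslog.get("enabled") != "true":
        problems.append("exportToSyslog is not enabled")
    if syslog.get("protocol") != "TCP":
        problems.append("protocol is %r, but the Splunk acceptors are TCP" % syslog.get("protocol"))
    port = int(syslog.get("port", 0))
    if port not in acceptors:
        problems.append("port %d has no Splunk acceptor" % port)
        return problems
    kind, listener_ssl = acceptors[port]
    if kind != "raw":
        problems.append("port %d is a '%s' acceptor, not a raw TCP input" % (port, kind))
    config_ssl = syslog.get("SSL") == "true"
    if config_ssl != listener_ssl:
        problems.append("config SSL=%s but Splunk port %d is %s"
                        % (syslog.get("SSL"), port, "SSL" if listener_ssl else "Non-SSL"))
    return problems


if __name__ == "__main__":
    acceptors = parse_acceptors(SPLUNK_LOG)
    print("before step 4:", check_export_config(DELL_CONFIG_BEFORE, acceptors))
    print("after step 4: ", check_export_config(enable_ssl(DELL_CONFIG_BEFORE), acceptors))
```

Run against the sample, the pre-step-4 configuration is flagged because it sends plaintext to the SSL acceptor on 5540; after `enable_ssl` the check passes. The same check catches the opposite mistake, SSL "true" with port 5541, and a configuration that targets the forwarder port 9997, neither of which the Dell Server will report as a configuration error on its own.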
Advanced Threat Prevention Syslog Event Types
The following event types are supported with the Syslog/SIEM Advanced Threats option.
Application Control
This option is visible when the Application Control feature is enabled. Application Control events represent
actions occurring when the device is in Application Control mode. Selecting this option sends a message to the
Syslog server whenever an attempt is made to modify or copy an executable file, or when an attempt is made
to execute a file from an external device or network location.
Example Message for Deny PE File Change:
Example Message for Deny Execution from External Drive:
Devices