Merge pull request #1644 from SEKOIA-IO/varonis_extended_conf

Extend fowarder conf for varonis
SEKOIA-IO · Feb 16, 2024 · d2715ba · d2715ba
2 parents 9ab45c3 + 1d062cf
commit d2715ba
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/docs/xdr/features/collect/integrations/network/varonis_data_security.md b/docs/xdr/features/collect/integrations/network/varonis_data_security.md
@@ -36,3 +36,28 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n
 ### Forward logs to Sekoia.io
 
 Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io.
+
+Currently, the syslog format generated by Varonis does not comply with RFC standards. As a result, the transmitted data is not inherently compatible with the Sekoia forwarder. Therefore, it is necessary to refer to [this documentation](../../../ingestion_methods/sekoiaio_forwarder/#import-a-custom-rsyslog-configuration) in order to extend the default configuration of the forwarder (available since version 2.4) and add this specific configuration for Varonis logs:
+
+```bash
+input(type="im$PROTOCOL" port="$PORT" ruleset="remoteVaronis")
+template(name="SEKOIAIO_Varonis_Template" type="string" string="<%pri%>1 %timegenerated:::date-rfc3339% %hostname% $APP-NAME - LOG [SEKOIA@53288 intake_key=\"$INTAKE-KEY\"] %msg:R,ERE,1,FIELD:.*(CEF.*)$--end%\n")
+ruleset(name="remoteVaronis"){
+action(
+    name="varonis"
+    type="omfwd"
+    protocol="tcp"
+    target="intake.sekoia.io"
+    port="10514"
+    TCP_Framing="octet-counted"
+    StreamDriver="gtls"
+    StreamDriverMode="1"
+    StreamDriverAuthMode="x509/name"
+    StreamDriverPermittedPeers="intake.sekoia.io"
+    Template="SEKOIAIO_Varonis_Template"
+    )
+}
+```
+
+!!! Note
+    Don't forget to replace the variables $PROTOCOL (tcp or udp) to choose the protocol by which Varonis logs are received, the $PORT of entry, your $APP-NAME syslog, and your $INTAKE-KEY Sekoia.