From 1d062cf5f80ce4bbe9846d8bd5b60ae4de220ab8 Mon Sep 17 00:00:00 2001 From: Pierre Penhouet Date: Fri, 16 Feb 2024 10:46:39 +0100 Subject: [PATCH] Extend forwarder conf for Varonis --- .../network/varonis_data_security.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/xdr/features/collect/integrations/network/varonis_data_security.md b/docs/xdr/features/collect/integrations/network/varonis_data_security.md index 33a8c2eed9..e40c375c22 100644 --- a/docs/xdr/features/collect/integrations/network/varonis_data_security.md +++ b/docs/xdr/features/collect/integrations/network/varonis_data_security.md 
@@ -36,3 +36,28 @@ Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a n ### Forward logs to Sekoia.io Please consult the [Syslog Forwarding](../../../ingestion_methods/sekoiaio_forwarder/) documentation to forward these logs to Sekoia.io. + +Currently, the syslog format generated by Varonis does not comply with RFC standards. As a result, the transmitted data is not inherently compatible with the Sekoia forwarder. Therefore, it is necessary to refer to [this documentation](../../../ingestion_methods/sekoiaio_forwarder/#import-a-custom-rsyslog-configuration) in order to extend the default configuration of the forwarder (available since version 2.4) and add this specific configuration for Varonis logs: + +```bash +input(type="im$PROTOCOL" port="$PORT" ruleset="remoteVaronis") +template(name="SEKOIAIO_Varonis_Template" type="string" string="<%pri%>1 %timegenerated:::date-rfc3339% %hostname% $APP-NAME - LOG [SEKOIA@53288 intake_key=\"$INTAKE-KEY\"] %msg:R,ERE,1,FIELD:.*(CEF.*)$--end%\n") +ruleset(name="remoteVaronis"){ +action( + name="varonis" + type="omfwd" + protocol="tcp" + target="intake.sekoia.io" + port="10514" + TCP_Framing="octet-counted" + StreamDriver="gtls" + StreamDriverMode="1" + StreamDriverAuthMode="x509/name" + StreamDriverPermittedPeers="intake.sekoia.io" + Template="SEKOIAIO_Varonis_Template" + ) +} +``` + +!!! Note + Don't forget to replace the variables $PROTOCOL (tcp or udp) to choose the protocol by which Varonis logs are received, the $PORT of entry, your $APP-NAME syslog, and your $INTAKE-KEY Sekoia. \ No newline at end of file
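Review bot: the `input(type="im$PROTOCOL" ...)` line declares a new listener but the snippet never loads the matching module, so a reader who pastes this into a custom rsyslog configuration as instructed will get an "unknown input type" error unless `imtcp`/`imudp` is already loaded by the forwarder's default configuration. Either add `module(load="im$PROTOCOL")` above the `input(...)` line, or state in the Note that the default forwarder configuration (2.4 and later) already loads both modules. Two smaller points on the same hunk: "does not comply with RFC standards" should name the standard that is violated (RFC 3164 or RFC 5424) and what is malformed, since that is what justifies the `%msg:R,ERE,1,FIELD:.*(CEF.*)$--end%` regex that keeps only the CEF portion of the message (and the `FIELD` no-match option, which falls back to the whole `msg` when no `CEF` marker is present, deserves a sentence so readers know non-CEF lines are not dropped); and the Note's "the $PORT of entry" reads awkwardly and would be clearer as "the $PORT the forwarder listens on". The file is also committed without a trailing newline ("\ No newline at end of file").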