The easiest way to enable Splunk to receive beSECURE vulnerability information is to have beSECURE send it via syslog messages whenever a scan event occurs. beSECURE supports the following scan events: Start, Complete, Results and Failed. For each of these events beSECURE sends a message to Splunk, which collects it via its Syslog collector.

To configure a Syslog collector, follow these steps:

  1. Connect to your Splunk server.

  2. Go to Splunk -> Settings -> Data Inputs -> Local Inputs.

  3. Select a new TCP collector and configure a Port (the default is 514) and “Only accept connection from” with the IP address of beSECURE (this is recommended):

  4. If this is the first TCP collector you are creating for beSECURE, select the “New” option and type the following – if you already created a TCP collector before, reuse the beSECURE entry you created:

     Source Type: beSECURE

     Source Type Category: Network & Security

     Source Type Description: beSECURE Vulnerability Information

  5. In the App Context, select the precedence you want the vulnerability information to take in Splunk’s processing. If you are using Splunk as an archive engine (tracking vulnerability information over time) rather than an action engine (taking actions whenever a vulnerability is discovered), select “Search & Reporting”; otherwise select “Monitoring Console”. If you are unsure what to select, start with “Search & Reporting”, as it is the more common option:

  6. In the Indexing option, select “IP”, as in the most commonly used configuration the beSECURE IP address does not have a DNS record:

  7. In the “Index” section, create a new index called beSECURE; this option will allow you to easily search and find your beSECURE vulnerability information. Click on “Create a new Index”, type the name beSECURE in the “Index Name” field and click Create:

  8. Select the “besecure” index:

  9. Click on the Review button:

  10. Click on the “Submit” button.

  11. You have now completed the configuration of Splunk and are ready to configure the beSECURE system.

  12. In beSECURE, access the More -> Server -> Integration section:

  13. Click on the “Syslog Integration” checkbox:

  14. Fill in the Hostname with the IP address or DNS entry of the Splunk server, set the Protocol to TCP, and tick the checkboxes for “Start”, “Completed” and “Results” – the Failed messages are always sent and cannot be turned off:

  15. If you wish, you can also have beSECURE send the audit logs via syslog – this includes non-vulnerability information related to creation, modification, deletion and launching of scans, etc.

  16. Congratulations, you have configured both Splunk and beSECURE to communicate with each other. Once a scan starts/completes/etc., you will see it in the Splunk interface under “Search & Reporting” (if you configured it to be part of the Monitoring Console, it will show up there):

  17. To locate the vulnerabilities collected, use the index filter, which will match the previously defined index: index="beSECURE"
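As an added example (not part of the original guide or of either product's own files), the same TCP input, source type and index can be declared in Splunk's configuration files instead of the web UI, which is useful for reproducing the setup on another search head or under version control. The app directory `besecure` and the scanner address `192.0.2.10` are assumptions; the index is written in lowercase as `besecure` because Splunk index names must be lowercase, which is why the UI offers “besecure” in step 8 even though “beSECURE” was typed in step 7.

```ini
# $SPLUNK_HOME/etc/apps/besecure/local/inputs.conf
# TCP syslog input for beSECURE scan events (constructed example).
# acceptFrom restricts the listener to the scanner's IP, matching
# "Only accept connection from" in step 3; 192.0.2.10 is a placeholder.
[tcp://514]
connection_host = ip
acceptFrom = 192.0.2.10
sourcetype = beSECURE
index = besecure
disabled = 0

# $SPLUNK_HOME/etc/apps/besecure/local/props.conf
# Source type metadata entered in step 4.
[beSECURE]
category = Network & Security
description = beSECURE Vulnerability Information

# $SPLUNK_HOME/etc/apps/besecure/local/indexes.conf
# Dedicated index created in step 7 (paths are the usual defaults).
[besecure]
homePath   = $SPLUNK_DB/besecure/db
coldPath   = $SPLUNK_DB/besecure/colddb
thawedPath = $SPLUNK_DB/besecure/thaweddb
```

After a Splunk restart, the search `index="besecure" sourcetype="beSECURE"` should return events as soon as beSECURE sends its first Start, Completed, Results or Failed message; an empty result with the scanner reporting a send error usually means `acceptFrom` does not match the address the scanner actually connects from.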