beSECURE can send vulnerability information to Splunk by way of Syslog messages and the Syslog Collector anytime a scan event occurs (Start, Complete, Results, or Failed).

Configuring the Syslog Collector in Splunk

To configure a Syslog collector in Splunk, do the following:

  1. Connect to your Splunk server.
  2. Select Splunk > Settings > Data Inputs > Local Inputs.
  3. Select TCP.
  4. In the Port box, enter a port.
  5. In the Only accept connection from box, enter the IP address of the beSECURE server.
  6. If this is a new TCP collector for beSECURE, select New (if you already have a TCP collector for beSECURE, reuse it instead), and then do the following:
    1. In the Source box, enter beSECURE.
    2. In the Source Type Category box, select Network & Security.
    3. In the Source Type Description box, enter beSECURE Vulnerability Information.
  7. For App Context, select the precedence you want the vulnerability information to receive in Splunk's processing. If you are using Splunk as an archive engine (that is, tracking vulnerabilities over time) rather than an action engine (that is, taking actions whenever a vulnerability is discovered), select Search & Reporting. Otherwise, select Monitoring Console. If you are unsure of what to select, start with Search & Reporting, as it is more commonly used.
  8. For Host Method, select IP (the beSECURE server's IP address does not have a DNS record).
  9. In the Index section, create a new beSECURE index. This will allow you to easily search and find your beSECURE vulnerability information. Select Create a new Index, and then in the Index Name box, enter beSECURE.
  10. Select Create.
  11. In the Index list box, select beSECURE.
  12. Select Review.
  13. Select Submit.

Configuring beSECURE to send Syslog messages to Splunk

To enable Syslog Integration and send Syslog messages to Splunk, do the following:

  1. Log in to beSECURE.
  2. Select More > Server > Integration.
  3. Select Syslog Integration.
  4. On the Syslog Integration page, do the following:
    1. In the Hostname box, enter the IP address or DNS name of the Splunk server.
    2. In the Protocol box, select TCP.
    3. Select the Send Scan Start, Send Scan Completed, and Send Scan Results checkboxes.
    4. To also send audit logs (non-vulnerability events such as the creation, modification, deletion, and launching of scans) by way of Syslog messages, select the Audit Log checkbox.
  5. Select Modify.

Congratulations! Splunk and beSECURE are now integrated. Once a scan starts or completes, the event appears in Splunk under Search & Reporting (or under Monitoring Console, if you selected that App Context).

To locate the collected vulnerability information, filter on the index created above: index=beSECURE.
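Before the first real scan runs, it is worth confirming that the TCP input accepts a connection from the beSECURE host and that the event lands in index=beSECURE. The script below is an added example, not beSECURE's or Splunk's own code: it sends one constructed RFC 5424-style line over TCP exactly as a syslog client would, and includes a loopback stand-in for the collector so it can be run offline. The target host, port, and event text are assumptions; beSECURE's real message format is not documented on this page.

```python
import socket
import threading
from datetime import datetime, timezone

def build_syslog_line(message, host="besecure-scanner", app="beSECURE",
                      facility=1, severity=6):
    """Return an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP - - - MSG.
    Hostname, app name and message are constructed placeholders."""
    pri = facility * 8 + severity  # facility 1 = user, severity 6 = informational
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app} - - - {message}"

def send_syslog_tcp(host, port, line, timeout=5.0):
    """Send one newline-terminated syslog line over TCP (Splunk's TCP input
    splits events on the newline). Returns the number of bytes sent."""
    data = (line + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)

def capture_one_line(port=0):
    """Loopback stand-in for the Splunk TCP input: accepts one connection,
    reads until newline. Returns (bound_port, getter)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    received = []
    def run():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            received.append(buf.decode("utf-8"))
        srv.close()
    t = threading.Thread(target=run, daemon=True)
    t.start()
    def get():
        t.join(5.0)
        return received[0] if received else None
    return srv.getsockname()[1], get

if __name__ == "__main__":
    # Replace the loopback port with the Splunk host and the port chosen in step 4.
    port, get = capture_one_line()
    line = build_syslog_line("Scan Start: constructed test event")
    send_syslog_tcp("127.0.0.1", port, line)
    print("collector received:", get())
```

When pointed at the real Splunk server, run it from the beSECURE host, since the "Only accept connection from" setting rejects other source addresses; the event should then show up with index=beSECURE.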