This guide describes how to integrate beSECURE and Logpoint using the Syslog data exchange method. This method requires you to configure Logpoint to accept incoming Syslog connections from beSECURE, and configure beSECURE to send Syslog information to Logpoint once a scan is complete.
Configuring Logpoint to integrate with beSECURE
To integrate Logpoint with beSECURE, do the following:
- Log in to Logpoint.
Note: If this is the first time you are logging in, the default credentials are admin / changeme.
- Select Settings.
- Select Repos.
- Select Add.
- On the ADD REPO dialog, do the following:
- In the Repo Name box, enter beSECURE_Report.
- In the Retention box, select the number of days you want to keep records. It is recommended that this value be no less than twice the number of days between consecutive scans. For example, if you run weekly scans, set the value to 15, or if you run monthly scans, set the value to 62. By keeping a record of at least two scans, you can perform a comparison and time analysis on the results.
- Select Submit.
- Select Log Collection Policies.
- Select Add.
- On the CREATE LOG COLLECTION POLICY dialog, enter beSECURE_Collection in the Name box.
- Select Save.
- On the CONFIRMATION dialog, select Yes.
- Select Syslog Collector.
- On the SYSLOG COLLECTOR dialog, do the following:
- In the Parser box, select SyslogParser.
- In the Processing Policy box, select default.
- In the Charset box, select utf_8.
- Select Submit.
- On the AVAILABLE COLLECTORS FETCHERS dialog, the beSECURE_Collection fetcher will be listed.
- You must create a Normalizing Policy to convert the Syslog line into meaningful and searchable data inside Logpoint. To create a policy, do the following:
- Select Settings > Knowledge Base > Normalization Packages.
- Select Add.
- On the NORMALIZATION PACKAGE dialog, do the following:
- In the Name box, enter beSECURE.
- In the Description box, enter Process incoming beSECURE Syslog entries.
- Select Submit.
- Select Signatures.
- Select Add.
- In the Pattern box, enter the following:
<id:int> <source_ts:datetime_m> beSECURE beSECURE <process_id:int> - - TestID=<TestID:all> VulnerabilityName=<VulnerabilityName:all> RiskNo=<RiskFactorValue:all> RiskText=<RiskFactorName:all> AffectedHost=<AffectedHost:all> AffectedPort=<AffectedPort:all> AffectedProtocol=<AffectedProtocol:all> CVE=<CVE:all> CVSSScore=<CVSSScore:all>
- In the Example box, enter the following:
<46>1 2017-11-02T00:06:16+01:00 beSECURE beSECURE 6706 - - TestID=<!-- #TestID# --> VulnerabilityName=<!-- #VulnerabilityName# --> RiskNo=<!-- #RiskFactorValue# --> RiskText=<!-- #RiskFactorName# --> AffectedHost=<!-- #AffectedHost# --> AffectedPort=<!-- #AffectedPort# --> AffectedProtocol=<!-- #AffectedProto# --> CVE=<!-- #CVE# --> CVSSScore=<!-- #CVSSScore# -->
- Add a Key Value named norm_id with the value beSECURE.
- Add another Key Value named label with the value Vulnerability.
- Test the pattern and verify the response.
- Select Submit.
- Add another pattern with the same norm_id Key Value, but without the label of Vulnerability:
<id:int> <source_ts:datetime_m> beSECURE beSECURE <process_id:int> - - Scan <job_name:all> <state:started|completed>
- Enter this as an example:
<46>1 2017-11-01T17:24:34+01:00 beSECURE beSECURE 23460 - - Scan test completed.
- Select Check Pattern to verify the pattern.
- Select Save.
- Select Submit.
- Select Configuration.
- You must create a Processing Policy so that the beSECURE data becomes searchable in Logpoint. To create a policy, do the following:
- Select Processing Policy.
- Create a new policy and name it beSECURE_Processing.
- In the Normalizing Policy box, select beSECURE.
- In the Enrichment Policy box, select None.
- In the Routing Policy box, select default.
- Select Submit.
- On the Log Collection Policy page, select beSECURE_Collection, and then click on the Sign.
- Select the Syslog section, and then change the Processing Policy to beSECURE_Processing.
- By default, Logpoint does not allow incoming Syslog connections unless the device has been configured. You will need to allow beSECURE to connect to Logpoint. To allow Syslog connections, do the following:
- Select Devices.
- Select Add.
- In the Name box, enter beSECURE.
- Enter the IP address of your beSECURE server.
- In the Device Group box, select Linux.
- In the Log Collection Policy box, select beSECURE_Collection.
- Select Submit.
Configuring beSECURE to integrate with Logpoint
To integrate beSECURE with Logpoint, do the following:
- Log in to beSECURE.
- Select More > Server > Integration.
- Select Logpoint.
- Enter your Logpoint Hostname and Port in the boxes provided.
- In the Send Scan Start box, enter the following:
Scan <!-- #Name# --> started
- In the Send Scan Completed box, enter the following:
Scan <!-- #Name# --> completed
- In the Send Scan Results box, enter the following:
TestID=<!-- #TestID# --> VulnerabilityName=<!-- #VulnerabilityName# --> RiskNo=<!-- #RiskFactorValue# --> RiskText=<!-- #RiskFactorName# --> AffectedHost=<!-- #AffectedHost# --> AffectedPort=<!-- #AffectedPort# --> AffectedProtocol=<!-- #AffectedProto# --> CVE=<!-- #CVE# --> CVSSScore=<!-- #CVSSScore# -->
- Select Save. The Syslog entries will appear in Logpoint as soon as a scan completes. Search with norm_id="beSECURE" to find the normalized entries; add label="Vulnerability" to restrict the search to individual findings rather than scan start/completion messages.
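The following Python script is an added example (not beSECURE or Logpoint code) that lets you check the two message shapes offline before touching the Logpoint signatures: it mirrors the vulnerability-result pattern and the scan start/completed pattern from the Normalization Package steps, and the Send Scan Results template from the beSECURE steps. The regular expressions are an approximation of Logpoint's <name:type> syntax, the sample lines are constructed, and the function names are the script's own. Two details it makes visible: VulnerabilityName normally contains spaces, so each value has to run up to the next key rather than the next space, and CVE is often empty, which the pattern must still accept.

```python
import re
from typing import Optional

# RFC 5424-style header as it appears in the guide's Example box:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Hostname and app-name are both "beSECURE"; MSGID and structured data are "-".
HEADER_RE = re.compile(
    r"^<(?P<id>\d+)>1 (?P<source_ts>\S+) beSECURE beSECURE "
    r"(?P<process_id>\d+) - - (?P<msg>.*)$"
)

# (syslog key, Logpoint field name) pairs in the order the
# Send Scan Results template emits them.
RESULT_FIELDS = [
    ("TestID", "TestID"),
    ("VulnerabilityName", "VulnerabilityName"),
    ("RiskNo", "RiskFactorValue"),
    ("RiskText", "RiskFactorName"),
    ("AffectedHost", "AffectedHost"),
    ("AffectedPort", "AffectedPort"),
    ("AffectedProtocol", "AffectedProtocol"),
    ("CVE", "CVE"),
    ("CVSSScore", "CVSSScore"),
]

# Each value is captured lazily up to the next key (the analogue of
# <field:all>), so names with spaces survive and an empty CVE still matches.
RESULT_RE = re.compile(
    " ".join(f"{key}=(?P<{field}>.*?)" for key, field in RESULT_FIELDS) + r"$"
)

# Second signature: "Scan <job_name> started|completed". A trailing period is
# tolerated because the guide's example line carries one.
SCAN_RE = re.compile(r"^Scan (?P<job_name>.+?) (?P<state>started|completed)\.?$")


def parse_besecure_syslog(line: str) -> Optional[dict]:
    """Return the fields the two signatures would extract, with the norm_id and
    label Key Values applied; None means the line would stay unnormalized."""
    head = HEADER_RE.match(line.strip())
    if head is None:
        return None
    fields = {
        "id": int(head["id"]),
        "source_ts": head["source_ts"],
        "process_id": int(head["process_id"]),
        "norm_id": "beSECURE",          # Key Value shared by both signatures
    }
    msg = head["msg"]
    result = RESULT_RE.match(msg)
    if result:
        fields.update(result.groupdict())
        fields["label"] = "Vulnerability"   # only the result signature sets it
        return fields
    scan = SCAN_RE.match(msg)
    if scan:
        fields.update(scan.groupdict())
        return fields
    return None


def format_result_message(**values: str) -> str:
    """Render the Send Scan Results template with the given placeholder values
    (hypothetical helper) so parsing can be checked round-trip."""
    return " ".join(f"{key}={values.get(key, '')}" for key, _ in RESULT_FIELDS)


# Constructed sample lines (not real scan output) in the format the guide shows.
SAMPLE_RESULT = (
    "<46>1 2017-11-02T00:06:16+01:00 beSECURE beSECURE 6706 - - "
    "TestID=12345 VulnerabilityName=Example banner disclosure RiskNo=1 "
    "RiskText=Low AffectedHost=192.0.2.10 AffectedPort=80 "
    "AffectedProtocol=tcp CVE= CVSSScore=0.0"
)
SAMPLE_SCAN = (
    "<46>1 2017-11-01T17:24:34+01:00 beSECURE beSECURE 23460 - - Scan test completed."
)
# A line from some other source: matches neither signature.
SAMPLE_OTHER = "<46>1 2017-11-01T17:24:34+01:00 otherhost sshd 1 - - Accepted publickey"

if __name__ == "__main__":
    for line in (SAMPLE_RESULT, SAMPLE_SCAN, SAMPLE_OTHER):
        print(parse_besecure_syslog(line))
```

Run it once with your own copies of the lines beSECURE sends; if a line comes back as None here, it will not normalize in Logpoint either, and the template in the Send Scan Results box or the Pattern box is what needs adjusting.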