docs/CEF variable detail
* Update CEF source doc (and CEF device docs) with note that CEF variables should be set only once for the _entire_ deployment.
Mark Bonsack committed Jan 24, 2020
1 parent 71a8862 commit 362c3be
Showing 4 changed files with 30 additions and 1 deletion.
8 changes: 8 additions & 0 deletions docs/sources/Arcsight/index.md
Expand Up @@ -37,6 +37,10 @@ MSG Parse: This filter parses message content
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |
| SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Deprecated equivalent of above variable. This is included for backward compatibility and will be removed in a future version. _Do not use_ in new installations. |

* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
many ports are in use by this CEF source (or any others). See the "Common Event Format" source
documentation for more information.

### Verification

An active site will generate frequent events use the following search to check for new events
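Review bot: the new NOTE contradicts the table row two lines above it, which still describes `SC4S_LISTEN_CEF_TCP_PORT` as "Enable a TCP port for this specific vendor product"; an operator working from the table will set a port per product, which is exactly what the note says not to do. Reword the row to match, e.g. "Enable a TCP port shared by all CEF sources (set once per deployment)". The pointer 'See the "Common Event Format" source documentation' is also unlinked; since `docs/sources/CommonEventFormat/index.md` is edited in this same commit, a relative link to it would make the cross-reference navigable. Minor: the unchanged verification sentence "generate frequent events use the following search" is missing a separator between the two clauses.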
Expand Down Expand Up @@ -90,6 +94,10 @@ MSG Parse: This filter parses message content
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |
| SC4S_WWW_XXX_MICROFOCUS_ARCSIGHT_YYY_ZZZ | no | Deprecated equivalents of the above variables. These are included for backward compatibility, and will be removed in a future version. _Do not use_ in new installations. |

* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
many ports are in use by this CEF source (or any others). See the "Common Event Format" source
documentation for more information.

### Verification

An active site will generate frequent events use the following search to check for new events
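Review bot: this is the second verbatim copy of the four-line NOTE in this file, and the same paragraph is pasted into CyberArk and Imperva as well (six copies across the commit); the wording will drift the first time one copy is edited, so keep one note per file or a single shared snippet and reference it. The wording also fits this table poorly: the rows here are `SC4S_ARCHIVE_CEF` and `SC4S_DEST_CEF_HEC`, not listener ports, so "regardless of how many ports are in use" reads as if only the port variable is meant. A generic form such as "Set the CEF variables (port, archive, HEC destination) only once for the entire deployment" covers both tables.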
11 changes: 10 additions & 1 deletion docs/sources/CommonEventFormat/index.md
Expand Up @@ -6,7 +6,16 @@ Each CEF product should have their own source entry in this documentation set.
from normal configuration, all CEF products should use the "CEF" version of the unique port and
archive envrionmetn variable settings (rather than a unique one per product), as the CEF log path
handles all products sending events to SC4S in the CEF format. Examples of this include Arcsight,
Imperva, and Cyberark.
Imperva, and Cyberark. Therefore, the CEF environment varialbes for unique port, archive, etc.
should be set only _once_.

If your deployment has multiple CEF devices that send to more than one port,
set the CEF unique port variable(s) to just one of the ports in use. Then, map the others with
container networking to the port chosen. Example: If you have three CEF devices, sending on TCP
ports 2000,2001, and 2002, set `SC4S_LISTEN_CEF_TCP_PORT=2000`. Then, map the other two with
container networking, e.g. `-p 2000:2000 -p 2001:2000 -p 2002:2000`. This will route all
three ports to TCP port 2000 inside the container, and the single CEF log path will properly
process data from all three devices.

The source documentation included below is a reference baseline for any product that sends data
using the CEF log path.
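Review bot: typo on the added line, "varialbes" should be "variables", and the unchanged context line just above it has "envrionmetn" for "environment"; fix both while touching this paragraph. The port-mapping example is correct as written (`-p` takes `host:container`, so `-p 2001:2000 -p 2002:2000` forwards host ports 2001 and 2002 to container port 2000), but it is worth a sentence that a bare `-p` publishes on all host interfaces by default; a collector with a management interface that should not accept syslog should bind the published port to the ingest address explicitly (`-p <ingest-ip>:2001:2000`). Product naming is inconsistent within the paragraph ("Arcsight" here, while the variable names use MICROFOCUS_ARCSIGHT); pick one spelling of the vendor name.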
8 changes: 8 additions & 0 deletions docs/sources/CyberArk/index.md
Expand Up @@ -30,6 +30,10 @@ MSG Parse: This filter parses message content
|----------------|----------------|----------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |

* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
many ports are in use by this CEF source (or any others). See the "Common Event Format" source
documentation for more information.

### Verification

An active site will generate frequent events use the following search to check for new events
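Review bot: same conflict as in the Arcsight table: the row immediately above the new NOTE still says `SC4S_LISTEN_CEF_TCP_PORT` enables "a TCP port for this specific vendor product", while the note says to set the CEF variables once for the whole deployment. Change the row description so the table and the note agree, otherwise a CyberArk-only reader will define a second CEF port and collide with whatever the Arcsight or Imperva deployment already set.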
Expand Down Expand Up @@ -70,6 +74,10 @@ MSG Parse: This filter parses message content
|----------------|----------------|----------------|
| SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined |

* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
many ports are in use by this CEF source (or any others). See the "Common Event Format" source
documentation for more information.

### Verification

An active site will generate frequent events use the following search to check for new events
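Review bot: this file now carries two identical `SC4S_LISTEN_CEF_TCP_PORT` tables with two identical NOTEs about forty lines apart (`@@ -30` and `@@ -70`); the hunks do not show what distinguishes the two sections, but if both describe the same listener there is no reason to state the variable (and the once-per-deployment rule) twice. Either collapse them into one table or make the second section reference the first, so the rule is stated in one place.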
4 changes: 4 additions & 0 deletions docs/sources/Imperva/index.md
Expand Up @@ -42,6 +42,10 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as
| SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source |
| SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source |

* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how
many ports are in use by this CEF source (or any others). See the "Common Event Format" source
documentation for more information.

### Verification

An active site will generate frequent events use the following search to check for new events
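Review bot: the unchanged hunk-header context reads "utilizes the Microsoft ArcSight log path"; the product is Micro Focus ArcSight (the variables in the Arcsight doc are named `SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT` and `..._MICROFOCUS_ARCSIGHT_...`), and the sentence "Note listed for reference processing utilizes" is missing words. Since this commit already edits the surrounding lines, fix the vendor name and the sentence here. The added NOTE is otherwise consistent with this table, which lists only `SC4S_ARCHIVE_CEF` and `SC4S_DEST_CEF_HEC`.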