From 362c3bee3ed06e2755a3a37e0b25b8f713ce72c3 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Fri, 24 Jan 2020 07:59:20 -0800 Subject: [PATCH] docs/CEF variable detail * Update CEF source doc (and CEF device docs) with note that CEF variables should be set only once for the _entire_ deployment. --- docs/sources/Arcsight/index.md | 8 ++++++++ docs/sources/CommonEventFormat/index.md | 11 ++++++++++- docs/sources/CyberArk/index.md | 8 ++++++++ docs/sources/Imperva/index.md | 4 ++++ 4 files changed, 30 insertions(+), 1 deletion(-) diff --git a/docs/sources/Arcsight/index.md b/docs/sources/Arcsight/index.md index 15b6dda..6724e31 100644 --- a/docs/sources/Arcsight/index.md +++ b/docs/sources/Arcsight/index.md @@ -37,6 +37,10 @@ MSG Parse: This filter parses message content | SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | | SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT | empty string | Deprecated equivalent of above variable. This is included for backward compatibility and will be removed in a future version. _Do not use_ in new installations. | +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + ### Verification An active site will generate frequent events use the following search to check for new events 
@@ -90,6 +94,10 @@ MSG Parse: This filter parses message content | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | | SC4S_WWW_XXX_MICROFOCUS_ARCSIGHT_YYY_ZZZ | no | Deprecated equivalents of the above variables. These are included for backward compatibility, and will be removed in a future version. _Do not use_ in new installations. | +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + ### Verification An active site will generate frequent events use the following search to check for new events diff --git a/docs/sources/CommonEventFormat/index.md b/docs/sources/CommonEventFormat/index.md index d98e78b..b88b329 100644 --- a/docs/sources/CommonEventFormat/index.md +++ b/docs/sources/CommonEventFormat/index.md 
@@ -6,7 +6,16 @@ Each CEF product should have their own source entry in this documentation set. from normal configuration, all CEF products should use the "CEF" version of the unique port and archive envrionmetn variable settings (rather than a unique one per product), as the CEF log path handles all products sending events to SC4S in the CEF format. Examples of this include Arcsight, -Imperva, and Cyberark. +Imperva, and Cyberark. Therefore, the CEF environment varialbes for unique port, archive, etc. +should be set only _once_. + +If your deployment has multiple CEF devices that send to more than one port, +set the CEF unique port variable(s) to just one of the ports in use. Then, map the others with +container networking to the port chosen. Example: If you have three CEF devices, sending on TCP +ports 2000,2001, and 2002, set `SC4S_LISTEN_CEF_TCP_PORT=2000`. Then, map the other two with +container networking, e.g. `-p 2000:2000 -p 2001:2000 -p 2002:2000`. This will route all +three ports to TCP port 2000 inside the container, and the single CEF log path will properly +process data from all three devices. The source documentation included below is a reference baseline for any product that sends data using the CEF log path. diff --git a/docs/sources/CyberArk/index.md b/docs/sources/CyberArk/index.md index 1a113ea..40aee14 100644 --- a/docs/sources/CyberArk/index.md +++ b/docs/sources/CyberArk/index.md 
@@ -30,6 +30,10 @@ MSG Parse: This filter parses message content |----------------|----------------|----------------| | SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + ### Verification An active site will generate frequent events use the following search to check for new events @@ -70,6 +74,10 @@ MSG Parse: This filter parses message content |----------------|----------------|----------------| | SC4S_LISTEN_CEF_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using the number defined | +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + ### Verification An active site will generate frequent events use the following search to check for new events diff --git a/docs/sources/Imperva/index.md b/docs/sources/Imperva/index.md index ad0e0e9..1ba0667 100644 --- a/docs/sources/Imperva/index.md +++ b/docs/sources/Imperva/index.md @@ -42,6 +42,10 @@ Note listed for reference processing utilizes the Microsoft ArcSight log path as | SC4S_ARCHIVE_CEF | no | Enable archive to disk for this specific source | | SC4S_DEST_CEF_HEC | no | When Splunk HEC is disabled globally set to yes to enable this specific source | +* NOTE: Set only _one_ set of CEF variables for the entire SC4S deployment, regardless of how +many ports are in use by this CEF source (or any others). See the "Common Event Format" source +documentation for more information. + ### Verification An active site will generate frequent events use the following search to check for new events
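Review bot: In the first Arcsight hunk (@@ -37,6 +37,10 @@) the new `* NOTE:` bullet is placed directly under the last table row (the `SC4S_LISTEN_MICROFOCUS_ARCSIGHT_TCP_PORT` line) with no blank line between them; many Markdown renderers will then treat the bullet as a continuation of the table, or not start a list at all. Insert a blank line before `* NOTE:` (the blank line after the note is already there). The same spacing problem is present in every other copy of this note in the patch, so fix it in all six places.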
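Review bot: In the second Arcsight hunk (@@ -90,6 +94,10 @@), and in the other copies, the note refers the reader to the "Common Event Format" source documentation by name only. These are Markdown pages under `docs/sources/`, so a relative link such as `[Common Event Format](../CommonEventFormat/index.md)` would make the cross-reference navigable and survive a page-title change. Since this hunk sits right under the deprecated `SC4S_WWW_XXX_MICROFOCUS_ARCSIGHT_YYY_ZZZ` row, it would also help to say that "one set of CEF variables" means the `SC4S_*_CEF_*` names, not the deprecated vendor-specific ones, so nobody reads the note as permitting a mix of both. Finally, the same three-line note is now duplicated in four files; if the documentation tooling supports includes, a single source for the text would keep the copies from drifting.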
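Review bot: The CommonEventFormat hunk (@@ -6,7 +6,16 @@) introduces a typo in the added line `the CEF environment varialbes for unique port, archive, etc.`; change `varialbes` to `variables`, and since the unchanged line just above already carries `envrionmetn`, correcting it to `environment` in the same commit is cheap. In the port-mapping example, `2000,2001, and 2002` needs a space after the first comma, and the text should say which tool the `-p 2000:2000 -p 2001:2000 -p 2002:2000` flags belong to (they read as `docker run` / `podman run` host:container publish flags), because readers running SC4S under a different orchestrator will need the equivalent mapping. One caveat is worth a sentence: once the three host ports are all routed to TCP port 2000 inside the container, SC4S can no longer distinguish the three devices by listening port, so any per-device restriction on which hosts may send to which port has to be enforced at the host firewall rather than inside the container.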
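Review bot: The CyberArk file receives the note twice (@@ -30,6 +30,10 @@ and @@ -70,6 +74,10 @@), each time under an identical table containing only the `SC4S_LISTEN_CEF_TCP_PORT` row and followed by an identical "### Verification" section. If the page genuinely documents two separate sections with the same variable table, both copies are needed; if the second table is a leftover duplicate, this change cements it. Please confirm which it is before merging.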
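Review bot: In the Imperva hunk (@@ -42,6 +42,10 @@) the unchanged context line reads `the Microsoft ArcSight log path`; ArcSight is a Micro Focus product (the variable names elsewhere in this same patch use `MICROFOCUS_ARCSIGHT`), so correct the vendor name while touching the file. Also, the note talks about "how many ports are in use by this CEF source", but the rows directly above it are `SC4S_ARCHIVE_CEF` and `SC4S_DEST_CEF_HEC`, not the port variable; if the `SC4S_LISTEN_CEF_TCP_PORT` row lives in an earlier table in this file, the note would be better placed beside that table, where the port setting it warns about actually appears.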