G DATA Business Solutions: Security Information and Event Management
SIEM (Security Information and Event Management) is a security management system that manages data from various sources.
It provides a comprehensive and centralized overview of the current security situation of an IT infrastructure. To this end, the SIEM system collects and categorizes machine data from various sources. This data is analyzed and anomalous behavior in the IT infrastructure is detected; the analysis can run in real time.
To connect your G DATA security solution to your existing SIEM system, it is necessary to configure your ManagementServer, Telegraf and your SIEM system.
G DATA Management Server configuration
First of all, SIEM output must be turned on in the G DATA Management Server. This is also where you define the format (CEF or ECS) in which events are transferred to your SIEM system. The default format is CEF.
Carry out the following steps:
1. Open the MMS configuration file C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\config.xml
2. Scroll to the bottom.
3. Edit the Siem group or add it if it does not exist.
Example
4. Restart the G DATA Management Server service.
Incoming configuration of Telegraf as of version 15.2.x
Telegraf is a program for collecting, processing, summarizing and creating metrics. This guide describes how to configure Telegraf (inbound) to receive security logs from G DATA Management Server.
For CEF output, the preconfigured file is already located in the directory C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf
If you have decided to use the ECS format, these instructions must be adapted accordingly. The Telegraf.conf prepared for ECS can be found at the following path: C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegrafSplunkEcs.conf
Incoming configuration of Telegraf version 15.1.x
Telegraf is a program for collecting, processing, summarizing and creating metrics. This guide describes how to configure Telegraf (inbound) to receive security logs from G DATA Management Server.
1. Download the zip archive from this download link: Unzip the zip archive. Replace the existing GData.Business.Server.Siem.dll file in the directory C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\ with the new file from the downloaded zip archive.
2. Download the Telegraf.conf file prepared for CEF format from the following link: https://share.gdata.de/index.php/s/BrCfZq8dtN2SjqZ. Extract the zip archive to the directory C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf
Outgoing configuration of Telegraf (Output)
Telegraf is a program for collecting, processing, summarizing and creating metrics. This guide describes how to configure Telegraf (outbound) to output security logs to your SIEM server.
Please select the required output format using the links below.
Create Telegraf service
Once both the inbound and outbound sections of telegraf.conf are configured, a new service must be created.
You can use PowerShell to display the active Telegraf service. To do this, open Windows PowerShell and enter the following command:
get-Service -Name telegraf-gdmms
If the service exists, you get output with the service name, display name, and status.
- Change to the Telegraf directory:
cd C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf
- Remove the default Telegraf service:
telegraf.exe --service uninstall --service-name telegraf-gdmms --service-display-name "Telegraf (Gdmms)"
- Create a new Telegraf service using the customized telegraf.conf:
telegraf.exe --service install --service-name telegraf-gdmms --service-display-name "Telegraf (Gdmms)" --config "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegraf.conf"
- Restart the G DATA Management Server and the Telegraf (Gdmms) service once.
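The service re-creation steps above, collected into one PowerShell script as an added example (not part of the G DATA documentation): it checks that the customized telegraf.conf exists, only uninstalls the service if it is actually present, and fails on a non-zero exit code. Service and display names and paths are those given above; the Management Server service name in $MmsServiceName is an assumption and must be replaced with the real name from Get-Service.

```powershell
# Added example, not G DATA's own script. Re-creates the telegraf-gdmms service
# bound to the customized telegraf.conf and verifies each step.
$TelegrafDir    = 'C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf'
$ConfigPath     = Join-Path $TelegrafDir 'telegraf.conf'
$ServiceName    = 'telegraf-gdmms'
$DisplayName    = 'Telegraf (Gdmms)'
$MmsServiceName = 'MMS-SERVICE-NAME-PLACEHOLDER'   # assumption: set to the real Management Server service name

# The install step needs a fully configured telegraf.conf (inbound and outbound)
if (-not (Test-Path -Path $ConfigPath)) {
    throw "telegraf.conf not found at $ConfigPath; configure inbound and outbound sections first."
}

Set-Location -Path $TelegrafDir

# Get-Service errors on unknown names, so probe quietly and only uninstall if present
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force
    }
    & .\telegraf.exe --service uninstall --service-name $ServiceName --service-display-name $DisplayName
    if ($LASTEXITCODE -ne 0) { throw "Service uninstall failed with exit code $LASTEXITCODE" }
}

# Install the service using the customized configuration file
& .\telegraf.exe --service install --service-name $ServiceName --service-display-name $DisplayName --config $ConfigPath
if ($LASTEXITCODE -ne 0) { throw "Service install failed with exit code $LASTEXITCODE" }

# Restart the Management Server once, start the new Telegraf service, and show both states
Restart-Service -Name $MmsServiceName
Start-Service -Name $ServiceName
Get-Service -Name $MmsServiceName, $ServiceName | Format-Table Name, DisplayName, Status
```

Run it from an elevated PowerShell session, since service installation and restarting the Management Server require administrator rights.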