Uploading audit logs to ArcSight SIEM
Create a trail to upload management event audit logs of resources in an individual folder to a Yandex Object Storage bucket with encryption enabled. Then configure continuous log delivery to ArcSight SIEM.
To complete the tutorial successfully, you must have an ArcSight instance installed.
The solution described in the tutorial follows the steps below:
- A trail uploads logs to an Object Storage bucket.
- The bucket is mounted via a FUSE interface to a folder on an intermediate VM.
- SmartConnector collects logs from the folder and delivers them to ArcSight for analysis.
For more information about the scripts for delivering audit logs to ArcSight, see the Yandex Cloud Security Solution Library.
To configure delivery of audit log files to ArcSight:
- Prepare your cloud.
- Prepare the environment.
- Assign roles to the service accounts.
- Create a trail.
- Mount the bucket.
- Connect ArcSight SmartConnector.
If you no longer need the resources you created, delete them.
Getting started
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
Sign up for Yandex Cloud and create a billing account:
- Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.
If you have an active billing account, you can go to the cloud page.
Learn more about clouds and folders.
Required paid resources
The infrastructure support cost includes:
- Fee for using VM instances (see Compute Cloud pricing).
- Fee for storing data in a bucket (see Object Storage pricing).
- Fee for operations with data (see Object Storage pricing).
- Fee for using KMS keys (see Key Management Service pricing).
Prepare the environment
Prepare an intermediate VM
You can use a VM that has access to an ArcSight instance or create a new one:
- Create a VM from a Linux image based on Ubuntu 20.04.
- Connect to the VM over SSH.
Create a bucket for audit logs
- In the management console, select the folder where you want to create a bucket, e.g., example-folder.
- Select Object Storage.
- Click Create bucket.
- On the bucket creation page:
  - Enter a name for the bucket according to the naming requirements.
  - Limit the maximum bucket size, if required. If the value is 0, the maximum size is not limited and is similar to the enabled No limit option.
  - Select the Restricted access type.
  - Select the default storage class.
  - Click Create bucket.
Create an encryption key in Key Management Service
- In the management console, go to example-folder.
- Select Key Management Service.
- Click Create key and specify:
  - Name: arcsight-kms.
  - Encryption algorithm: AES-256.
  - Leave the other parameters at their default settings.
- Click Create.
Enable bucket encryption
- In the management console, go to the bucket created earlier.
- In the left-hand panel, select Security.
- Open the Encryption tab.
- In the KMS Key field, select arcsight-kms.
- Click Save.
Create service accounts
You need to create two service accounts: one for the trail and one for the bucket.
Create a service account named sa-arcsight:
- In the management console, go to example-folder.
- In the list of services, select Identity and Access Management.
- Click Create service account.
- Enter a name for the service account according to the naming requirements:
  - The name must be from 3 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - The first character must be a letter and the last character cannot be a hyphen.
  For example, sa-arcsight.
- Click Create.
Similarly, create a service account named sa-arcsight-bucket.
Create a static key
You will need the key ID and secret key when mounting the bucket.
- In the management console, go to example-folder.
- In the list of services, select Identity and Access Management.
- In the left-hand panel, select Service accounts.
- Select the sa-arcsight-bucket service account from the list that opens.
- Click Create new key in the top panel.
- Select Create static access key.
- Enter a description for the key and click Create.
- Save the ID and secret key.
Alert
After you close the dialog, the key value will become unavailable.
Alternatively, using the YC CLI:
- Create an access key for the sa-arcsight-bucket service account:
  yc iam access-key create --service-account-name sa-arcsight-bucket
  Result:
  access_key:
    id: aje*******k2u
    service_account_id: aje*******usm
    created_at: "2022-09-22T14:37:51Z"
    key_id: 0n8*******0YQ
  secret: JyT*******zMP1
- Save the ID (key_id) and secret key (secret). You will not be able to get the key value again.
Assign roles to the service accounts
Assign the audit-trails.viewer, storage.uploader, and kms.keys.encrypterDecrypter roles to the sa-arcsight service account:
- audit-trails.viewer role for the folder:
  yc resource-manager folder add-access-binding \
    --role audit-trails.viewer \
    --id <folder_ID> \
    --service-account-id <service_account_ID>
  Where:
  - --role: Role being assigned.
  - --id: example-folder ID.
  - --service-account-id: sa-arcsight service account ID.
  For more information about the yc resource-manager folder add-access-binding command, see the CLI reference.
- storage.uploader role for the folder the bucket is in:
  yc resource-manager folder add-access-binding \
    --role storage.uploader \
    --id <folder_ID> \
    --service-account-id <service_account_ID>
  Where:
  - --role: Role being assigned.
  - --id: example-folder ID.
  - --service-account-id: sa-arcsight service account ID.
- kms.keys.encrypterDecrypter role for the arcsight-kms encryption key:
  yc kms symmetric-key add-access-binding \
    --role kms.keys.encrypterDecrypter \
    --id <key_ID> \
    --service-account-id <service_account_ID>
  Where:
  - --role: Role being assigned.
  - --id: ID of the arcsight-kms KMS key.
  - --service-account-id: sa-arcsight service account ID.
Assign the storage.viewer and kms.keys.encrypterDecrypter roles to the sa-arcsight-bucket service account:
- storage.viewer role for the folder:
  yc resource-manager folder add-access-binding \
    --id <folder_ID> \
    --role storage.viewer \
    --service-account-id <service_account_ID>
  Where:
  - --id: example-folder ID.
  - --role: Role being assigned.
  - --service-account-id: sa-arcsight-bucket service account ID.
- kms.keys.encrypterDecrypter role for the arcsight-kms encryption key:
  yc kms symmetric-key add-access-binding \
    --role kms.keys.encrypterDecrypter \
    --id <key_ID> \
    --service-account-id <service_account_ID>
  Where:
  - --role: Role being assigned.
  - --id: ID of the arcsight-kms KMS key.
  - --service-account-id: sa-arcsight-bucket service account ID.
Create a trail
- In the management console, go to example-folder.
- Select Audit Trails.
- Click Create trail and specify:
  - Name: Name of the trail you want to create, e.g., arcsight-trail.
  - Description: Trail description (optional).
- Under Destination, configure the destination object:
  - Destination: Object Storage.
  - Bucket: Bucket name.
  - Object prefix: Optional parameter used in the full name of the audit log file.
  Note
  Use a prefix to store audit logs and third-party data in the same bucket. Do not use the same prefix for logs and other bucket objects because that may cause logs and third-party objects to overwrite each other.
  - Encryption key: Specify the arcsight-kms encryption key used to encrypt the bucket.
- Under Service account, select sa-arcsight.
- Under Collecting management events, configure the collection of management event audit logs:
  - Collecting events: Select Enabled.
  - Resource: Select Folder.
  - Folder: Automatically populated field containing the name of the current folder.
- Under Collecting data events, select Disabled in the Collecting events field.
- Click Create.
Warning
The solution will delete the logs from the bucket after they are exported to ArcSight. If you need to keep the logs in the bucket, create a separate bucket and trail.
Mount a bucket
A bucket is mounted on an intermediate VM where ArcSight SmartConnector is installed.
To mount the bucket, create a file with the static access key of the sa-arcsight-bucket service account.
- On the intermediate VM, create a file with the static access key:
  echo <access_key_ID>:<secret_access_key> > ${HOME}/.passwd-s3fs
  chmod 600 ${HOME}/.passwd-s3fs
- Install s3fs:
  sudo apt install s3fs
- Create a directory to mount the bucket to, e.g., mybucket in your home directory:
  sudo mkdir ${HOME}/mybucket
- Mount the bucket:
  s3fs <bucket_name> ${HOME}/mybucket -o passwd_file=${HOME}/.passwd-s3fs -o url=https://storage.yandexcloud.net -o use_path_request_style
- Check that the bucket was mounted:
  ls ${HOME}/mybucket
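The credentials-file and mount-check steps above, as an added example that is not part of the tutorial: the key is read from stdin rather than typed on a command line (so the secret does not land in shell history), the file is created under a restrictive umask instead of being chmod-ed afterwards, and the mount is verified against /proc/mounts, since ls also succeeds on an empty, unmounted directory. The function names and the optional mounts-file parameter are assumptions; GNU stat (as on Ubuntu 20.04) is assumed.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud tutorial. Assumes GNU stat.

# write_s3fs_passwd FILE
# Reads "key_id:secret" from stdin and writes FILE with mode 0600.
# Creating the file under umask 077 (and removing any stale copy first)
# avoids the window in which "echo ... > file; chmod 600 file" leaves the
# secret readable by other users of the VM.
write_s3fs_passwd() {
    file=$1
    IFS= read -r cred || return 1
    case $cred in
        *:*) ;;
        *) echo "expected key_id:secret on stdin" >&2; return 1 ;;
    esac
    ( umask 077 && rm -f "$file" && printf '%s\n' "$cred" > "$file" ) || return 1
    unset cred
}

# passwd_file_mode FILE
# Prints the octal mode; s3fs rejects a passwd file that other users can read.
passwd_file_mode() {
    stat -c '%a' "$1"
}

# is_s3fs_mounted MOUNTPOINT [MOUNTS_FILE]
# Returns 0 only if MOUNTPOINT is listed as a fuse.s3fs mount. MOUNTS_FILE
# defaults to /proc/mounts; another path may be given so the check can be
# exercised against constructed input.
is_s3fs_mounted() {
    awk -v mp="$1" '
        $2 == mp && $3 == "fuse.s3fs" { found = 1 }
        END { exit !found }
    ' "${2:-/proc/mounts}"
}
```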
Install and configure ArcSight SmartConnector
Note
To complete this stage of the tutorial, you need an ArcSight SmartConnector distribution and access to an ArcSight instance.
- On the intermediate VM, install ArcSight SmartConnector:
  - When installing it, select ArcSight FlexConnector JSON Folder Follower and specify the path to the mybucket folder.
  - Specify the JSON configuration filename prefix: yc.
- Download the arcsight_content files.
- Copy the yc.jsonparser.properties file from the flex folder to <agent_installation_folder>/current/user/agent/flexagent.
- Copy the map.0.properties file from the flex folder to <agent_installation_folder>/current/user/agent/map.
- Edit the <agent_installation_folder>/current/user/agent.properties file:
  agents[0].mode=DeleteFile
  agents[0].proccessfoldersrecursively=true
- Start the connector and make sure that events are received by ArcSight.
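One way to apply the agent.properties settings above repeatably, as an added example that is neither from the tutorial nor from ArcSight: the keys contain `[` and `.`, which are regex metacharacters, so they are compared as literal strings and an existing line is replaced rather than duplicated on a re-run. It assumes key=value lines with no whitespace around the equals sign; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the Yandex Cloud tutorial or of ArcSight.

# set_prop FILE KEY VALUE
# Replaces the value of KEY if the key is present, otherwise appends KEY=VALUE.
# Keys are matched by string equality on the text before the first "=", so
# names such as agents[0].mode need no escaping.
set_prop() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { FS = "="; OFS = "=" }
        $1 == k { print k, v; seen = 1; next }
        { print }
        END { if (!seen) print k, v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_prop FILE KEY
# Prints the value of KEY (everything after the first "="), or nothing if absent.
get_prop() {
    awk -v k="$2" 'BEGIN { FS = "=" } $1 == k { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

# configure_folder_follower FILE
# Applies the two settings the tutorial requires: DeleteFile mode, which
# removes each log object from the mounted bucket once the connector has
# read it (see the warning under "Create a trail"), and recursive folder
# processing so files under subfolders of the mount point are picked up.
configure_folder_follower() {
    set_prop "$1" 'agents[0].mode' 'DeleteFile' &&
    set_prop "$1" 'agents[0].proccessfoldersrecursively' 'true'
}
```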
How to delete the resources you created
Some resources are not free of charge. To avoid paying for them, delete the resources you no longer need: