Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Configuring Imperva SecureSphere V11.0 to Send Database Audit Records to JSA

 

To send database audit records from Imperva SecureSphere V11.0 to JSA, create a custom action set, add an action interface, and then configure an audit policy.

  1. Create a custom action set:
    1. Log in to your Imperva SecureSphere system.

    2. In the Main workspace, select Policies >Action Sets.

    3. In the Action Sets pane, click the green plus sign icon.

    4. In the Action Set text box, type a name for the action set. For example, JSA.

    5. From the Apply to event type list, select Audit.

    6. Click Create.

  2. Add the action interface that you want to be part of the action set to the Selected Actions pane:
    1. Click the green up arrow icon, and then select Gateway System Log >log audit event to System Log (Gateway System Log).

    2. Configure the following action interface parameters:

      Parameter

      Value

      Name

      Type the name that you created for the action set. For example, JSA.

      Protocol

      Select UDP.

      Host

      Type the IP address or the host name of the JSA appliance for which you want to send events.

      Port

      514

      Syslog Log Level

      Info

      Facility

      syslog

      Message

      Note: The line breaks in the code example might cause this configuration to fail. For each alert, copy the code block below into a text editor, remove the line breaks, and paste as a single line in the Message field.

      LEEF:1.0|Imperva|Secure Sphere|${SecureSphereVersion}| ${Alert.alertType}${Alert.immediate Action}|Alert ID=${Alert.dn}|devTime Format=devTimeFormat=yyyy-MM-dd HH:mm:ss.S|devTime=${Alert.createTime} |Alert type=${Alert.alertType}|src=$ {Alert.sourceIp}|usrName=${Event. struct.user.user}|Application name= ${Alert.applicationName}|dst=${Event. destInfo.serverIp}|Alert Description= ${Alert.description}|Severity=${Alert. severity}|Immediate Action=${Alert. immediateAction}|SecureSphere Version=$ {SecureSphereVersion}

    1. Select the Run on Every Event check box.

  3. Configure an audit policy for the events that you want to send to JSA:
    1. In the Main workspace, click Policies >Audit.

    2. Click Create DB Service.

    3. Type a name for the policy.

    4. Select Use Existing, and then select a policy from the list.

    5. Click the Match Criteria tab, and then enter the criteria for the policy.

    6. Click the Apply To tab, and then select the server group.

    7. Click the External Logger tab.

    8. From the Syslog list, select the JSA that you configured.

    9. If you select a pre-defined policy from the Syslog list, configure the Apply to and External Logger fields.

    10. Click Save.

You must define an audit policy or configure a pre-defined policy for each type of audit event that you want to send to JSA.