
Configuring a System Event Action for Imperva SecureSphere

 

Configure your Imperva SecureSphere appliance to forward syslog system policy events to JSA.

Use the following list to define a message string in the Message field for each event type you want to forward:

Note

The line breaks in the code examples might cause this configuration to fail. For each alert, copy the code blocks into a text editor, remove the line breaks, and paste as a single line in the Custom Format column.

  • System events (v9.5 and v10 to v13):

  • Database audit records (v9.5 and v10 to v13):

  • All alerts (v6.2 and v7.x to v13 Release Enterprise Edition):

Note

The devTimeFormat parameter does not include a value because you can configure the time format on the SecureSphere appliance. Review the time format of your SecureSphere appliance and specify the appropriate time format.
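The two notes above (remove the line breaks, and give devTimeFormat a value) can be checked before pasting. The following helper is an added example, not part of the original documentation or of any vendor tooling. The sample template, its `|` field separator, and the time format passed in are constructed assumptions; use the message string for your event type and the time format configured on your appliance.

```python
import re

# Constructed sample, NOT the vendor's message string: a '|'-separated
# key=value template that was wrapped across lines when it was copied.
SAMPLE_WRAPPED = (
    "DeviceType=ExampleDevice|et=${example.type}|\r\n"
    "devTimeFormat=|devTime=${example.time}|\n"
    "msg=${example.message}"
)

# Assumption: fields are separated by '|', so a value runs up to the next '|'.
DEV_TIME_FORMAT = re.compile(r"(?<![A-Za-z])devTimeFormat=([^|]*)")


def collapse(wrapped):
    """Remove every line break without inserting spaces in its place."""
    return "".join(wrapped.splitlines())


def set_dev_time_format(line, time_format):
    """Fill devTimeFormat with the format the appliance is configured to use."""
    if not time_format.strip() or "|" in time_format:
        raise ValueError("time_format must be non-empty and must not contain '|'")
    new_line, count = DEV_TIME_FORMAT.subn(
        lambda m: "devTimeFormat=" + time_format, line, count=1)
    if count == 0:
        raise ValueError("template has no devTimeFormat field")
    return new_line


def problems(line):
    """List the reasons a string is not ready to paste into the Message field."""
    found = []
    if line != collapse(line):
        found.append("contains line breaks")
    match = DEV_TIME_FORMAT.search(line)
    if match is None:
        found.append("devTimeFormat field is missing")
    elif not match.group(1).strip():
        found.append("devTimeFormat has no value")
    return found


if __name__ == "__main__":
    # "dd MMM yyyy HH:mm:ss" is a constructed value; use your appliance's format.
    ready = set_dev_time_format(collapse(SAMPLE_WRAPPED), "dd MMM yyyy HH:mm:ss")
    print(ready, problems(ready))
```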

  1. Log in to SecureSphere by using administrative privileges.
  2. Click the Policies tab.
  3. Click the Action Sets tab.
  4. Generate events for each alert that the SecureSphere device generates:
    1. Click New to create a new action set for an alert.

    2. Type a name for the new action set.

    3. Move the action to the Selected Actions list.

    4. Expand the System Log action group.

    5. In the Action Name field, type a name for your alert action.

    6. From the Apply to event type list, select Any event type.

    7. Configure the following parameters:

      • In the Syslog host field, type the IP address of the JSA appliance to which you want to send events.

      • In the Syslog log level list, select INFO.

      • In the Message field, define a message string for your event type.

    8. In the Facility field, type syslog.

    9. Select the Run on Every Event check box.

    10. Click Save.

  5. To trigger syslog events, associate each of your system event policies with an alert action:
    1. From the navigation menu, click Policies > System Events.

    2. Select or create the system event policy that you want to use for the alert action.

    3. Click the Followed Action tab.

    4. From the Followed Action list, select your new action and configure the parameters.

      Tip

      Configure established connections as either blocked, inbound, or outbound. Always allow applicable service ports.

    5. Click Save.