Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring Illumio Adaptive Security Platform to Communicate with JSA

To forward events to JSA, you must configure Exporting Events to Syslog and Syslog Forwarding for your Illumio PCE.

Configuring Exporting Events to Syslog for Illumio PCE

All audit and traffic summaries are sent to syslog in JSON format by default. The default configuration must be updated so that the events are exported in LEEF format.

  1. Stop the PCE software so that changes to the PCE runtime_env.yml file can be made.

  2. Enable LEEF formatting by configuring the PCE runtime_env.yml parameter syslog_event_export_format.

    syslog_event_export_format:leef

  3. Export traffic summaries to Syslog by configuring the PCE runtime_env.yml parameter export_flow_summaries_to_syslog:

    export_flow_summaries_to_syslog: accepted potentially_blocked blocked

    Note:

    By default, the PCE exports all audit events to Syslog. Therefore, no configuration is required to enable exporting audit events.

    The export_flow_summaries_to_syslog parameter should be considered experimental and the mechanism for configuring this feature might change in a future release.

    Note:

    The export_flow_summaries_to_syslog parameter should be considered experimental and the mechanism for configuring this feature might change in a future release.

  4. Type the ./illumio-pce-env check command to validate the syntax of the configuration file.

  5. Start the PCE software.

Configuring Syslog Forwarding for Illumio PCE

Because the PCE software exports logs to a local syslog, you must configure either rsyslog or syslog-ng service on each node in your PCE cluster to forward these logs to JSA.

  1. If you want to configure rsyslog, complete the following steps.

    1. Edit the /etc/rsyslog.conf file by adding the following entries or uncomment if they are already present. Replace < Event Collector IP> with the IP address of the JSA event collector:

      ### LEEF (flow data, audit events) ### if $syslogseverity <= 6 \ and $syslogtag startswith 'illumio_pce/collector[' \ and $msg contains 'LEEF:' \ and $msg contains '|Illumio|PCE|' \ and $msg contains 'cat=flow_summary' \ then @@< Event Collector IP>:514 if $syslogseverity <= 6 \ and $syslogtag startswith 'illumio_pce/' \ and $msg contains 'LEEF:' \ and $msg contains '|Illumio|PCE|' \ and $msg contains 'audit_events' \ then @@< Event Collector IP>:514

    2. Restart the rsyslog service.

      service rsyslog restart

  2. If you want to configure syslog-ng, complete the following steps.

    1. Edit the /etc/syslog-ng/syslog-ng.conf file by adding the following entries or uncomment if they are already present. Replace < Event Collector IP> with the IP address of the JSA event collector:

      #destination d_net { tcp("< Event Collector IP>" port(514) flush_lines(1)); }; #log { source(s_src); filter(flow_events); destination(d_net); };#log { source(s_src); filter(audit_events); destination(d_net); }; ### LEEF (flow data, audit events) ### filter flow_events { level(info..emerg) and program("^illumio_pce/collector$") and message('LEEF:[^\|]+\|Illumio\|PCE\|') and message('cat=flow_summary'); }; filter audit_events { level(info..emerg) and program("^illumio_pce/") and message('LEEF:[^\|]+\|Illumio\|PCE\|') and message('cat=[^ #]*audit_events'); };

    2. Restart the syslog-ng service.

      service syslog-ng restart