Procedure to pass audit log data to a third-party SIEM product

With v8.5.4 and v8.5.5, perform these steps in the Audit Log Data section for the primary Policy Server in your deployment to pass audit log data to a third-party SIEM product. (See Viewing and exporting the audit log in Administrator Help for more information about the audit log.)

Steps

  1. Check Enable SIEM integration for audit log data for this Policy Server to enable the feature.
    Note that this feature is available only for the primary Policy Server and does not appear if you switch to a secondary Policy Server.
  2. Provide the IP address or hostname of the machine hosting the SIEM product, as well as the communication Port to use for sending the audit log data.
  3. Specify the Transport protocol (UDP or TCP) to use when sending audit log data to the SIEM product.
  4. Select the SIEM format to use. This determines the syntax of the string used to pass audit log data to the integration.
    • If you select Custom, enter or paste the string that you want to use in the text box that displays. Click View SIEM format strings for samples to use as a reference.
    • If you select a non-custom format, a sample Format string displays.
  5. Click OK to cache your changes. Changes are not implemented until you click Save and Deploy.

Next steps

When you save your changes, records written to the audit log are forwarded to the SIEM solution.
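After Save and Deploy, a quick way to confirm the integration is to stand up a throwaway receiver on the SIEM host using the same port and Transport protocol you entered above and watch for records. The Python listener below is an added example, not code from the product or its documentation; it assumes one record per UDP datagram or newline-delimited records over TCP, does not parse the format string, and `send_sample` is a constructed stand-in for the Policy Server used only for local testing.

```python
import socket

TIMEOUT = 2.0  # seconds to wait for records before giving up

def open_listener(transport, host="127.0.0.1", port=0):
    """Bind a socket matching the configured Transport; port=0 picks a free port."""
    transport = transport.upper()
    if transport not in ("UDP", "TCP"):
        raise ValueError("Transport must be UDP or TCP")
    kind = socket.SOCK_DGRAM if transport == "UDP" else socket.SOCK_STREAM
    sock = socket.socket(socket.AF_INET, kind)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    if transport == "TCP":
        sock.listen(5)
    sock.settimeout(TIMEOUT)
    return sock, sock.getsockname()[1]

def collect_records(sock, transport, max_records=10):
    """Return up to max_records received records as strings.
    One UDP datagram is one record; TCP records are assumed newline-delimited."""
    records = []
    try:
        if transport.upper() == "UDP":
            while len(records) < max_records:
                data, _ = sock.recvfrom(65535)
                records.append(data.decode("utf-8", "replace"))
        else:
            conn, _ = sock.accept()
            conn.settimeout(TIMEOUT)
            with conn, conn.makefile("rb") as lines:
                for raw in lines:  # stops on EOF when the sender closes
                    records.append(raw.rstrip(b"\r\n").decode("utf-8", "replace"))
                    if len(records) >= max_records:
                        break
    except socket.timeout:
        pass  # nothing (more) arrived: re-check host, port, transport, Save and Deploy
    return records

def send_sample(transport, port, records, host="127.0.0.1"):
    """Constructed stand-in for the Policy Server: emit records over the transport."""
    payload = [r.encode("utf-8") for r in records]
    if transport.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for p in payload:
                s.sendto(p, (host, port))
    else:
        with socket.create_connection((host, port), timeout=TIMEOUT) as s:
            s.sendall(b"\n".join(payload) + b"\n")
```

On the real SIEM host, call `open_listener` with the configured port and bind address, then `collect_records`; an empty result after the timeout means nothing reached the host on that port and transport.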