Configuring Event Streamer syslog via GUI
FireEye Endpoint Security (HX) is an endpoint security solution that combines conventional antivirus (EPP), next-generation antivirus (NGAV), and EDR. For layered protection of endpoints, the solution runs four engines: a signature-based antivirus engine, a machine-learning (AI) engine, a behavioral detection engine, and an indicator-of-compromise (IOC) engine.
This section describes the various configuration settings provided in the Event Streamer policy.
- After logging in to the console, navigate to Event Streamer and enable the policy as shown in the screenshot below.
- To enable Event Streamer for the current policy, toggle the setting Enable Event Streamer on the host to ON and save the policy changes.
- To enable event streaming to your Helix instance, toggle the setting Stream to FireEye Helix to ON.
- To configure a syslog server as an Event Streamer destination, navigate to the server settings under Destinations.
- To add a server, click Add Syslog Destination as shown in the screenshot below.
- The destination form has three fields: Name, a label you choose for the server; IP Address, which must be the IPv4 address of the Chronicle forwarder; and Port, the TCP port Event Streamer connects to on that forwarder (11689 in this deployment).
Event Log Streaming
- Event Log Streaming settings allow an admin to configure which Windows event logs will be monitored.
- When any of these settings is ON, Event Streamer will be configured to record events from the selected event log and stream them.
- These settings apply to both Helix and Syslog event streaming.
Configuring Event Streamer syslog via CLI
Complete the following steps to configure FireEye HX to send data to the Remote Ingester Note (RIN) using syslog:
1. Log in to the FireEye HX appliance CLI.
2. Enter configuration mode:
    configure terminal
3. Add the remote syslog server destination, where <forwarder_ip_address> is the IPv4 address of the Chronicle forwarder and <Chronicle_port_number> is 11689:
    logging <forwarder_ip_address> port <Chronicle_port_number>
4. Enter the following command to save the configuration on the FireEye HX appliance:
5. Once the configuration is complete, validate in Chronicle that logs are arriving: a search using the regular expression ".*", or a search for a specific hostname, lists the log source types currently ingesting into Chronicle. The original page included a screenshot of this search for reference.
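Both the GUI and CLI procedures above end with the same question: will Event Streamer actually reach the forwarder on 11689 before you go looking for the log source in Chronicle? The following pre-flight check is an added example written for this page; it is not FireEye, Chronicle, or RIN code. It assumes (hypothetically) that the forwarder accepts syslog over TCP and that a plain RFC 3164-style line is enough to prove the path is open. It validates the Name/IP/Port values the destination form expects, then opens a TCP connection from the host running the check and sends one test line. The listener class is only a stand-in for the forwarder so the check can run offline; point `send_test_event` at the real forwarder address to test a live deployment.

```python
"""Pre-flight check for an HX Event Streamer syslog destination (added example).

Assumptions (hypothetical, not from the FireEye or Chronicle docs): the
forwarder listens for syslog over TCP on 11689, and one RFC 3164-style
line is an adequate connectivity probe. _CaptureListener stands in for
the forwarder so the whole thing runs offline.
"""
import ipaddress
import socket
import threading
from datetime import datetime, timezone

CHRONICLE_SYSLOG_PORT = 11689  # forwarder port given in the procedure above


def validate_destination(ip, port):
    """Return a list of problems with a destination's IP Address / Port values."""
    problems = []
    try:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4:
            problems.append(f"{ip} is not IPv4; the destination field expects an IPv4 address")
        elif addr.is_loopback or addr.is_unspecified:
            problems.append(f"{ip} is not a routable forwarder address")
    except ValueError:
        problems.append(f"{ip!r} is not a valid IP address")
    if not 1 <= port <= 65535:
        problems.append(f"port {port} is out of range")
    elif port != CHRONICLE_SYSLOG_PORT:
        problems.append(f"port {port} differs from the documented forwarder port {CHRONICLE_SYSLOG_PORT}")
    return problems


def build_test_message(hostname):
    """One RFC 3164-style line; <14> = facility user (1*8) + severity info (6)."""
    ts = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<14>{ts} {hostname} hx-preflight: event streamer destination check\n".encode()


def send_test_event(ip, port, hostname, timeout=3.0):
    """Open a TCP connection the way Event Streamer would and send one line."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as s:
            s.sendall(build_test_message(hostname))
        return True
    except OSError:
        return False


class _CaptureListener:
    """Throwaway local TCP listener that plays the forwarder (offline use only)."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket()
        self.sock.bind((host, 0))          # ephemeral port, so no clash with a real 11689
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.received = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            data = b""
            while not data.endswith(b"\n"):  # read up to the newline terminator
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            self.received.append(data)
        self.sock.close()

    def wait(self, timeout=3.0):
        self.thread.join(timeout)
        return self.received


def run_offline_check(hostname="hx-appliance"):
    """End-to-end probe against the local stand-in; returns (sent_ok, lines_received)."""
    listener = _CaptureListener()
    ok = send_test_event("127.0.0.1", listener.port, hostname)
    return ok, listener.wait()


if __name__ == "__main__":
    print("form problems:", validate_destination("10.20.30.40", CHRONICLE_SYSLOG_PORT))
    sent, lines = run_offline_check()
    print("probe sent:", sent, "received:", lines)
```

If `send_test_event` returns False against the real forwarder, fix the firewall or the forwarder listener before touching the HX policy; a destination that Event Streamer cannot reach produces nothing for the ".*" search in Chronicle to find.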