Table of Contents:
This topic describes the steps to configure syslog on the MangeEngine ADAudit Plus.
Prerequisites
- Administrator login credentials.
Configuring ManageEngine AD logs
- Login to your ManageEngine ADAudit Plus Administration Interface.
- Navigate to Admin > Configuration > SIEM Integration
- Check the box next to Enable to forward the ADAudit Plus logs.
4. Select the ArcSight format and configure the following fields:
- IP Address: Forwarder IP Address
- Port: 11603
- Target Type: TCP or UDP
ArcSight CEF Key Mappings
| CEF Key | ADAuditPlus Column |
| cat | ADAuditPlus Category |
| cn1 | Event Number |
| cn2 | Record Number |
| cn3 | Unique ID |
| cs1 | ADAuditPlus Report Profile Name |
| cs4 | ADAuditPlus Alert Profile Name |
| cs3 | Event Source |
| cs5 | Severity |
| rt | Event Time |
| type | Event Type |
| reason | Event Remarks |
| outcome | Event Outcome |
| msg | ADAuditPlus Message String |
| fileName | File Name |
| fileLocation | File Location |
| suser | User Name / Caller User Name |
| suid | User SID / Caller User Name |
| sntdom | Domain Name / Caller Domain Name |
| shost | User Machine / Caller Machine Name |
| cs2 | User Machine IP Address |
| duser | Target User Name |
Once the configuration is completed, you need to validate the logs in the chronicle using a regular expression such as (".*") . This expression, or a specific hostname, will provide the log source types that are being ingested to chronicle. Below is a screen shot for reference.
Comments
0 comments
Please sign in to leave a comment.