This topic describes the steps to configure syslog forwarding on ManageEngine ADAudit Plus so that its logs are sent to Chronicle.
Prerequisites
- Administrator login credentials.
Configuring ManageEngine AD logs
1. Log in to your ManageEngine ADAudit Plus administration interface.
2. Navigate to Admin > Configuration > SIEM Integration.
3. Check the box next to Enable to forward the ADAudit Plus logs.
4. Select the ArcSight format and configure the following fields:
   - IP Address: Forwarder IP Address
   - Port: 11603
   - Target Type: TCP or UDP
ArcSight CEF Key Mappings
| CEF Key | ADAuditPlus Column |
|---|---|
| cat | ADAuditPlus Category |
| cn1 | Event Number |
| cn2 | Record Number |
| cn3 | Unique ID |
| cs1 | ADAuditPlus Report Profile Name |
| cs4 | ADAuditPlus Alert Profile Name |
| cs3 | Event Source |
| cs5 | Severity |
| rt | Event Time |
| type | Event Type |
| reason | Event Remarks |
| outcome | Event Outcome |
| msg | ADAuditPlus Message String |
| fileName | File Name |
| fileLocation | File Location |
| suser | User Name / Caller User Name |
| suid | User SID / Caller User Name |
| sntdom | Domain Name / Caller Domain Name |
| shost | User Machine / Caller Machine Name |
| cs2 | User Machine IP Address |
| duser | Target User Name |
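As an added example (not part of this document and not ManageEngine's or Chronicle's own tooling), the following Python parser splits one ArcSight CEF line into its header fields and renames the extension keys using the mapping table above, which is useful for checking what a forwarded event actually contains before it reaches the SIEM. The sample line and all of its values are constructed; unknown extension keys are kept verbatim.

```python
import re

# CEF extension key -> ADAudit Plus column, taken from the mapping table above.
ADAUDIT_CEF_KEYS = {
    "cat": "ADAuditPlus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "ADAuditPlus Report Profile Name",
    "cs4": "ADAuditPlus Alert Profile Name", "cs3": "Event Source", "cs5": "Severity",
    "rt": "Event Time", "type": "Event Type", "reason": "Event Remarks",
    "outcome": "Event Outcome", "msg": "ADAuditPlus Message String",
    "fileName": "File Name", "fileLocation": "File Location",
    "suser": "User Name / Caller User Name", "suid": "User SID / Caller User Name",
    "sntdom": "Domain Name / Caller Domain Name",
    "shost": "User Machine / Caller Machine Name",
    "cs2": "User Machine IP Address", "duser": "Target User Name",
}

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Header fields are pipe-delimited; a "\|" inside a header value is a literal pipe.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension values may contain spaces, so split only where the next "key=" starts.
_EXT_SPLIT = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9]*=)")


def parse_cef(line: str) -> dict:
    """Parse one CEF line into header fields plus an extension dict keyed by column name."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields plus an extension")
    record = {k: v.replace("\\|", "|").replace("\\\\", "\\")
              for k, v in zip(HEADER_FIELDS, parts)}
    extension = {}
    for pair in _EXT_SPLIT.split(parts[7].strip()):
        key, _, value = pair.partition("=")          # keys never contain "="
        value = value.replace("\\=", "=").replace("\\n", "\n").replace("\\\\", "\\")
        extension[ADAUDIT_CEF_KEYS.get(key, key)] = value
    record["extension"] = extension
    return record


# Constructed sample event; the signature id, name and values are illustrative only.
SAMPLE = ("CEF:0|ManageEngine|ADAuditPlus|7.0|2001|Logon Success|3|"
          "cat=Logon cn1=4624 suser=jdoe sntdom=CORP shost=WS01 cs2=10.0.0.5 "
          "outcome=Success msg=User logged on interactively")

if __name__ == "__main__":
    for column, value in parse_cef(SAMPLE)["extension"].items():
        print(f"{column}: {value}")
```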
Once the configuration is complete, validate the logs in Chronicle using a regular expression such as (".*"). This expression, or a specific hostname, will show the log source types being ingested into Chronicle. Below is a screenshot for reference.