Skip to content

Log Forwarding - Security Events and Traffic Logs

Overview

Security Information Event Management (SIEM) systems are solutions that specialize in combining security information and security event information together into a single management platform. The security and event information will originate from 3rd party security solutions that are configured to forward this information to the SIEM.

Valtix supports viewing security event information directly within the UI. These events are available under the Investigate -> Flow Analytics section. The events are categorized and viewable as follows:

Category Type Description
Flow Logs FLOW_LOG Information related to the different stages of a traffic flow
Firewall Events APPID Traffic matched based on Application ID (OpenAppID)
GEOIP Traffic sourced from or destined to a Geo IP (MaxMind)
L4_FW Traffic matched based on layer4 information (Source/Dest IP/Port and Protocol)
MALICIOUS_IP Traffic sourced from or destined to a malicious IP (Trustwave)
SNI Traffic matched based on SNI information
Network Threats AV Traffic where a virus has been detected (ClamAV)
DPI Traffic where an IDS/IPS threat has been detected (TALOS)
DLP Traffic where sensitive data is being exfiltration
Web Protection WAF Traffic where a web application threat has been detected (ModSecurity)
L7DOS Traffic that is contributing to a layer7 DOS attack
URL Filtering URLFILTER Traffic that matches a URL category or URL (BrightCloud)
FQDN Filtering FQDNFILTER Traffic that matches a FQDN category or FQDN (BrightCloud)
HTTPS Logs HTTP_REQUEST Information related to web-based traffic (HTTP)
TLS_ERROR Information related to TLS errors
TLS_LOG Information related to TLS behavior
Traffic Summary Logs SESSION_SUMMARY Summary information on each processed traffic session

Tech Notes

Flow Logs are deprecated in 2.10 and later Gateway releases. The information contained within each Flow Log is made available as part of the session information available in Traffic Summary -> Logs.

Each of the event categories can be sent to a SIEM using a Log Forwarding Profile. The SIEMs currently supported by Valtix are:

A Log Forwarding Profile can be operated on using the steps outlined below:

Create a Profile

  1. Navigate to Manage -> Profiles -> Log Forwarding
  2. Click Create
  3. Fill in the appropriate parameters (refer to the SIEM-specific documentation)
  4. Click Save
  5. Add the desired Gateway Associations (refer to Add a Gateway Association)

Edit a Profile

  1. Navigate to Manage -> Profiles -> Log Forwarding
  2. Check the box next to the Profile you want to Edit
  3. Click Edit
  4. Modify the parameters as desired (refer to the SIEM-specific documentation)
  5. Click Save

Delete a Profile

  1. Navigate to Manage -> Profiles -> Log Forwarding
  2. View the Profile Details to view the Associated Gateways
  3. Remove all Gateway Associations (refer to Remove a Gateway Association)
  4. Navigate to Manage -> Profiles -> Log Forwarding
  5. Check the box next to the Profile you want to Delete
  6. Click Delete
  7. Confirm the Delete operation by clicking Yes or No

View a Profile Details

  1. Navigate to Manage -> Profiles -> Log Forwarding
  2. Select the Profile link you want to view the Details
  3. View the Details information

Add a Gateway Association

  1. Navigate to Manage -> Gateways -> Gateways
  2. Check the box next the Gateway you want to associate the Profile
  3. Click Edit
  4. For the Log Profile parameter, select the desired Profile from the menu
  5. Click Save

Remove a Gateway Association

  1. Navigate to Manage -> Gateways -> Gateways
  2. Check the box next the Gateway you want to de-associate the Profile
  3. Click Edit
  4. For the Log Profile parameter, click the 'X' next to the Profile to remove it
  5. Click Save

Tech Notes

A Log Forwarding Profile can also be associated with a Gateway at time of Gateway creation. The Log Profile parameter is available during the Gateway creation process, where the desired Profile can be selected from the menu.