Security Information and Event Management (SIEM) products provide real-time analysis of security alerts generated by security solutions such as Imperva Cloud Web Application Firewall (WAF). Many organizations implement a SIEM solution to bring visibility of all security events from various solutions and to have the ability to search them or create their own dashboard.
Note that a simpler alternative to a SIEM is Imperva Attack Analytics, which removes the burden of integrating logs into a SIEM and condenses all security events into comprehensive narratives rated by severity. A demo of Imperva Attack Analytics is available here.
This article will take you step-by-step through the process of deploying a Graylog server that can ingest Imperva SIEM logs and let you review your data. They are:
The steps apply to the following scenario:
Most of the steps below also apply to other setups and cloud platforms besides AWS. Note that a Graylog AMI does exist in AWS, but at the time of writing only with Ubuntu 14. I will also publish future blogs on how to parse your Imperva SIEM logs and how to create a dashboard to read them.
Step 1: Deploy an Ubuntu Server on AWS
As a first step, let’s deploy an Ubuntu machine in AWS with the 4GB RAM required to deploy Graylog.
It is recommended to use Ubuntu 16.04 or above, as packages such as MongoDB and openjdk-8-jre are already available in the standard repositories, which simplifies the installation. The commands below apply to Ubuntu 16.04 (the systemctl command, for instance, is not available on Ubuntu 14).
4GB is the minimum for Graylog, but you might consider more RAM depending on the volume of the data that you plan to gather.
Since we will be collecting logs, we will need more storage than the default space. The storage volume will depend a lot on the site traffic and the type of logs you will retrieve (all traffic logs or only security events logs).
Note that you will likely require much more than 40GB. If you are deploying on AWS, you can easily increase the capacity of your EC2 server anytime.
If you do not have an existing SSH key pair in your AWS account, you can create it using the ssh-keygen tool, which is part of the standard openSSH installation or using puttygen on Windows. Here’s a guide to creating and uploading your SSH key pairs.
Let’s make sure that port 9000 in particular is open. You might need to open other ports if logs are forwarded from another log collector, such as port 514 or 5044.
It is best practice to open port 22 only to the Cloud WAF IP ranges (this link) or to your own IP. Avoid opening port 22 to the world.
You can also consider locking the UI access to your public IP only.
sudo apt-get update
sudo apt-get upgrade
Select “y” when prompted or the default options offered.
Step 2: Install Java, MongoDB and Elasticsearch
sudo apt-get install apt-transport-https openjdk-8-jre-headless uuid-runtime pwgen
Check that Java is properly installed by running:
And check the version installed. If all is working properly, you should see a response like:
Graylog uses MongoDB to store the Graylog configuration data.
MongoDB is included in the repos of Ubuntu 16.04 and works with Graylog 2.3 and above.
sudo apt-get install mongodb-server
Start MongoDB and make sure it starts with the server. Note that the Ubuntu mongodb-server package registers its service as mongodb (the name mongod is used by MongoDB's own mongodb-org packages):
sudo systemctl start mongodb
sudo systemctl enable mongodb
And we can check that it is properly running by:
sudo systemctl status mongodb
Graylog 2.5.x can be used with Elasticsearch 5.x. You can find more instructions in the Elasticsearch installation guide:
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
sudo apt-get update && sudo apt-get install elasticsearch
Now modify the Elasticsearch configuration file located at /etc/elasticsearch/elasticsearch.yml and set the cluster name to graylog.
sudo nano /etc/elasticsearch/elasticsearch.yml
Additionally, you need to uncomment (remove the # as the first character) the line:
Now, you can start Elasticsearch with the following commands:
sudo systemctl daemon-reload
sudo systemctl enable elasticsearch.service
sudo systemctl restart elasticsearch.service
By running sudo systemctl status elasticsearch.service you should see Elasticsearch up and running as below:
Step 3: Install Graylog
wget https://packages.graylog2.org/repo/packages/graylog-2.5-repository_latest.deb
sudo dpkg -i graylog-2.5-repository_latest.deb
sudo apt-get update && sudo apt-get install graylog-server
First, create a password of at least 64 characters by running the following command:
pwgen -N 1 -s 96
Copy the result; it is referred to below as password.
Now create its SHA-256 hash, as required by the Graylog configuration file:
echo -n password | sha256sum
Now you can open the Graylog configuration file:
sudo nano /etc/graylog/server/server.conf
And replace password_secret and root_password_sha2 with the values you created above.
The configuration file should look as below (replace with your own generated password):
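The two values Step 3 asks for can be generated and cross-checked with the helper below. It is an added example, not part of the article or of Graylog; it assumes the coreutils sha256sum and the server.conf key names password_secret and root_password_sha2 used above.

```shell
#!/bin/sh
# Added helper, not from the Imperva article. Produces the admin password hash
# Graylog expects in root_password_sha2 and sanity-checks a server.conf.
# Assumes coreutils (sha256sum, sed) as installed on Ubuntu 16.04.

# SHA-256 of the admin password. printf '%s' writes no trailing newline;
# a plain `echo` (without -n) would hash "password\n" instead, and the
# resulting root_password_sha2 would never match what you type at login.
graylog_password_hash() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Check that $1 (a server.conf) has a password_secret of at least 64
# characters and a root_password_sha2 matching the admin password $2.
check_graylog_conf() {
  secret=$(sed -n 's/^password_secret *= *//p' "$1" | tail -n 1)
  hash=$(sed -n 's/^root_password_sha2 *= *//p' "$1" | tail -n 1)
  if [ "${#secret}" -lt 64 ]; then
    echo "ERROR: password_secret is ${#secret} chars, Graylog needs at least 64" >&2
    return 1
  fi
  if [ "$hash" != "$(graylog_password_hash "$2")" ]; then
    echo "ERROR: root_password_sha2 does not match the admin password" >&2
    return 1
  fi
  return 0
}

# Example run against a constructed config file (not a real deployment):
# printf 'password_secret = %s\nroot_password_sha2 = %s\n' \
#   "$(pwgen -N 1 -s 96)" "$(graylog_password_hash 'password')" > /tmp/server.conf
# check_graylog_conf /tmp/server.conf password && echo "server.conf secrets OK"
```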
Now replace the following entries with the public DNS name (CNAME) that AWS assigned when you created the EC2 instance. Depending on your setup, you can also use your internal IP instead of the alias below.
Although not mandatory, it is recommended that you configure https to your Graylog server.
Please find the steps to set up https in the following link: http://docs.graylog.org/en/2.3/pages/configuration/web_interface.html#configuring-webif-nginx
Run the following commands to restart Graylog and enable it at server startup:
sudo systemctl daemon-reload
sudo systemctl enable graylog-server.service
sudo systemctl start graylog-server.service
Now we can check that Graylog has properly started:
sudo systemctl status graylog-server.service
You should now be able to log in to the console.
If the page is not loading at all, check if you have properly configured the security group of your instance and that port 9000 is open.
You can log in with username 'admin' and the password you generated above (the one whose SHA-256 hash you placed in root_password_sha2).
Step 4: Configure SFTP on your server and Imperva Cloud WAF SFTP push
Let's create a dedicated user and a directory that Incapsula will push the logs to.
incapsula is the user name created in this example; you can replace it with a name of your choice. You will be prompted to choose a password.
Let’s create a new group:
sudo groupadd incapsulagroup
And associate the incapsula user to this group
sudo usermod -a -G incapsulagroup incapsula
In this example, we will send all logs to /home/incapsula/logs:
sudo mkdir -p /home/incapsula/logs
For security purposes, we want to restrict access of this user strictly to the folder where the logs will be sent. The home and incapsula folders can be owned by root while logs will be owned by our newly created user.
sudo chmod 755 /home/incapsula
sudo chown root:root /home/incapsula
Now let’s assign our new user (incapsula in our example) as the owner of the logs directory:
sudo chown -R incapsula:incapsulagroup /home/incapsula/logs
The folder is now owned by incapsula and belongs to incapsulagroup.
Since the incapsula folder itself is restricted to root, the newly created incapsula user can only write to /home/incapsula/logs, where it sends its logs.
sudo nano /etc/ssh/sshd_config
Comment out this line:
#Subsystem sftp /usr/lib/openssh/sftp-server
And add this line right below:
Subsystem sftp internal-sftp
Change the authentication settings to allow password authentication, so that Incapsula can send logs using username/password authentication:
And add the following lines at the bottom of the document:
Match Group incapsulagroup
Save the file and exit.
Let’s now restart the SSH server:
sudo service sshd restart
Now let's verify the setup: open FileZilla and try to upload a file. If everything worked properly, you should be able to:
Step 5: Push the logs from Imperva Incapsula to the Graylog SFTP folder
See below an example of the settings. Click Test Connection and ensure it is successful. Click Save.
You can select either security logs or all access logs on a site-per-site basis.
Selecting All Logs will retrieve all access logs, while Security Logs will push only logs where security events were raised.
You can find more details on the various settings of the SIEM logs integration in Imperva documentation in this link.
The first logs might take some time to reach your server, depending on the volume of traffic on the site, in particular for a site with little traffic. Generate some traffic and events.
To improve the security and performance of your SIEM integration project, you can consider enforcing https in Graylog. You can find a guide to configure https on Graylog here.