You are here: Docs>Sheriff Web>UserGuides>SheriffCSMDocumentation>DeploymentGuide>PluginManagement>ConfigureLogForwardingOnCommonlyUsedDataSources>SecureAuth (24 Jun 2022, SheriffCyberSecurity)Edit Attach
Up
Previous Next

Sheriff CSMâ„¢

SecureAuth

When you configure SecureAuth to send log data to Sheriff CSM, you can use the SecureAuth plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

DeviceDetails
Vendor SecureAuth
Device Type Network Access Control
Connection Type Syslog
Data Source Name secureauth
Data Source ID 1834

Integrating SecureAuth

Before you configure the SecureAuth integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).

The SecureAuth plugin in Sheriff CSM can process syslog messages sent directly to the Sheriff CSM Sensor or through NXLog. If you plan to use Syslog directly, follow the instructions in "Configure SecureAuth to Send Syslog;" if you plan to use NXLog instead, follow the instructions in "Configure NXLog on Windows," both included below.

Configure SecureAuth to Send Syslog

To configure SecureAuth to send Syslog messages to Sheriff CSM
  1. From the SecureAuth web interface, select the Logs tab.

  2. In the Log Type field, select Syslog.

  3. In the Syslog Server and Syslog Port fields, enter the Sheriff CSM IP address and 514, respectively.

  4. Select the Extended OTP Logging check box.

  5. Save and apply the changes.

Configure NXLog on Windows

To send log data through NXLog to Sheriff CSM

  1. If not done already, download nxlog.conf, and then place it in the conf directory of your NXLog installation. Depending on which version you use, the directory can be C:\Program Files (x86)\nxlog\conf for the 32-bit version or C:\Program Files\nxlog\conf for the 64-bit version.

    Note: This step overwrites the default nxlog.conf file. You may want to back up the original copy before placing the one provided by AT&T Cybersecurity.

  2. Open the nxlog.conf file in a text editor.

  3. Update the root path of your NXLog installation.

    1. Locate the following lines:

      #define ROOT C:\Program Files\nxlog
#define ROOT C:\Program Files (x86)\nxlog
    2. Uncomment the path that matches the NXLog installation on your Windows machine.

  4. Enter the Sheriff CSM Sensor IP address.

    1. Locate the following line:

      define OUTPUT_DESTINATION_ADDRESS <Sheriff-CSM-Sensor-IP>
    2. Replace <Sheriff-CSM-Sensor-IP> with the IP address of the Sheriff CSM All-in-One or Sheriff CSM Sensor that will receive the Windows events.

  5. Uncomment the section between SECUREAUTH-NXLOG and /SECUREAUTH-NXLOG.

    Important: Only remove the first # symbol in each line when uncommenting the sections. The remaining # symbol indicates that the line is either a comment or optional.

  6. Verify the file path defined in the section. Update the path to match your SecureAuth installation.

  7. Save the file.

  8. Start or restart the NXLog service.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://docs.secureauth.com/display/docs/secureauth+logging+and+audit

https://docs.secureauth.com/display/docs
Edit  | Attach | Print version | History: r9 < r8 < r7 < r6 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r9 - 24 Jun 2022, SheriffCyberSecurity
Copyright 2020 Sheriff Cyber Security, LLC. All rights reserved.