SIEM Collector Dialog

Description
SIEM Collector Dialog: The SIEM Collector dialog is used to create a log collector service that analyzes logs for events.
Name field: Specifies the name for the Collector, which can be anything.
Type field: Lists and specifies the types of logs that will be collected.
Source field: Specifies the log collection source, which can be an Instance, Sky Node, or Nexus.
Collector field: Specifies the collector service that will be used to collect the logs: File collects data from log files, Docker collects data from Docker logs, and System collects data from operating system logs.
Log Name field: Specifies the full path and name of the log file.
Parser field: Specifies the name of a predefined parser or the regular expression that will be used to parse the log file.
Filter section: Specifies the inclusion of specific patterns or the exclusion of white-noise patterns in the logs being collected.
Add button: Adds an inclusion or exclusion filter rule to the collector service, defining which log patterns are included or excluded during log collection.
Remove button: Removes an inclusion or exclusion rule from the collector service, allowing the log collection filters to be adjusted.
Create button: Saves the Collector configuration and provisions it.
Cancel button: Aborts and closes the dialog.

SIEM Collector Actions Menu

Description
SIEM Collector Actions Menu: On the right-hand side of the SIEM Collector list view, you will find the "Actions" menu, which displays shortcut icons and the dropdown menu icon. The actions for the SIEM Collector module are listed below.
Copy ID item: Copies the Collector ID to the clipboard.
Edit Collector item: Opens the SIEM Collector dialog in edit mode, allowing modifications.
Open Observer item: Opens the Observer dialog, which is used to perform searches and define rules for detecting and responding to events.
Purge Collector item: Opens a confirmation dialog and, if confirmed, purges all logs from the collector.
Delete Collector item: Opens a confirmation dialog and, if confirmed, deletes the Collector service.

Observer Dialog

Description
Observer Dialog: The Observer dialog is used to perform searches and define patterns for detecting events within the collected logs.
Observer Rules panel: Lists the rules saved in the Observer for detecting specific events based on predefined patterns and conditions.
Observer Query section: Searches for and retrieves the records matching the specified search pattern, displaying a maximum of 1000 rows.
Time Scope field: Specifies the time range for the search, which can cover up to 30 days of historical data.
Query field: Defines the search pattern using the Human Query Language (HQL), which works as follows:
  • A word without double quotes is a partial match (e.g., err matches every line that contains 'err' as part of a word).
  • A word enclosed in double quotes is a whole-word match (e.g., "err" matches every line that contains 'err' as a complete word).
  • The operators AND and OR refine the search (e.g., error AND "404" OR "505" matches every line that contains the word 'error' and either the number '404' or '505' as a whole word).
Search button: Starts the search based on the defined search pattern. You can also press the Enter key in the Query field to start the search.
Raise Event field: Specifies the Event Hub to which the rule sends an event notification containing the log JSON data.
Nexus Action field: The Nexus Action field is visible only when the collector is defined as Nexus Log. It contains special actions designed to protect the Nexus server and to notify about events occurring on it. The following actions can be triggered:
  • Block
    If the "ip_blocker" script is defined in the "settings.json" of the Nexus Server, the rule executes the script and passes it the IP address. This mechanism is used to block malicious activity immediately: typically the script applies a DENY rule to the firewall, which matters most when the Nexus server is publicly accessible, because it prevents further attacks from the identified malicious IP address.
  • Notify
    This action requires the "smtp*" keys and the "ip_blocker_emailto" key to be set in the "settings.json" of the Nexus Server, and is used to send notification emails about the event.
  • Block-Notify
    This action executes both the Block and Notify actions described above: the offending IP address is blocked and notification emails about the event are sent.
Add Rule button: Adds the specified rule to the Observer process so that the system monitors for the defined patterns.
Run Query button: Executes the saved rule's query from the Query field without triggering any events.
Delete Rule button: Removes the rule from the Observer process.
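The HQL rules described for the Query field (unquoted word = partial match, quoted word = whole-word match, AND/OR to combine terms) can be reproduced in a small matcher, which is useful for testing a rule's pattern against captured lines before saving it as an Observer rule. The following is an added example and not the product's own query engine: the sample log lines are constructed, matching is assumed to be case-sensitive, and operator precedence is taken from the page's own example (OR binds tighter than AND, so error AND "404" OR "505" is read as error AND ("404" OR "505")); the real product may differ on both points.

```python
import re

# Constructed sample log lines (not taken from the product) used to exercise the matcher.
SAMPLE_LOG = [
    "2024-05-01 10:00:01 web error: GET /index.html status=404",
    "2024-05-01 10:00:02 web error: GET /api/users status=505",
    "2024-05-01 10:00:03 web error: GET /api/items status=4041",
    "2024-05-01 10:00:04 db terror in replication stream",
    "2024-05-01 10:00:05 auth ok user=err from=203.0.113.7",
]

# A token is either a double-quoted phrase or a run of non-whitespace characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(query):
    """Split an HQL query into ('phrase', text), ('word', text) and ('op', 'AND'|'OR') tokens."""
    tokens = []
    for match in _TOKEN.finditer(query):
        if match.group(1) is not None:
            tokens.append(("phrase", match.group(1)))   # "err" -> whole-word match
        elif match.group(2) in ("AND", "OR"):
            tokens.append(("op", match.group(2)))       # boolean operator
        else:
            tokens.append(("word", match.group(2)))     # err -> partial (substring) match
    return tokens


def _term_matcher(kind, text):
    """Build the predicate for one search term; matching is case-sensitive (an assumption)."""
    if kind == "word":
        return lambda line: text in line
    # Whole word: the text must not be preceded or followed by another word character,
    # so "404" matches "status=404" but not "status=4041".
    pattern = re.compile(r"(?<!\w)" + re.escape(text) + r"(?!\w)")
    return lambda line: pattern.search(line) is not None


def compile_query(query):
    """Parse a query into a predicate over a single log line.

    Precedence follows the page's own example: OR binds tighter than AND, so
    error AND "404" OR "505" means error AND ("404" OR "505").
    """
    tokens = tokenize(query)
    if not tokens:
        raise ValueError("empty query")
    pos = [0]  # current token index, shared by the nested parsers

    def term():
        if pos[0] >= len(tokens) or tokens[pos[0]][0] == "op":
            raise ValueError(f"expected a search term at token {pos[0]}")
        kind, text = tokens[pos[0]]
        pos[0] += 1
        return _term_matcher(kind, text)

    def or_expr():
        parts = [term()]
        while pos[0] < len(tokens) and tokens[pos[0]] == ("op", "OR"):
            pos[0] += 1
            parts.append(term())
        return lambda line: any(p(line) for p in parts)

    def and_expr():
        parts = [or_expr()]
        while pos[0] < len(tokens) and tokens[pos[0]] == ("op", "AND"):
            pos[0] += 1
            parts.append(or_expr())
        return lambda line: all(p(line) for p in parts)

    matcher = and_expr()
    if pos[0] != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos[0]]!r}")
    return matcher


def hql_search(query, lines, limit=1000):
    """Return the lines matching the query, capped like the Observer Query section (1000 rows)."""
    matcher = compile_query(query)
    return [line for line in lines if matcher(line)][:limit]


if __name__ == "__main__":
    for q in ("err", '"err"', 'error AND "404" OR "505"'):
        print(q, "->", len(hql_search(q, SAMPLE_LOG)), "line(s)")
```

Note how the whole-word form is what makes a status-code rule precise: the partial term 404 would also fire on status=4041, while "404" does not. A dangling operator (error AND) is rejected rather than silently matching everything, which is the failure mode you want to catch before a rule is saved with Raise Event set.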
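The Block action hands a value extracted from a log line to the "ip_blocker" script, which then changes the firewall. Because that value comes from attacker-influenced log data, the script should accept only a literal IP address, refuse addresses that would cut the server off from its own network or lock out operators, and pass the address to the firewall tool as a single argument rather than through a shell. The following is an added example of such a script and is not the product's ip_blocker; it assumes the script receives the IP address as its first command-line argument (the page does not document the interface), uses iptables/ip6tables as an assumed firewall backend, and the allowlisted 198.51.100.0/24 range is a constructed placeholder for an operator network.

```python
import ipaddress
import subprocess
import sys

# Assumption (the page does not document the script interface): the Block action runs
# the ip_blocker script with the offending IP address as its first command-line argument.

# Address ranges a log-driven rule must never block: the unspecified address, RFC 1918 /
# ULA private space, loopback, link-local and multicast. Blocking these would at best do
# nothing and at worst cut the server off from its own network.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed allowlist, e.g. the operators' own egress range: a rule that matches a log
# line produced by an operator's session must not lock the operators out.
NEVER_BLOCK = [ipaddress.ip_network("198.51.100.0/24")]


def classify(ip_text):
    """Return (address, None) if ip_text is a blockable address, else (None, reason)."""
    try:
        # ip_address() accepts only a literal address: a hostname, a CIDR or anything
        # carrying shell metacharacters is rejected here, before it can reach the firewall.
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None, "not an IP address literal"
    if any(addr in net for net in NON_ROUTABLE if net.version == addr.version):
        return None, "non-routable address"
    if any(addr in net for net in NEVER_BLOCK if net.version == addr.version):
        return None, "allowlisted address"
    return addr, None


def block_command(ip_text):
    """Build the firewall argv for a validated address, or None if it must not be blocked.

    iptables/ip6tables is an assumed backend; the page only says a DENY rule is applied.
    The command is an argument list, never a shell string, so the address is one argument.
    """
    addr, _reason = classify(ip_text)
    if addr is None:
        return None
    tool = "iptables" if addr.version == 4 else "ip6tables"
    return [tool, "-I", "INPUT", "-s", str(addr), "-j", "DROP"]


def main(argv):
    if len(argv) < 2:
        print("usage: ip_blocker.py <ip-address> [--dry-run]", file=sys.stderr)
        return 2
    cmd = block_command(argv[1])
    if cmd is None:
        _, reason = classify(argv[1])
        print(f"refusing to block {argv[1]!r}: {reason}", file=sys.stderr)
        return 1
    if "--dry-run" in argv:
        print("would run:", " ".join(cmd))
        return 0
    subprocess.run(cmd, check=True)  # needs root; raises if the firewall command fails
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with --dry-run first to see the exact rule it would insert. Every refusal is written to stderr with its reason, so a rule that keeps handing the script private or malformed values shows up in the server's logs instead of silently doing nothing; the Block-Notify action surfaces the same events by email.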

The siemcollector Policy

The following is a list of policy grants that define and regulate access permissions for both users and the API. To manage these policies, please use the Roles dialog.

Grants       Description                                                  API Command
full         Grants full access.                                          ALL
add-rule     Permits the addition of a rule to the Observer process.      add-rule
delete       Permits the deletion of the item.                            delete
delete-rule  Permits the removal of a rule from the Observer process.     delete-rule
edit         Permits access to the "Edit" dialog.
list         Permits listing in the List View area or as JSON objects.    list
new          Permits access to the new "Provisioning" dialog.
observer     Permits access to the "Observer" dialog.
purge        Permits purging of all log entries.                          purge
save         Permits execution of the provisioning process.               create, update
search       Permits querying of log entries.                             search