Best Practice: Shipping events to SIEM systems
Regular monitoring of the Bravura Security Fabric is crucial to maintaining a highly available service. Administrators and security teams should be aware of potential configuration or security issues, and a SIEM solution provides the ability to see events in real-time, review historical events, and even identify trends and other analytics over a period of time. Therefore it is best practice to integrate the Bravura Security Fabric with existing SIEM solutions to better facilitate this kind of proactive maintenance.
Challenge: syslog versus SIEM integration
The built-in syslog support within the Bravura Security Fabric is a legacy integration point that is no longer actively developed or improved. As SIEM solutions have matured over the years, the necessity of direct syslog integration has become less and less relevant, and so demand for extending the syslog feature has also been low.
As such, Bravura Security no longer recommends using syslog transmission of event data.
Syslog is a lossy protocol
Syslog is not a reliable delivery method: events can be dropped whenever a network issue occurs between the application server(s) and the SIEM system, because messages cannot be queued and retransmitted when connectivity is unavailable. Furthermore, to minimize the performance effect on overall log transmission, syslog is usually sent over UDP, which provides no delivery guarantee at all.
Syslog over TLS is not supported
While transmitting syslog messages over TLS is possible (see https://datatracker.ietf.org/doc/html/rfc5425), this is not supported by the Bravura Security Fabric logging service, nor will support be added in the future.
Best practice solution
For on-premise deployments, Bravura Security recommends that log collection agents for SIEM systems be installed on Bravura Security Fabric application servers and proxy servers to securely and efficiently transmit this information over HTTPS. Log collection agents generally operate by tracking the location in the files and the Windows event logs that were last processed, and then transmitting content in bulk to servers when connectivity exists.
Log collection agents can then be configured to transmit the information that is located in:
The Bravura Security Fabric application log file directories:
<Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance>\
The Windows Event Log audit event storage location:
Applications and Services Logs > Bravura Security Fabric
Errors are logged into the Admin folder, and information and warnings are logged into the Operational folder.
The highest value and best quality messages to be processed include:
The audit events in the Windows Event Log location. These cover a range of high value actions that are of interest to security event systems.
Performance messages in the Bravura Security Fabric application log files. These are well structured messages that are identified at level "Perf" in the logs.
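As an added illustration of the collection mechanism described above (example code written for this page, not Bravura Security's or any SIEM vendor's agent), the following Python sketch keeps a byte-offset checkpoint for a log file, forwards only the "Perf" level entries in batches, and advances the checkpoint only after the receiver accepts the batch, so an outage results in a retry rather than a gap. The line layout and sample entries are constructed; the actual Bravura Security Fabric log format is not described on this page.

```python
import json
import re
from pathlib import Path

# Constructed sample log content; the real Bravura Security Fabric line layout
# is not given on the page, so "<date> <time> <level> <message>" is assumed.
SAMPLE_LOG = (
    "2024-01-10 10:00:00 Info  service started\n"
    "2024-01-10 10:00:05 Perf  login page rendered in 120 ms\n"
    "2024-01-10 10:00:09 Warn  slow backend response\n"
    "2024-01-10 10:00:12 Perf  password update in 340 ms\n"
)
LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\s+(.*)$")

def parse_line(line):
    m = LINE_RE.match(line.rstrip("\r\n"))
    return None if not m else dict(zip(("ts", "level", "msg"), m.groups()))

def read_checkpoint(state_path):
    try:
        return json.loads(Path(state_path).read_text())["offset"]
    except (FileNotFoundError, KeyError, ValueError):
        return 0  # first run: start at the beginning of the file

def collect_batch(log_path, state_path, level="Perf"):
    """Complete lines appended since the checkpoint, filtered to one level."""
    offset = read_checkpoint(state_path)
    events = []
    with open(log_path, "rb") as f:
        f.seek(0, 2)
        if f.tell() < offset:  # file rotated or truncated: start over
            offset = 0
        f.seek(offset)
        while True:
            pos = f.tell()
            raw = f.readline()
            if not raw.endswith(b"\n"):  # EOF, or a line still being written
                return events, pos
            ev = parse_line(raw.decode("utf-8", "replace"))
            if ev and ev["level"] == level:
                events.append(ev)

def forward(log_path, state_path, send, level="Perf"):
    """Ship one batch via send(events) -> bool; the checkpoint only advances
    after the receiver accepted it, so an outage means a retry, not a gap."""
    events, next_offset = collect_batch(log_path, state_path, level)
    if events and not send(events):
        return 0  # checkpoint untouched: the same lines are resent next run
    Path(state_path).write_text(json.dumps({"offset": next_offset}))
    return len(events)
```

In a real deployment `send` would be the HTTPS call to the SIEM's ingestion endpoint; here it is any callable that returns True only when the batch was accepted.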