Best Practice: Shipping events to SIEM systems
Regular monitoring of the Bravura Security Fabric is crucial to maintaining a highly available service. Administrators and security teams should be aware of potential configuration or security issues. A SIEM solution provides the ability to view events in real-time, review historical events, and even identify trends and other analytics over a period of time. Therefore, it is best practice to integrate the Bravura Security Fabric with existing SIEM solutions to better facilitate this kind of proactive maintenance.
Challenge: syslog versus SIEM integration
The built-in syslog support within the Bravura Security Fabric framework is a legacy integration point that is no longer actively developed or improved. As SIEM solutions have matured over the years, the necessity of direct syslog integration has become less and less relevant, and so demand for extending the syslog feature has also been low.
As such, Bravura Security no longer recommends using syslog transmission of event data.
Syslog is a lossy protocol
Syslog is not a reliable delivery method: events can be dropped when network issues occur between the application server(s) and the SIEM system, because messages are not queued and retransmitted when connectivity is unavailable. Furthermore, to minimize the performance impact of log transmission, syslog is often sent over UDP, which provides no delivery guarantee at all.
Syslog over TLS is not supported
While transmitting syslog messages over TLS is possible (see https://datatracker.ietf.org/doc/html/rfc5425), this is not supported by the Bravura Security Fabric logging service, and support will not be added in the future.
Best practice solution
For on-premises deployments, Bravura Security recommends that log collection agents for SIEM systems be installed on Bravura Security Fabric application servers and proxy servers to securely and efficiently transmit this information over HTTPS. Log collection agents generally operate by tracking the position in the files and the Windows event logs that was last processed, and then transmitting content in bulk to the SIEM servers whenever connectivity exists.
Log collection agents can then be configured to transmit the information that is located in:
- The Bravura Security Fabric application log file directories: `<Program Files path>\Bravura Security\Bravura Security Fabric\Logs\<instance>\`
- The Windows Event Log audit event storage location: Applications and Services Logs > Bravura Security Fabric (or, in 12.7 or older, Applications and Services Logs > Hitachi > Hitachi ID Systems > Hitachi ID Suite). Errors are logged into the Admin folder; information and warnings are logged into the Operational folder.
The highest value and best quality messages to be processed include:
- The audit events in the Windows Event Log location. These cover a range of high-value actions that are of interest to security event systems.
- Performance messages in the Bravura Security Fabric application log files. These are well-structured messages identified at level "Perf" in the logs.
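As an added illustration of the agent behaviour described above (example code written for this page, not a Bravura Security agent or any vendor's collector), the Python shipper below keeps a byte-offset checkpoint beside the log file, reads complete lines in batches, hands each batch to a caller-supplied `send` callable (an HTTPS POST to the collector in a real deployment; here a stand-in that fails once to simulate a network outage), and advances the checkpoint only after the collector accepts the batch. The file names, checkpoint format and sample log lines are constructed for the demo and are not the Fabric's real log format.

```python
"""Checkpointed log shipper: no loss across outages, no duplicates on resume."""
import json
import os
import tempfile
from pathlib import Path
from typing import Callable, List

Sender = Callable[[List[str]], bool]   # returns True once the collector accepted the batch


class CheckpointedTailer:
    """Tails one log file, resuming from the byte offset stored in a checkpoint file."""

    def __init__(self, log_path: Path, checkpoint_path: Path, batch_size: int = 100):
        self.log_path = log_path
        self.checkpoint_path = checkpoint_path
        self.batch_size = batch_size
        self.offset = self._load_checkpoint()

    def _load_checkpoint(self) -> int:
        try:
            return int(json.loads(self.checkpoint_path.read_text()).get("offset", 0))
        except (FileNotFoundError, ValueError):
            return 0                       # first run, or unreadable checkpoint: start at 0

    def _save_checkpoint(self, offset: int) -> None:
        tmp = self.checkpoint_path.with_suffix(".tmp")
        tmp.write_text(json.dumps({"offset": offset}))
        os.replace(tmp, self.checkpoint_path)   # atomic rename so a crash never leaves a half-written file

    def ship(self, send: Sender) -> int:
        """Ship complete lines after the checkpoint in batches; return lines delivered.
        The checkpoint only moves forward when send() reports success, so an outage
        means the same lines are re-read on the next run instead of being lost."""
        delivered = 0
        with self.log_path.open("rb") as fh:
            if fh.seek(0, os.SEEK_END) < self.offset:
                self.offset = 0            # file was rotated or truncated: start over
            fh.seek(self.offset)
            while True:
                batch, batch_end = [], fh.tell()
                for _ in range(self.batch_size):
                    line = fh.readline()
                    if not line.endswith(b"\n"):
                        break              # EOF or a partially written line: pick it up next run
                    batch.append(line.decode("utf-8", errors="replace").rstrip("\r\n"))
                    batch_end = fh.tell()
                if not batch or not send(batch):
                    return delivered       # nothing left, or collector unreachable (offset unchanged)
                self.offset = batch_end
                self._save_checkpoint(batch_end)
                delivered += len(batch)


def run_demo() -> dict:
    """Constructed scenario: a 3-line log, a collector that rejects the second request,
    a fresh tailer resuming from the checkpoint, then an append with a partial last line."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "instance.log"           # stand-in for a file under Logs\<instance>\
        ckpt = Path(d) / "shipper-checkpoint.json"
        log.write_bytes(b"Perf: request 1\nPerf: request 2\nPerf: request 3\n")
        received, calls = [], []

        def flaky_collector(batch: List[str]) -> bool:   # stands in for the HTTPS POST
            calls.append(len(batch))
            if len(calls) == 2:
                return False                     # simulated outage on the second request
            received.extend(batch)
            return True

        first = CheckpointedTailer(log, ckpt, batch_size=2).ship(flaky_collector)
        second = CheckpointedTailer(log, ckpt, batch_size=2).ship(flaky_collector)
        with log.open("ab") as fh:
            fh.write(b"Perf: request 4\nPerf: request 5")   # last line not yet terminated
        third = CheckpointedTailer(log, ckpt, batch_size=2).ship(flaky_collector)
        return {"delivered": [first, second, third], "received": received,
                "calls": calls, "offset": json.loads(ckpt.read_text())["offset"]}


if __name__ == "__main__":
    print(run_demo())
```

In the demo the first run delivers two lines and is stopped by the simulated outage, the second run picks up exactly the line that was rejected, and the third run ships only the newly appended complete line, leaving the unterminated one for later. Contrast this with UDP syslog, where the rejected batch would simply have been gone.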
Windows audit event reference
| Event ID | Symbolic ID | Description |
|---|---|---|
1 | AUTH_CHAIN_FAILURE | User failed to authenticate |
2 | AUTH_CHAIN_SUCCESS | User successfully authenticated |
3 | USER_LOGIN_LOCKOUT | User lockout is triggered |
4 | DB_COMMIT_SUSPEND | Database commits suspended, replication queue full |
5 | DB_COMMIT_RESUME | Database commits resuming |
6 | DB_REPLICATION_CONN_FAILURE | Connectivity to replica database lost |
7 | DB_REPLICATION_CONN_RESTORED | Connectivity to replica database restored |
8 | DB_REPLICATION_TRANS_FAILURE | Failed to replicate database transaction |
9 | DB_QUEUE_INSERT_FAILURE | Failed to insert data into database replication queue |
10 | DB_FAILED_PROC_RECORDED | Failed to run stored procedure on replica server |
11 | PAMSA_ORCHESTRATION_START_FAILURE | Subscriber orchestration failed to start |
12 | PAMSA_ORCHESTRATION_END_FAILURE | Subscriber orchestration completed with failures |
13 | UPDATE_RESOURCE_FAILURE | Failed to update subscriber password |
14 | GSET_CHECKIN_FAILURE | Failed to check-in managed group set |
15 | GSET_CHECKIN_PARTIAL | Failed to fully check-in managed group set, some memberships were not revoked |
16 | GSET_CHECKIN_SUCCESS | Managed group set successfully checked in |
17 | GSET_CHECKOUT_SUCCESS | Managed group set successfully checked out |
18 | GSET_CHECKOUT_FAILURE | Failed to check out managed group set |
19 | GSET_CHECKOUT_PARTIAL | Managed group set partially checked out, some memberships were not granted |
20 | PWD_CHECKOUT_SUCCESS | Managed account password successfully checked out |
21 | PWD_CHECKOUT_FAILURE | Failed to check-out managed account password |
22 | PWD_CHECKIN_SUCCESS | Managed account password successfully checked in |
23 | PWD_CHECKIN_FAILURE | Failed to check-in managed account password |
24 | WSTN_VIEW_PASSWORD_SUCCESS | Managed account password viewed |
25 | WSTN_VIEW_PASSWORD_FAILURE | Failed to view managed account password |
26 | WSTN_VIEW_PASSWORD_HIS_SUCCESS | Historical managed account password viewed |
27 | WSTN_VIEW_PASSWORD_HIS_FAILURE | Failed to view historical managed account password |
28 | ADMIN_ENABLE_ADMIN | Administrative profile enabled |
29 | ADMIN_ENABLE_USER | User profile enabled |
30 | ADMIN_DISABLE_ADMIN | Administrative profile disabled |
31 | ADMIN_DISABLE_USER | User profile disabled |
32 | ADMIN_UNLOCK_ADMIN | Administrative profile unlocked |
33 | ADMIN_UNLOCK_USER | User profile unlocked |
34 | SMON_SESSION_START | Privileged access session recording started |
35 | SMON_SESSION_END | Privileged access session recording ended |
36 | SMON_ADMIN_SESS_TERM_REQ | Privileged access session termination requested by administrator |
37 | PSUPDATE_START | Nightly discovery process started |
38 | PSUPDATE_FINISH | Nightly discovery process finished |
39 | IDAPI_LOGIN_SUCCESS | API login succeeded |
40 | IDAPI_LOGIN_FAILURE | API login failure |
41 | MAQ_CHECKIN_FAILURE | Failed to check in system and account query based access |
42 | MAQ_CHECKIN_SUCCESS | Succeeded in checking in system and account query based access |
43 | MAQ_CHECKOUT_FAILURE | Failed to check out system and account query based access |
44 | MAQ_CHECKOUT_SUCCESS | Succeeded in checking out system and account query based access |
45 | TARGET_DEPLOYMENT_FAILURE | Target deployment finished with a failure. |
46 | TARGET_DEPLOYMENT_SUCCESS | Successfully finished target deployment. |
47 | OPERATION_IMPORT_TARGET | Successfully imported a single target. |
48 | WSTN_ADD_WSTN_SUCCESS | Successfully finished target deployment. |
49 | WSTN_ADD_WSTN_FAILURE | Target deployment finished with a failure. |
50 | IDWFM_EVENT_ABORT | Workflow manager aborted event processing. |
51 | IDWFM_EVENT_FAILURE | Workflow manager failed to process event. |
52 | USER_QA_ADD_SUCCESS | Security question successfully added. |
53 | USER_QA_ADD_FAILURE | Failed to add security question. |
54 | USER_QA_UPDATE_SUCCESS | Security question successfully updated. |
55 | USER_QA_UPDATE_FAILURE | Failed to update security question. |
56 | USER_QA_DELETE_SUCCESS | Security question successfully deleted. |
57 | ADMIN_QA_ADD_SUCCESS | Security question successfully added. |
58 | ADMIN_QA_ADD_FAILURE | Failed to add security question. |
59 | ADMIN_QA_UPDATE_SUCCESS | Security question successfully updated. |
60 | ADMIN_QA_UPDATE_FAILURE | Failed to update security question. |
61 | ADMIN_QA_DELETE_SUCCESS | Security question successfully deleted. |
62 | USER_PW_RESET_START | Self-service password reset started. |
63 | USER_PW_RESET_SUCCESS | Self-service password reset successful. |
64 | USER_PW_RESET_FAILURE | Self-service password reset failed. |
65 | ADMIN_PW_RESET_START | Help-desk assisted password reset started. |
66 | ADMIN_PW_RESET_SUCCESS | Help-desk assisted password reset successful. |
67 | ADMIN_PW_RESET_FAILURE | Help-desk assisted password reset failed. |
68 | USER_ACCT_UNLOCK_START | Self-service account unlock started. |
69 | USER_ACCT_UNLOCK_SUCCESS | Self-service account unlock successful. |
70 | USER_ACCT_UNLOCK_FAILURE | Self-service account unlock failed. |
71 | ADMIN_ACCT_UNLOCK_START | Help-desk assisted account unlock started. |
72 | ADMIN_ACCT_UNLOCK_SUCCESS | Help-desk assisted account unlock successful. |
73 | ADMIN_ACCT_UNLOCK_FAILURE | Help-desk assisted password reset failed. |
74 | DB_REPLICATION_WATERMARK_WARN | Database replication watermark hit. |
75 | USER_ALIAS_ALREADY_CLAIMED | User attempted to claim alias that is already claimed. |
76 | ADMIN_ALIAS_ALREADY_CLAIMED | Admin attempted to assign alias that is already claimed. |
77 | CONNECTOR_TIMEOUT | Connector timed out while performing operation. |
78 | FILE_REPLICATION_FAILURE | Error occurred during file replication to remote nodes. |
79 | IDPM_GROUP_SUCCESS | All passwords successfully synchronized. |
80 | IDPM_GROUP_FAILURE | One or more passwords failed to be synchronized. |
81 | WF_REQUEST_BATCH_APPROVED | Workflow request has been approved. |
82 | WF_REQUEST_BATCH_REJECTED | Workflow request has been rejected. |
83 | WF_REQUEST_BATCH_CANCELED | Workflow request has been canceled. |
84 | WF_REQUEST_BATCH_REVOKED | Workflow request has been revoked. |
85 | WF_REQUEST_BATCH_PROCESSED | Workflow request has been processed. |
86 | DID_REGISTER_SUCCESS | Successfully registered Digital ID. |
87 | DID_REGISTER_FAILURE | Failed to register Digital ID. |
88 | DID_UPDATE_SUCCESS | Successfully updated Digital ID. |
89 | DID_SEND_SUCCESS | Digital ID successfully downloaded. |
90 | USER_IDENTIFY_SUCCESS | User successfully identified |
91 | USER_IDENTIFY_FAILURE | Failed to identify user. |
92 | USER_LOGIN_SUCCESS | User successfully logged in. |
93 | USER_LOGIN_FAILURE | User failed to log in. |
94 | FEDIDP_IDENTIFY_SUCCESS | Federated authn request successfully parsed. |
95 | FEDIDP_IDENTIFY_FAILURE | Federated authn request failed to be parsed. |
96 | FEDIDP_AUTH_SUCCESS | Federated assertion successfully generated. |
97 | FEDIDP_AUTH_FAILURE | Federated assertion failed to be generated. |
98 | DB_STORED_PROC_FAILURE | Failed to execute stored procedure. |
99 | ADMIN_CRED_FAILURE | Target creation failure: Could not establish credentials. |
100 | ADMIN_CRED_SUCCESS | Target creation successful: Credentials set successfully. |
101 | FEDIDP_SSO_SESSION_CREATE | New federated SSO session created. |
102 | FEDIDP_SSO_SESSION_DESTROY | Federated SSO session terminated. |
103 | PAM_CHECKOUT_SUCCESS | Generic access check-out successful. |
104 | PAM_CHECKOUT_PARTIAL | Generic access check-out partially successful. |
105 | PAM_CHECKOUT_FAILURE | Generic access check-out failed. |
106 | PAM_CHECKIN_SUCCESS | Generic access check-in successful. |
107 | PAM_CHECKIN_PARTIAL | Generic access check-in partially successful. |
108 | PAM_CHECKIN_FAILURE | Generic access check-in failed. |
109 | PAM_CHECKOUT_EXPIRY | Generic access check-out expired. |
110 | PAM_CHECKOUT_LIMIT_REACHED | Generic access check-out cannot be performed because it would exceed the check-out limit of one of its targets. |
111 | PAM_CHECKOUT_OPERATION_SUCCESS | An operation run as part of a generic access check-out succeeded. |
112 | PAM_CHECKOUT_OPERATION_FAILURE | An operation run as part of a generic access check-out failed. |
113 | PAM_CHECKIN_OPERATION_SUCCESS | An operation run as part of a generic access check-in succeeded. |
114 | PAM_CHECKIN_OPERATION_FAILURE | An operation run as part of a generic access check-in failed. |
115 | FEDSP_SAMLAUTH_ASR_FAILURE | Failed to validate a SAML assertion. |
116 | FEDSP_SAMLAUTH_ASR_SUCCESS | Successfully validated a SAML assertion. |
117 | FEDSP_SAMLAUTH_ISSUED | Issued SAML AuthNRequest. |
118 | DB_REPLICATION_QUEUE_DELAY_PAST_THRESHOLD | Database replication queue delay exceeded configured threshold. |
119 | CRITICAL_FAILURE | A critical failure was detected. |
120 | USER_HDD_RECOVERY_FAILURE | Self-service encrypted drive recovery failure. |
121 | USER_MOBILE_DEVICE_REGISTRATION | Self-service mobile device registration. |
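Once the audit events reach the SIEM, the event IDs above are what correlation rules key on. As an added example (written for this page, not taken from Bravura Security documentation), the Python below runs a few such rules over a constructed event stream: a burst of AUTH_CHAIN_FAILURE (ID 1) for one user inside a time window, a USER_LOGIN_LOCKOUT (ID 3), a PWD_CHECKOUT_SUCCESS (ID 20) with no matching PWD_CHECKIN_SUCCESS (ID 22) past an age threshold, and a DB_COMMIT_SUSPEND (ID 4) with no later DB_COMMIT_RESUME (ID 5). The record fields (`ts`, `id`, `user`, `account`), the thresholds and the sample events are assumptions made for the demo; only the event IDs and symbolic names come from the reference table, and the real Event Log records carry their own schema.

```python
"""Correlation rules over Bravura Security Fabric audit event IDs (constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

# Event IDs from the Windows audit event reference table
AUTH_CHAIN_FAILURE, USER_LOGIN_LOCKOUT = 1, 3
DB_COMMIT_SUSPEND, DB_COMMIT_RESUME = 4, 5
PWD_CHECKOUT_SUCCESS, PWD_CHECKIN_SUCCESS = 20, 22


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since epoch (assumed field name)
    id: int            # Windows Event ID
    user: str = ""     # assumed field name
    account: str = ""  # managed account for check-out/check-in events (assumed field name)


def detect(events: List[Event], fail_threshold: int = 5, fail_window: int = 300,
           checkout_max_age: int = 3600, now: Optional[int] = None) -> List[str]:
    """Return human-readable alerts; stateful across the whole stream, oldest event first."""
    events = sorted(events, key=lambda e: e.ts)
    now = now if now is not None else (events[-1].ts if events else 0)
    alerts: List[str] = []
    failures: Dict[str, Deque[int]] = defaultdict(deque)   # user -> recent failure timestamps
    fired = set()                                          # users already alerted on
    open_checkouts: Dict[Tuple[str, str], int] = {}        # (user, account) -> check-out time
    suspended_since: Optional[int] = None

    for e in events:
        if e.id == AUTH_CHAIN_FAILURE:
            q = failures[e.user]
            q.append(e.ts)
            while q and e.ts - q[0] > fail_window:       # slide the window
                q.popleft()
            if len(q) >= fail_threshold and e.user not in fired:
                fired.add(e.user)
                alerts.append(f"auth-failure-burst user={e.user} count={len(q)}")
        elif e.id == USER_LOGIN_LOCKOUT:
            alerts.append(f"lockout user={e.user}")
        elif e.id == PWD_CHECKOUT_SUCCESS:
            open_checkouts[(e.user, e.account)] = e.ts
        elif e.id == PWD_CHECKIN_SUCCESS:
            open_checkouts.pop((e.user, e.account), None)  # check-in closes the check-out
        elif e.id == DB_COMMIT_SUSPEND:
            suspended_since = e.ts
        elif e.id == DB_COMMIT_RESUME:
            suspended_since = None                       # resume clears the condition

    for (user, account), ts in open_checkouts.items():   # check-outs never checked back in
        if now - ts > checkout_max_age:
            alerts.append(f"stale-checkout user={user} account={account} age={now - ts}")
    if suspended_since is not None:                      # availability condition still open
        alerts.append(f"db-commits-suspended since={suspended_since}")
    return alerts


def sample_events() -> List[Event]:
    """Constructed stream: six failed logins then a lockout for alice, a check-out bob
    never returns, a check-out carol returns, and a commit suspension with no resume."""
    ev = [Event(t, AUTH_CHAIN_FAILURE, user="alice") for t in range(0, 300, 50)]
    ev.append(Event(300, USER_LOGIN_LOCKOUT, user="alice"))
    ev.append(Event(100, PWD_CHECKOUT_SUCCESS, user="bob", account="svc-backup"))
    ev.append(Event(150, PWD_CHECKOUT_SUCCESS, user="carol", account="svc-db"))
    ev.append(Event(400, PWD_CHECKIN_SUCCESS, user="carol", account="svc-db"))
    ev.append(Event(5000, DB_COMMIT_SUSPEND))
    return ev


def run_demo() -> List[str]:
    return detect(sample_events())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The stale-check-out rule is the one worth tuning per environment: the Fabric records check-in and check-out as separate events, so the SIEM has to keep the pairing state itself, and a check-out with no check-in is only meaningful relative to the check-out lifetime configured for that account set.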