Reference Guide

ManualsBrandsDell ManualsConverged InfrastructureData Guardian

131

132

133

134

135

136

137

138

139

140

Navigate the Dell Server

116

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 5540 is reserved for raw input

(SSL)

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 5540 will negotiate new-s2s

protocol

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2

splunk

07-10-2017 16:27:02.653 -0500 INFO TcpInputConfig - IPv4 port 9997 will negotiate new-s2s

protocol

07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5540

with SSL

07-10-2017 16:27:02.653 -0500 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 5541

with Non-SSL

07-10-2017 16:27:02.654 -0500 INFO TcpInputProc - Creating fwd data Acceptor for IPv4 port

9997 with Non-SSL

3. Configure the Dell Server to communicate with the Splunk server and export audit events.

Use the keytool command to add the Splunk server's root certificate (cacert.pem) to the Dell

Server operating system Java keystore. The certificate is added to the operating system Java

keystore and not to the Dell Server application Java keystore.

keytool -keystore <keystore_location> -alias <alias-name> -importcert -file

<certificate_file>

Add the Splunk server's root certificate (cacert.pem) to the Java keystore, which in Windows is

usually located at: C:\Program Files\Dell\Java Runtime\jre1.8\lib\security\cacerts

4. Modify the Dell Server database to change the SSL value from false to true:

In the database, navigate to the information table, SIEM-specific support configuration.

Change the "SSL":"false" value to "SSL":"true" – for example:

{"eventsExport":{"exportToLocalFile":{"enabled":"false","fileLocation":"./logs/siem/audit-

export.log"},"exportToSyslog":{"enabled":"true","protocol":"TCP","SSL":"true","host":"yourDellSe

rver.yourdomain.com","port":"5540"}}}

Advanced Threat Prevention Syslog Event Types

Following are event types that are supported with the Syslog/SIEM Advanced Threats option

Application Control

This option is visible when the Application Control feature is enabled. Application Control events represent

actions occurring when the device is in Application Control mode. Selecting this option sends a message to the

Syslog server whenever an attempt is made to modify or copy an executable file, or when an attempt is made

to execute a file from an external device or network location.

Example Message for Deny PE File Change: