LogRhythm
Fortra VM integrates with LogRhythm SIEM to provide additional vulnerability assessment data, allowing for more informed detection and response actions to neutralize cyberthreats. Contextual Fortra VM asset and vulnerability data enriches the entire LogRhythm XDR stack, including AnalytiX, DetectX and RespondX.
Requirements
From LogRhythm Installation:
- Enabled Syslog Server
- MPE Rule and MPE Policy Options
- LogRhythm Third Party Application API Token
From Fortra VM:
- API Key
- Fortra VM Integration Application
- Fortra VM Connector Console

Enable Syslog Server
- From the System Monitors tab, choose Deployment Manager.
- Double-click the agent that will receive the custom DDI Common Event Format (CEF) syslogs, or open the agent's properties window by right-clicking the agent and selecting Properties.
- Select the Syslog and Flow Settings tab.
- Select the Enable Syslog Server check box on the top left.
- Add the Syslog Relay host (IP address of the host / agent sending the custom DDI CEF syslogs).
- Click OK.

Log Source Types are used to classify logs and improve processing performance with rules for that type. Each Log Message Source is assigned a Log Source Type. Create a new Log Source Type for LogRhythm to ingest and classify DDI custom CEF syslogs.

Access the Log Source Type Manager and create a custom DDI Log Source Type.
- On the main toolbar, click Deployment Manager.
- On the Tools menu, click Knowledge, then select Log Source Type Manager.
- Add a Log Source Type by clicking the green plus icon on the top left.
- Complete the Name and Abbreviation fields.
- Select “Syslog” as the value for Log Format.
- Click OK and close the Log Source Type Manager.

Create New MPE Rule
- On the Tools menu, select Knowledge, and then choose MPE Rule Builder.
- Select the New icon, and then choose Yes to create a new rule.
- Within the “General” section, enter a Rule Name.
- Select the Common Event icon button to associate this new rule with a Common Event.
In the Common Event Manager, we suggest searching for “General Information” within the Text Filter and selecting “Operations: Information: General Information”.
- Select OK.
- Select the Rule Status you want, and write a brief description (optional).
Log Message Source Type Associations
Select the log message source type to associate with this MPE rule.
- Expand Custom Log Source Types.
- Select the custom DDI Log Source Type you've previously created.
Base-Rule Regular Expression
- Copy the regular expression provided by the Fortra Integration Team.
- Paste this regular expression in the Base-rule Regular Expression Window.
- Click the save icon on the upper left main toolbar to save the newly created MPE Rule.

Test this MPE rule with sample logs to ensure the log ingestion, parsing, and mapping are correct. Use the Test Center tab to test the provided regular expression on log samples.
Within the Test Center window:
- Right click and select “Import Log Messages Manually”.
- Within the Test Log Importer window, paste a sample log provided by the Fortra Integration team and select OK.
- Select “Test All” after importing the log messages manually.
- From the Rule Builder Test Results window, ensure the Total Logs Matching Rule percentage is 100% (all logs matched correctly). Also ensure that the LogRhythm fields from the sample log are all mapped correctly.

A policy is a collection of MPE Rules designed for a specific Log Source Type. When enabling MPE Processing, a policy must be selected, so create an MPE policy that allows the DDI Log Sources to be processed by the MPE.
Create MPE Policy
On the main toolbar, navigate to Deployment Manager and then select the Log Processing Policies tab.
- Click the New (plus) icon on the toolbar.
- Select Custom from the “Record Type Filter” window.
- Select the custom DDI Log Source Type created earlier, and select OK.
- Within the MPE Policy Editor window, Name the new policy.
- Select Apply.

A log source is a unique source of log data that is collected from a Host. A log source is needed to associate the custom DDI logs for LogRhythm to determine the origin of the log message.
Log Source Configuration
Configure the log source with the custom Log Source Type, MPE Rule, and MPE Policy.
In LogRhythm, go to Deployment Manager > Log Sources on the toolbar and select the log source specific to DDI log messages.
- Right click on the log source and select Properties to open the Log Message Source Properties window.
- Under Actions select Change Log Source Type to bring up the Log Source Type Selector window.
- Ensure the Collection Agent is the same agent sending the custom DDI logs.
- Select the custom DDI Log Source Type you created earlier as the Log Message Source Type.
- For Log Message Processing Engine (MPE) Policy, select the custom DDI MPE Policy you created.
- Select OK to save.

Create LogRhythm Third Party Application API Token
- Log into the Client Console as a Global Administrator.
- On the main toolbar, select Deployment Manager.
- Choose the Third Party Applications tab.
- Right-click the blank area of the grid, and then click New. The Third Party Application Properties dialog box appears.
- Type an Application Name (e.g. Fortra VM Integration) and Description. The Application Name must be unique.
- Select OK. The application is saved.
- Right-click the newly created application, and then choose Properties.
- Change the number of days for which you want the token to be valid (optional).
- Select Generate Token. The Credentials dialog box appears.
- Enter the password for the user, and then select OK. A Client ID, Client Secret, and token are generated for the application.
- Copy and save this token. You will need it later.

Fortra VM Integration Application
The Integration Application must be installed on a Windows or Linux host. Download the appropriate version of the Integration Application below.
Download Windows App
Download Linux App
This Integration Application routinely pulls host and vulnerability data from Fortra VM as configured in the Fortra VM Connector console and transforms the data into CEF log format to be consumed by the LogRhythm data collector.
Configuration
After unzipping the integration application on the selected host, navigate to its folder.
- Locate the config.ini file in the top level of the directory.
- Open the file with any text editor and change the following values:
  - logrhythm_url – Replace the text here with the URL for your LogRhythm instance. This is used in the integration to make API calls.
  - logrhythm_agent_ip – Replace the text here with the IP address of the System Monitor you wish to use. If there is a System Monitor on the host you are installing this application on, use the host IP address.
  - fvm_token – Replace the text here with the FVM API token you created earlier.
  - lr_token – Replace the text here with your LogRhythm third party application API token.
- Save the file.
- Run the Integration Application on the host by launching frontline_logrhythm_integration.exe.
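Because config.ini ends up holding two API tokens and the URL those tokens are sent to, it is worth checking the file before the first run. The script below is an added pre-flight check written for this guide, not part of the Integration Application or the page: it reads config.ini, confirms the four keys named above are present and no longer contain placeholder text, checks that logrhythm_url uses HTTPS and that logrhythm_agent_ip parses as an IP address, and on Linux refuses a file that other local users can read. The guide does not state the section name inside config.ini, so the check accepts any section (or none) and merges all of them; the placeholder detection is a heuristic on the words "replace", "<" and ">", and the two sample files it writes to a temporary directory are constructed for the demo.

```python
"""Pre-flight check for the integration's config.ini before running the
application. Added example; not the application's own code. Assumptions:
the key names come from the guide, the section name is unknown (any or none
is accepted), and placeholder detection is a heuristic."""
import configparser
import ipaddress
import os
import stat
import tempfile
from urllib.parse import urlparse

REQUIRED_KEYS = ("logrhythm_url", "logrhythm_agent_ip", "fvm_token", "lr_token")
PLACEHOLDER_MARKERS = ("replace", "<", ">")   # heuristic, not the real template text

# Constructed sample files for the demo (not the file shipped with the application).
GOOD_SAMPLE = """[integration]
logrhythm_url = https://logrhythm.example.internal
logrhythm_agent_ip = 10.20.30.40
fvm_token = example-fvm-token-0123456789abcdef
lr_token = example-lr-token-fedcba9876543210
"""
# No section header, plain http, an untouched placeholder, and lr_token missing.
BAD_SAMPLE = """logrhythm_url = http://logrhythm.example.internal
logrhythm_agent_ip = Replace the text here
fvm_token = example-fvm-token-0123456789abcdef
"""


def load_config(path):
    """Parse config.ini into one flat dict, tolerating a missing section header."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.MissingSectionHeaderError:
        parser.read_string("[integration]\n" + text)   # assumed dummy section
    merged = {}
    for section in parser.sections():
        merged.update(parser[section])
    return merged


def check_config(path):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    cfg = load_config(path)
    for key in REQUIRED_KEYS:
        value = cfg.get(key, "").strip()
        if not value:
            problems.append(f"{key}: missing or empty")
        elif any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
            problems.append(f"{key}: still looks like placeholder text")
    url = cfg.get("logrhythm_url", "").strip()
    if url and urlparse(url).scheme != "https":
        problems.append("logrhythm_url: API calls carry the token, use https://")
    agent_ip = cfg.get("logrhythm_agent_ip", "").strip()
    if agent_ip:
        try:
            ipaddress.ip_address(agent_ip)
        except ValueError:
            problems.append("logrhythm_agent_ip: not a valid IP address")
    if os.name == "posix":   # tokens are stored in clear text: owner-only access
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path}: mode {oct(mode)} lets other users read the tokens")
    return problems


def demo():
    """Write both constructed samples to a temp dir and check each one."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
            path = os.path.join(tmp, f"{name}.ini")
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(path, 0o600)   # what the real file's permissions should be
            results[name] = check_config(path)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

To use it on the real file, call `check_config("config.ini")` from the application's folder and fix every reported line before launching the application; the HTTPS and permission findings matter most, since the LogRhythm token is presented on every API call and the file is the only thing standing between a local user and both tokens.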

Fortra VM Connector Console
The Fortra VM Connector Console is where you configure the criteria for the data to be pulled into the integration. Access the appropriate Connector Console by selecting the Fortra VM instance for your account.
Log in with your Fortra VM account email and the API token created earlier.
The Connector Console dashboard displays the current status of the integration, when the integration will next pull data, and the host and asset criteria for the data to be pulled. These settings can be modified using the Edit button.
Following the successful run of the integration, data pulled from Fortra VM can be viewed in the LogRhythm platform and utilized in queries and workflows.