IBM Security Guardium

  • 1.  Guardium Splunk SIEM Integration

    Posted Wed January 11, 2023 09:04 AM
    Dear Seniors,

    We have to configure Guardium with Splunk SIEM in order to send real-time logs. Initially, we want to send failed and SQL error logs caused by users; the columns should include DB UserName, Server IP, Client IP, DB User Name, Database Error Text, Exception Type Description, Database Name, Source Program, OS User and Service Name to the Splunk SIEM.

    We have the following configured in the Global Profile Template; however, it is not sending the above-mentioned columns from Guardium to Splunk SIEM. Could anyone please guide me on how I can achieve this? Thanks much for your kind support, and your guidance will be appreciated very much!

    This is what we are receiving as of now on Splunk SIEM.


    ------------------------------
    Sincerely,
    Sky Christi
    ------------------------------


  • 2.  RE: Guardium Splunk SIEM Integration

    IBM Champion
    Posted Wed January 11, 2023 10:57 AM
    Hi @Akash Parmar,

    Assuming your policy rule is configured to use the default template, the best way to determine what Guardium is sending is to look at the messages log on the Collector. If the parameters you want are in the messages log, which they should be, given that the parameters you want are included in the default template, then it is likely that Splunk isn't parsing it properly and you need to work with your Splunk team to parse the log.

    To note, there are other named templates out of the box that your Splunk team may prefer you use instead. It's been my experience that Splunk prefers the ArcSight one, which uses CEF format.




    ------------------------------
    Wendy
    Converge Technology Solutions
    Formerly Information Insights
    ------------------------------



  • 3.  RE: Guardium Splunk SIEM Integration

    IBM Champion
    Posted Thu January 19, 2023 09:57 AM
    Hi Akash,

    I would consider creating a custom logging template. There are a lot of fields that are not included in the default template, as well as in the other example templates that come with Guardium. Check out this doc, where you can choose the variables that apply to the type of database you are monitoring with your security policy. There are variables that only apply to certain types of databases (distributed vs. mainframe-type monitoring).

    https://www.ibm.com/docs/en/guardium/11.5?topic=profile-alert-message-template

    In addition, I'd get with your Splunk team to get the logs you are sending parsed and indexed consistently. They will appreciate a template that provides key/value pairs. As an example, something like this would be helpful. You can substitute other delimiters as well.

    rule_description="%%ruleDescription", client_ip="%%clientIP", server_ip="%%serverIP", db_user="%%DBUser", source_program="%%SourceProgram", database_name="%%DBName", sql_verb="%%Verb", object="%%Object", object_type="%%objectType"

    Good luck!



    ------------------------------
    Patrick OBrien
    ------------------------------
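    Added example (not from the thread or from IBM): a small parser for the kind of key="value" line the custom template above would produce, showing why quoted values matter once free text such as a database error message is included. The syslog prefix, field names and sample values are constructed assumptions, not Guardium output.

```python
import re
from typing import Dict, List

# Constructed sample: what a collector might emit to syslog when the policy rule
# uses a custom key="value" alert template. The prefix and all values are assumed.
SAMPLE_LINE = (
    '<13>Jan 19 11:19:01 guardcollector01 guardium: '
    'rule_description="Failed login - Alert", client_ip="10.0.5.21", '
    'server_ip="10.0.7.8", db_user="appuser", source_program="sqlplus", '
    'database_name="ORCL", sql_verb="SELECT", object="CUSTOMERS", '
    'object_type="TABLE", '
    'error_text="ORA-00942: table or view does not exist, see \\"docs\\""'
)

# Matches key="value" pairs. The value may contain commas, '=' and \" escapes,
# which is why a naive split on ',' is unsafe for error text and SQL fragments.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Fields the original question asked to see in Splunk (hypothetical template keys).
REQUIRED = ("client_ip", "server_ip", "db_user", "database_name", "error_text")


def parse_kv_event(line: str) -> Dict[str, str]:
    """Return the key/value fields from one syslog line, unescaping \" in values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw.replace('\\"', '"')
    return fields


def missing_fields(event: Dict[str, str]) -> List[str]:
    """List required fields that are absent or empty, so a gap in the template
    is caught on the collector side rather than discovered in the SIEM index."""
    return [k for k in REQUIRED if not event.get(k)]


if __name__ == "__main__":
    parsed = parse_kv_event(SAMPLE_LINE)
    for k, v in parsed.items():
        print(f"{k} = {v}")
    print("missing:", missing_fields(parsed))
```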



  • 4.  RE: Guardium Splunk SIEM Integration

    Posted Thu January 19, 2023 11:19 AM

    Hello Patrick, hope all is well.

    Thank you for your support. Appreciate it. I will try your suggestions.



    ------------------------------
    Akash Parmar
    ------------------------------