How to integrate ADAudit Plus with SIEM solutions

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to integrate ADAudit Plus with security information and event management (SIEM) solutions. This integration allows real-time event forwarding, enhanced security monitoring, and streamlined compliance reporting.

Prerequisites  

  • Have a SIEM solution (e.g., Splunk, ArcSight, or LogRhythm) or a Syslog server.

  • Ensure network connectivity between ADAudit Plus and the SIEM solution.

  • Ensure Syslog or SIEM servers are reachable from ADAudit Plus.

  • Verify that the required protocol (e.g., UDP, TCP, or HTTP) and ports are open between ADAudit Plus and the receiving server.

Steps to follow

Step 1: Enabling SIEM integration in ADAudit Plus  

  1. Log in to the ADAudit Plus web console.

  2. Navigate to Admin > Configuration > SIEM Integration.

  3. Click Enable SIEM Integration.

  4. Select the SIEM solution type from the drop-down menu (Syslog, Splunk, ArcSight, or LogRhythm).

  5. Click Save & Proceed.

Step 2: Configuring Syslog forwarding  

  1. Choose Syslog as the integration type.

  2. Enter the Syslog server hostname or IP address.

  3. Specify the port number (default: UDP 514) and protocol (UDP or TCP).

  4. Select the Syslog format (RFC 3164 or RFC 5424).

  5. Choose the log categories to forward.

  6. Click Save Configuration.

Step 3: Configuring Splunk HTTP Event Collector forwarding  

  1. In Splunk, go to Settings > Data Inputs > HTTP Event Collector.

  2. Click New Token, provide a descriptive name (e.g., ADAuditPlus), and save the configuration.

  3. Copy the generated authentication token.

  4. Under Global Settings, enable All Tokens.

  5. In ADAudit Plus, select Splunk as the integration type.

  6. Enter the Splunk server hostname or IP address.

  7. Specify the port number (default: 8088) and protocol (HTTP or HTTPS).

  8. Paste the HTTP Event Collector token generated in Splunk.

  9. Choose the log categories to forward.

  10. Click Save Configuration.

Step 4: Configuring ArcSight forwarding  

  1. Select ArcSight as the integration type.

  2. Enter the ArcSight server hostname or IP address.

  3. Specify the collector port number.

  4. Choose the Common Event Format (CEF) for data transfer.

  5. Select the log categories to forward.

  6. Click Save Configuration.

Step 5: Configuring LogRhythm Syslog forwarding  

ADAudit Plus does not offer a dedicated option for LogRhythm syslog forwarding. However, if the LogRhythm server can receive data in standard syslog format, it can be configured under the Syslog / SIEM section.

  1. Choose Syslog / SIEM as the integration type.

  2. Enter the LogRhythm Syslog receiver address.

  3. Specify the port number and protocol (UDP or TCP).

  4. Select the log categories to forward.

  5. Click Save Configuration.

Key mappings for SIEM integration  

ADAudit Plus forwards each event as a set of keyed fields that SIEM solutions use to categorize and analyze events. The key mappings for the different integrations are listed below:

Syslog key mappings  

Syslog key          ADAudit Plus field
------------------  ---------------------
EVENT_NUMBER        Event Number
RECORD_NUMBER       Record Number
UNIQUE_ID           Unique ID
REPORT_PROFILE      Report Profile Name
ALERT_PROFILE       Alert Profile Name
SEVERITY            Severity
TIME_GENERATED      Event Time
USERNAME            User Name
ACCOUNT_DOMAIN      Account Domain
CLIENT_IP_ADDRESS   User Machine IP

ArcSight CEF key mappings  

CEF key         ADAudit Plus column
--------------  ---------------------
cat             ADAudit Plus Category
cn1             Event Number
cn2             Record Number
cn3             Unique ID
cs1             Report Profile Name
cs4             Alert Profile Name
cs3             Event Source
cs5             Severity
rt              Event Time
type            Event Type
reason          Event Remarks
msg             Message String
fileName        File Name
fileLocation    File Location
suser           User Name
sntdom          Domain Name
shost           User Machine Name
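
The following is an added example (not code from ADAudit Plus or ArcSight) of how a SIEM-side parser can turn one CEF line into the ADAudit Plus column names from the table above; it handles the standard CEF header and extension escaping, and the sample event is constructed, not captured from a real server.

```python
# Added example (not ADAudit Plus or ArcSight code): parse one CEF line into
# the ADAudit Plus column names from the mapping table above.
import re

# CEF extension key -> ADAudit Plus column, exactly as listed in the table above.
CEF_TO_ADAUDIT = {
    "cat": "ADAudit Plus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "Report Profile Name", "cs4": "Alert Profile Name",
    "cs3": "Event Source", "cs5": "Severity", "rt": "Event Time", "type": "Event Type",
    "reason": "Event Remarks", "msg": "Message String", "fileName": "File Name",
    "fileLocation": "File Location", "suser": "User Name", "sntdom": "Domain Name",
    "shost": "User Machine Name",
}
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# Seven pipe-delimited header fields; "\|" and "\\" inside a field are escapes.
_HEADER_RE = re.compile(r"^" + r"((?:\\.|[^|\\])*)\|" * 7)
# Extension keys are word characters followed by an unescaped "=".
_KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def _unescape(text):
    # Undo CEF escaping: "\=", "\|", "\\" become literal; "\n" and "\r" become newlines.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)

def _parse_extension(ext):
    """Split 'k1=v1 k2=v2 ...'; values may contain spaces, so cut at the next key."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m[1]] = _unescape(ext[m.end():end].strip())
    return out

def parse_adaudit_cef(line):
    """Return header fields, mapped ADAudit Plus columns, and any unmapped keys."""
    m = _HEADER_RE.match(line.strip())
    if not m or not m[1].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (_unescape(g) for g in m.groups())))
    raw = _parse_extension(line.strip()[m.end():])
    mapped = {CEF_TO_ADAUDIT[k]: v for k, v in raw.items() if k in CEF_TO_ADAUDIT}
    unmapped = {k: v for k, v in raw.items() if k not in CEF_TO_ADAUDIT}
    return {"header": header, "fields": mapped, "unmapped": unmapped}

# Constructed sample line; values are illustrative, not captured from a real server.
SAMPLE = ("CEF:0|ManageEngine|ADAudit Plus|1.0|1001|Account Lockout|7|"
          "cat=User Management cn1=1001 cn2=55 suser=jdoe sntdom=CORP shost=WS-17 "
          "reason=Bad password count exceeded rt=1700000000000 "
          "fileName=q1\\=final.xlsx msg=Account locked\\nsee event details")
```

Keys that are not in the table are kept under "unmapped" so that a new field added by a product update is visible rather than silently dropped.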

Validation and confirmation  

  • Verify events from ADAudit Plus appear in the SIEM solution.

  • Check that log forwarding is occurring in real time.

  • Review error logs for any misconfigurations.

Tips

  • Use TCP instead of UDP for reliable event delivery.

  • Enable filtering to forward only necessary audit categories.

  • Regularly test log forwarding to prevent data loss.

  • Maintain documentation of SIEM integration settings for compliance.

Related Topics and Articles  

  • How to configure ticketing system integration in ADAudit Plus
