How to integrate ADAudit Plus with SIEM solutions?

Objective  

This article explains how to integrate ADAudit Plus with security information and event management (SIEM) solutions. This integration allows real-time event forwarding, enhanced security monitoring, and streamlined compliance reporting.

Prerequisites  

  • Have a SIEM solution (e.g., Splunk, ArcSight, or LogRhythm) or a Syslog server.

  • Ensure network connectivity between ADAudit Plus and the SIEM solution.

  • Ensure Syslog or SIEM servers are reachable from ADAudit Plus.

  • Verify that the correct protocol (e.g., UDP, TCP, or HTTP) and ports are open.

Steps to follow

Step 1: Enabling SIEM integration in ADAudit Plus  

  1. Log in to the ADAudit Plus web console.
  2. Navigate to Admin > Configuration > SIEM Integration.
  3. Click Enable SIEM Integration.

  4. Select the SIEM solution type from the drop-down menu (Syslog, Splunk, ArcSight, or LogRhythm).

  5. Click Save & Proceed.

Step 2: Configuring Syslog forwarding  

  1. Choose Syslog as the integration type.
  2. Enter the Syslog server hostname or IP address.
  3. Specify the port number (default: UDP 514) and protocol (UDP or TCP).

  4. Select the Syslog format (RFC 3164 or RFC 5424).

  5. Choose the log categories to forward.

  6. Click Save Configuration.

Step 3: Configuring Splunk HTTP Event Collector forwarding  

  1. In Splunk, go to Settings > Data Inputs > HTTP Event Collector.
  2. Click New Token, provide a descriptive name (e.g., ADAuditPlus), and save the configuration.
  3. Copy the generated authentication token.

  4. Under Global Settings, enable All Tokens.

  5. In ADAudit Plus, select Splunk as the integration type.

  6. Enter the Splunk server hostname or IP address.

  7. Specify the port number (default: 8088) and protocol (HTTP or HTTPS).

  8. Paste the HTTP Event Collector token generated in Splunk.

  9. Choose the log categories to forward.

  10. Click Save Configuration.
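Before pasting the token into ADAudit Plus, it is worth confirming that the HEC port and token work on their own. The following script is an added example, not part of this article or of the ADAudit Plus product: it POSTs one marker event to Splunk's HEC event endpoint and returns Splunk's JSON reply. The host, token and source name are placeholders you supply.

```python
import json
import ssl
import urllib.error
import urllib.request

def build_hec_request(host, port, token, event, use_https=True, source="adauditplus-hec-test"):
    """Return (url, headers, body) for one event POSTed to Splunk's HEC event endpoint."""
    scheme = "https" if use_https else "http"
    url = f"{scheme}://{host}:{port}/services/collector/event"
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    body = json.dumps({"event": event, "source": source, "sourcetype": "_json"}).encode()
    return url, headers, body

def send_test_event(host, port, token, use_https=True, verify_tls=True, timeout=10):
    """POST a marker event and return HEC's JSON reply: {"text": "Success", "code": 0}
    when port and token are right; a non-zero code (e.g. 4 "Invalid token") otherwise."""
    url, headers, body = build_hec_request(
        host, port, token, {"message": "ADAudit Plus HEC connectivity test"}, use_https)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only: a fresh HEC often runs on a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:  # HEC reports token problems as 4xx with a JSON body
        return json.loads(err.read() or b"{}")

if __name__ == "__main__":
    import sys
    # Usage: python hec_test.py <splunk-host> <token>  (assumes the default port 8088 over HTTPS)
    print(send_test_event(sys.argv[1], 8088, sys.argv[2]))
```

A reply with code 0 means the token and port are usable; afterwards the marker event can be found in Splunk by searching on the source name.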

Step 4: Configuring ArcSight forwarding  

  1. Select ArcSight as the integration type.
  2. Enter the ArcSight server hostname or IP address.
  3. Specify the collector port number.

  4. Choose the Common Event Format (CEF) for data transfer.

  5. Select the log categories to forward.

  6. Click Save Configuration.

Step 5: Configuring LogRhythm Syslog forwarding  

The system does not offer a dedicated option specifically for configuring LogRhythm syslog forwarding. However, if the LogRhythm server is capable of receiving data in standard syslog format, it can be configured under the Syslogs / SIEM section.

  1. Choose Syslog / SIEM as the integration type.
  2. Enter the LogRhythm Syslog receiver address.

  3. Specify the port number and protocol (UDP or TCP).

  4. Select the log categories to forward.

  5. Click Save Configuration.

Key mappings for SIEM integration  

Each forwarded event carries a set of keys that SIEM solutions use to categorize and analyze it. The tables below show which ADAudit Plus field each key holds for the Syslog and ArcSight CEF integrations:

Syslog key mappings  

Syslog key           ADAudit Plus field
EVENT_NUMBER         Event Number
RECORD_NUMBER        Record Number
UNIQUE_ID            Unique ID
REPORT_PROFILE       Report Profile Name
ALERT_PROFILE        Alert Profile Name
SEVERITY             Severity
TIME_GENERATED       Event Time
USERNAME             User Name
ACCOUNT_DOMAIN       Account Domain
CLIENT_IP_ADDRESS    User Machine IP

ArcSight CEF key mappings  

CEF key          ADAudit Plus column
cat              ADAudit Plus Category
cn1              Event Number
cn2              Record Number
cn3              Unique ID
cs1              Report Profile Name
cs4              Alert Profile Name
cs3              Event Source
cs5              Severity
rt               Event Time
type             Event Type
reason           Event Remarks
msg              Message String
fileName         File Name
fileLocation     File Location
suser            User Name
sntdom           Domain Name
shost            User Machine Name
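To see how the CEF key mappings are applied on the receiving side, here is an added example (not code from this article or from ADAudit Plus) that parses one CEF line, handles the CEF escaping rules for pipes, equals signs and line breaks, and renames the extension keys to the ADAudit Plus columns from the table above. The sample event is constructed: its vendor, product and signature values are placeholders, not the header ADAudit Plus actually emits.

```python
import re
from datetime import datetime, timezone
# CEF extension key -> ADAudit Plus column, exactly as in the mapping table above.
CEF_TO_ADAP = {
    "cat": "ADAudit Plus Category", "cn1": "Event Number", "cn2": "Record Number",
    "cn3": "Unique ID", "cs1": "Report Profile Name", "cs4": "Alert Profile Name",
    "cs3": "Event Source", "cs5": "Severity", "rt": "Event Time", "type": "Event Type",
    "reason": "Event Remarks", "msg": "Message String", "fileName": "File Name",
    "fileLocation": "File Location", "suser": "User Name", "sntdom": "Domain Name",
    "shost": "User Machine Name",
}
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

def _unescape(value):
    # CEF escapes: '\|' in the header, '\=' and '\\' in extensions, '\n' / '\r' for line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def split_cef_header(line):
    """Split the seven pipe-delimited header fields; an escaped '\\|' does not split."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    return header, parts[7]

def parse_extension(ext):
    """Parse 'k=v k2=v2 ...'; values may contain spaces, so split only before 'key='."""
    pairs = re.split(r"\s+(?=[A-Za-z0-9_]+=)", ext.strip())
    return {k: _unescape(v) for k, _, v in (p.partition("=") for p in pairs if "=" in p)}

def cef_to_adap(line):
    """Return (header, ADAudit Plus columns, unmapped extension keys) for one CEF event."""
    header, ext = split_cef_header(line)
    kv = parse_extension(ext)
    columns = {CEF_TO_ADAP[k]: v for k, v in kv.items() if k in CEF_TO_ADAP}
    unmapped = sorted(k for k in kv if k not in CEF_TO_ADAP)
    if columns.get("Event Time", "").isdigit():
        # CEF allows rt as epoch milliseconds; normalise to an ISO-8601 UTC string.
        ts = int(columns["Event Time"]) / 1000
        columns["Event Time"] = datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return header, columns, unmapped

# Constructed sample event (vendor, product and signature values are placeholders).
SAMPLE_CEF = ("CEF:0|ExampleVendor|ExampleProduct|1.0|4624|Logon success|3|"
              "cat=User Logon cn1=4624 cn2=1001 cn3=42 cs1=Logon Activity cs5=Low "
              "rt=1700000000000 suser=jdoe sntdom=CORP shost=WS01 act=success "
              "msg=Logon type\\=2 via Kerberos reason=Successful logon")
```

Keys that are not in the table (here the constructed `act`) are reported separately so that a field missing from your SIEM's field extraction can be spotted instead of silently dropped.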


Validation and confirmation  

  • Verify events from ADAudit Plus appear in the SIEM solution.
  • Check that log forwarding is occurring in real time.
  • Review error logs for any misconfigurations.
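For the Syslog integrations (Step 2 and Step 5), the three checks above can be scripted against a batch of lines captured at the receiver. The following is an added example, not part of this article: it parses RFC 5424 headers, decodes PRI into facility and severity, counts events per sending host and application name, flags events whose timestamp lags the capture time by more than a threshold (the "real time" check), and counts lines that do not parse, which is what you see when the sender is set to RFC 3164 but the receiver expects RFC 5424. The capture and the host and application names in it are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$", re.DOTALL)

def parse_syslog_5424(line):
    """Return the header fields of one RFC 5424 line, with PRI decoded into facility/severity."""
    m = SYSLOG_5424.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not RFC 5424: {line[:40]!r}")
    ev = m.groupdict()
    ev["facility"], ev["severity"] = divmod(int(ev["pri"]), 8)  # PRI = facility * 8 + severity
    ev["timestamp"] = (None if ev["ts"] == "-"
                       else datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")))
    return ev

def check_delivery(lines, received_at, max_lag_s=60):
    """Summarise a captured batch: events per (host, app), indexes of events whose
    timestamp lags received_at by more than max_lag_s, and indexes that failed to parse."""
    report = {"counts": {}, "lagging": [], "unparsed": []}
    for i, line in enumerate(lines):
        try:
            ev = parse_syslog_5424(line)
        except ValueError:
            report["unparsed"].append(i)  # e.g. an RFC 3164 line sent to a 5424 receiver
            continue
        key = (ev["host"], ev["app"])
        report["counts"][key] = report["counts"].get(key, 0) + 1
        if ev["timestamp"] and (received_at - ev["timestamp"]).total_seconds() > max_lag_s:
            report["lagging"].append(i)
    return report

# Constructed sample capture (host, app name and message text are placeholders).
# PRI 110 = facility 13 (log audit) * 8 + severity 6 (informational).
RECEIVED_AT = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "<110>1 2024-05-01T12:00:05Z ADAP01 ADAuditPlus - - - Logon event (constructed)",
    "<110>1 2024-05-01T11:55:00Z ADAP01 ADAuditPlus - - - Delayed event (constructed)",
    "<110>May  1 12:00:07 ADAP01 ADAuditPlus: RFC 3164 line, wrong format (constructed)",
]
```

Run it on lines captured from your own receiver (for example a file the Syslog server writes) with `received_at` set to the capture time; a growing `unparsed` list points at a format mismatch, a growing `lagging` list at buffering or clock skew between ADAudit Plus and the receiver.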

Tips

  • Use TCP instead of UDP for reliable event delivery.

  • Enable filtering to forward only necessary audit categories.

  • Regularly test log forwarding to prevent data loss.

  • Maintain documentation of SIEM integration settings for compliance.
