Configuring a universal connector by using the legacy workflow

Use the legacy Configure Universal Connector page on a Managed Unit to configure universal connectors. The Guardium universal connector is the Guardium entry point for native audit logs. The Guardium universal connector identifies and parses the received events, and converts them to a standard Guardium format. The output of the Guardium universal connector is forwarded to the Guardium sniffer on the collector, for policy and auditing enforcement. Configure Guardium to read the native audit logs by customizing a pre-defined template for data sources that have pre-defined plug-ins (Amazon S3, MongoDB, and MySQL), or with your own plug-in.

Before you begin

About this task

Pre-defined plug-ins: Guardium has a few pre-defined plug-ins for specific data sources: Amazon S3, MongoDB, and MySQL. In this scenario, you do not need to upload a plug-in. Instead, you can use the corresponding template to help you to configure the input and the filter. The templates include all required fields. The input and filter sections conform to the sections in an Elastic Logstash configuration file, described here.

The default MongoDB connector is the preferred method of ingesting data. It does not require any additional configuration on Guardium if you use the default configuration. By default, the Guardium universal connector listens for MongoDB audit log events that are sent over Syslog (TCP port 5000, UDP port 5141) and Filebeat (port 5044). If you cannot use these ports, or if a parameter does not display in the reports as you expect, update the MongoDB connector configuration to match your system.

Each connector requires unique ports. Do not use the default ports for a customized connector configuration. Also, each connector must have a unique type, and the filter configuration must use that type.

For example, if the input configuration includes:

udp { port => 5141 type => "syslogMongoDB" }

then the filter must match it:

if [type] == "syslogMongoDB" {

Tip: When you save a connector configuration, Guardium stops the universal connector, verifies the new connection syntax, and initiates the new connection. Then, it restarts the universal connector. To prevent unnecessary loss of data during this stop period (usually about 1 minute), verify new configurations on a test Guardium system before you add them to your live system.
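
A pre-save check for the port and type rules above, as an added example that is not part of Guardium or its documentation. The function names, connector names and sample configurations are constructed for illustration, and the check assumes the Input configuration field holds bare plug-in blocks as in the example on this page.

```python
import re

# Default listener ports named on this page: Syslog TCP 5000, UDP 5141, Filebeat 5044.
DEFAULT_PORTS = {5000, 5141, 5044}
BLOCK_RE = re.compile(r'(\w+)\s*\{')
PORT_RE = re.compile(r'\bport\s*=>\s*"?(\d+)')
TYPE_RE = re.compile(r'\btype\s*=>\s*"([^"]+)"')
FILTER_TYPE_RE = re.compile(r'\[type\]\s*==\s*"([^"]+)"')

def top_level_blocks(cfg):
    """Yield (plugin, body) per bare top-level `name { ... }` block (assumed input layout)."""
    pos = 0
    while (m := BLOCK_RE.search(cfg, pos)):
        depth, i = 1, m.end()
        while i < len(cfg) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(cfg[i], 0)
            i += 1
        yield m.group(1), cfg[m.end():i - 1]
        pos = i

def lint_connectors(connectors):
    """connectors maps name -> (input_cfg, filter_cfg); ports are compared regardless of protocol (assumption)."""
    findings, port_owner, type_owner = [], {}, {}
    for name, (input_cfg, filter_cfg) in connectors.items():
        filter_types = set(FILTER_TYPE_RE.findall(filter_cfg))
        for plugin, body in top_level_blocks(input_cfg):
            port, ctype = PORT_RE.search(body), TYPE_RE.search(body)
            if port:
                p = int(port.group(1))
                if p in DEFAULT_PORTS:
                    findings.append(f"{name}: {plugin} reuses default port {p}")
                if port_owner.setdefault(p, name) != name:
                    findings.append(f"{name}: port {p} already used by {port_owner[p]}")
            if not ctype:
                findings.append(f"{name}: {plugin} input sets no type")
                continue
            t = ctype.group(1)
            if type_owner.setdefault(t, name) != name:
                findings.append(f"{name}: type {t} already used by {type_owner[t]}")
            if t not in filter_types:
                findings.append(f"{name}: filter never tests [type] == {t}")
    return findings

SAMPLE = {  # constructed sample configurations, not taken from a real system
    "mongo_custom": ('udp { port => 5141 type => "syslogMongoDB" }',
                     'if [type] == "syslogMongoDB" { }'),
    "mysql_custom": ('tcp { port => 6000 type => "syslogMongoDB" }',
                     'if [type] == "syslogMySQL" { }'),
}
```

Calling lint_connectors(SAMPLE) reports the reused default port, the duplicated type, and the filter that never tests its input's type; an empty list means the configurations satisfy the three rules.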

Procedure

  1. On the Collector, go to the Setup > Tools and Views > Configure Universal Connector page.
  2. Ensure that the Universal Connector is enabled.
  3. To add a new configuration, click the add new icon.
    1. In the Connector name field, enter a name for the new connector.
      Restriction: Ensure that the name does not contain special characters other than underscore ( _ ) and hyphen ( - ).
    2. From the Connector template list, select a template, if applicable. If not, leave it as is.
    3. Update the Input configuration and Filter Configuration fields as per the .conf file from the filter plug-in GitHub repository for the plug-in that you want to configure. For example, see the auroraMysqlCloudwatch.conf file if you are configuring the Aurora-MySQL-Guardium Logstash filter plug-in. Omit the keyword "filter{" at the beginning and its corresponding "}" at the end.
      Note:
      • You can see the .conf file in each filter plug-in folder in the GitHub repository.
      • If you want to configure Cloudwatch by using the role_arn parameter instead of access_key and secret_key, then see the Configuring role_arn parameter topic.
    If you are configuring more than one filebeat connector on a single Managed Unit, ensure that you update the tags parameter in the filter plug-in configuration file with unique values for each configuration. Not using unique values may affect the system performance.
  4. Click Save.
  5. Download the plug-in zip file from the GitHub repository. The plug-in zip file is part of each plug-in folder.
  6. Click Upload File, browse to the downloaded plug-in zip file, and upload it.
    You may also need to upload any supporting files for the plug-in. See the individual plug-in related topic for such information.

Results

The Universal Connector is now configured and ready to receive new events from the data source.