Adding connectors and plug-ins

The Guardium universal connector is the Guardium entry point for native audit logs. The Guardium universal connector identifies and parses the received events, and converts them to a standard Guardium format. The output of the Guardium universal connector is forwarded to the Guardium sniffer on the collector, for policy and auditing enforcements. Configure Guardium to read the native audit logs by customizing a pre-defined template for data sources that have pre-defined plug-ins (Amazon S3, MongoDB, and MySQL), or with your own plug-in.

Before you begin

You must have permission for the role S-Tap Management. Admin user has this role by default.

About this task

Pre-defined plug-ins: Guardium has a few pre-defined plug-ins for specific data sources: Amazon S3, MongoDB, and MySQL. In this scenario, you do not need to upload a plug-in. Instead, you can use the corresponding template to help you to configure the input and the filter. The templates include all required fields. The input and filter sections conform to the sections in an Elastic Logstash configuration file, described here.

The default MongoDB connector is the preferred method of ingesting data. It does not require any additional configuration on Guardium if you use the default configuration. By default, the Guardium universal connector listens for MongoDB audit log events that are sent over Syslog (TCP port 5000, UDP port 5141) and Filebeat (port 5044). If you cannot use these ports, or if a parameter does not display in the reports as you expect, update the MongoDB connector configuration to match your system.

Important: Each connector requires unique ports. Do not use the default ports for a customized connector configuration. Also, each connector must have a unique type, and the filter configuration must use that type.

For example, if the input configuration includes:

udp { port => 5141 type => "syslogMongoDB" }

then the filter must match it:

if [type] == "syslogMongoDB" {
Tip: When you save a connector configuration, Guardium stops the universal connector, verifies the new connection syntax, and initiates the new connection. Then, it restarts the universal connector. To prevent unnecessary loss of data during this stop period (usually about 1 minute), verify new configurations on a test Guardium system before you add them to your live system.

Procedure

  1. On the collector, click Setup > Tools and Views > Configure Universal Connector.
  2. Click the add icon.
  3. For pre-defined plug-ins:
    1. Enter name in the Connector name field.
    2. From the Connector template drop-down list, select the template that most closely matches your system and follow the instructions in the sections that describe each template.
    3. Click Save. Guardium validates the new connector, and enables the universal connector if it was disabled. After it is validated, it appears in the Configure Universal Connector page.
  4. For offline plug-in package and related files, see further instructions in upload a plug-in.