Connecting to data source by using Universal Connector
Configure the connection to the data sources by using Universal Connector.
- Read the Additional information and click Configure.
- Enter a name and description for the connection that you want to create and click Next.
- In the Build pipeline, select the Input plugin and Filter plugin, then click Next.
- In the Additional info fields, enter the applicable information from JDBC, Filebeat, or CloudWatch input plug-in configuration sections.
JDBC input plug-in configuration
Parameters | Description |
---|---|
Connection string | Enter the JDBC connection string. For example: Note: Do not enter the database username and password in the connection string. |
Statement | The statement setting determines which audit tables the SELECT query reads for the audit logs. In the Guardium UI, the Statement* field is divided into three parts for clarity and ease of use: SELECT for choosing columns, FROM for specifying tables, and WHERE for adding filter conditions. |
JDBC user | Enter the username used to connect to the database. This user must have access to the audit tables to be queried. |
Password | Enter the password for the JDBC user. |
Parameters | Description |
---|---|
Account ID | AWS account ID. For more information, see Using an alias for your AWS account ID. |
Enrollment ID | Used for an AzureSQL connection. For more information, see the Finding Enrollment ID topic. |
Server name | Enter the hostname of the database server. |
Filebeat input plug-in configuration
- In the Additional info page, enter the Data source tag and click Configure.
  This tag uniquely identifies the incoming Filebeat stream. It is later added to the Filebeat configuration so that Filebeat can tag every event with this tag. For example, specify any-mongodb in this field.
- In the Configuration notes page, click Download certificate to download the UC certificate authority to your local system. Copy the certificate to the data source (it is later added to the Filebeat configuration). All data sources of any one specific type use the same certificate.
- Click Done.
- To configure the data source to communicate with Guardium® Data Security Center, follow the instructions from the Configuring Filebeat to forward audit logs to Guardium section.
  Copy the hostname in the Configuration Notes to configure the host in the filebeat.yml file on your data source.
- Persistent queue is disabled by default in the Universal Connector and must be enabled manually. Persistent queue can be enabled only for Filebeat and it can cause the universal connector to work more slowly. To enable the queue, click Universal connector: enable persistent queue. and then click
Configuring a Filebeat connection
Prerequisite
- Select the data source as MongoDB.
- Select On-premises as the data source environment type.
- Select Filebeat as the input plug-in.
- In the Additional info page, enter the Data source tag and click Configure.
  This tag uniquely identifies the incoming Filebeat stream. It is later added to the Filebeat configuration so that Filebeat can tag every event with this tag. For example, specify any-mongodb in this field.
- Click Upload certificates authorities and select the filebeatCA.crt authority that is created in the Filebeat input plug-in configuration section. You can specify multiple authorities from your local system. An event can only be processed by the universal connector if one of the designated authorities signs its certificate.
- Click Configure.
- In the Configuration notes page, click Download certificate to download the UC certificate authority to your local system. Copy the certificate to the data source (it is later added to the Filebeat configuration). All data sources of any one specific type use the same certificate.
- Click Done.
- To configure the data source to communicate with Guardium Data Security Center, follow the instructions from the Configuring Filebeat to forward audit logs to Guardium section.
  Copy the hostname in the Configuration Notes to configure the host in the filebeat.yml file on your data source.
- Persistent queue is disabled by default in the Universal Connector and must be enabled manually. Persistent queue can be enabled only for Filebeat and it can cause the universal connector to work more slowly. To enable the queue, click Universal connector: enable persistent queue. and then click
CloudWatch input plug-in configuration
Parameters | Description |
---|---|
AWS Role ARN | Generate temporary credentials, typically for cross-account access. For more information, see the AssumeRole API documentation. |
AWS access key ID and AWS secret access key | AWS user account access key and the secret access key. For more information, see Configure tool authentication with AWS. |
AWS account region | Region of the AWS account. For example, "us-east-1" |
Event filter | Specify the filters to search for resources. For example, for filtering S3 events based on bucket name: |
Account ID | AWS account ID. For more information, see the Configure tool authentication with AWS topic. |
CloudWatch Log Group name | Specify the log group that is created for your data instance. For example, /aws/rds/instance/any_instance/any_log_group |
Azure Event Hubs input plug-in configuration
Parameters | Description |
---|---|
Event hub connections | Specify the list of connection strings that identifies the Event Hubs to be read. Connection strings include the EntityPath for the Event Hub. |
Enrollment ID | Azure enrollment ID. A unique subscription identifier for billing and resource management. |
Configuring Filebeat to forward audit logs to Guardium
Prerequisites: Complete the steps from the Configuring Filebeat to forward audit logs to Guardium section.
- Open the filebeat.yml file. Find the file at the path /etc/filebeat/filebeat.yml.
- Locate the tags section and enter the data source tag. For example,
    tags: ["any-mongodb"]
- Locate the output.logstash section and add an entry for IBM Guardium Data Security Center. For example,
    # The Logstash hosts
    hosts: ["<hostname-URL>:443"]
  Note: In IBM Guardium Data Security Center, whenever you use the plug-ins that are based on Filebeat as a data shipper, the configured port must be 443. Guardium Data Security Center maps the 443 port to an internal port.
- Configure TLS - Universal Connector to Datasource:
  - Download the SSL certificate (UC certificate authority) from IBM Guardium Data Security Center and upload it to the datasource server.
  - Copy the location of the downloaded certificate and enter it as the certificate authority.
      # List of root certificates for HTTPS server verifications
      ssl.certificate_authorities: ["/etc/pki/ca-trust/GuardiumInsightsCA.pem"]
  Summary:
    tags: ["any-mongodb"]
    output.logstash:
      # The Logstash hosts
      hosts: ["<hostname-URL>:443"]
      # List of root certificates for HTTPS server verifications
      ssl.certificate_authorities: ["<path-to-UC-CA>/GuardiumInsightsCA.pem"]
Restart Filebeat to apply the changes.
For Linux, run the following command:
    sudo service filebeat restart
For Windows, restart in the Services window.
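A pre-restart check for the three settings this procedure puts into filebeat.yml (data source tag, port 443 on every Logstash host, and the UC certificate authority). This is an added example, not IBM's code: the function name `check_filebeat_yml` and its output format are made up here, and it assumes the inline list form `hosts: ["..."]` shown in the summary above.

```shell
#!/bin/sh
# Added example (not IBM's code): lint filebeat.yml against the settings
# this section requires. Prints findings and returns their count.
fail() { echo "FAIL $1"; findings=$((findings + 1)); }

check_filebeat_yml() {
    file=$1; tag=$2; findings=0
    # Strip comments and blank lines so commented-out defaults are not
    # mistaken for active settings (assumes no '#' inside quoted values).
    active=$(sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$file")

    # 1. The data source tag must appear in the top-level tags list.
    printf '%s\n' "$active" | grep -Eq "^tags:.*\"$tag\"" ||
        fail "tags: \"$tag\" is not set"

    # 2. Isolate the output.logstash block: the indented lines under the key.
    block=$(printf '%s\n' "$active" |
        awk '/^output\.logstash:/ {on=1; next} /^[^ \t]/ {on=0} on')

    # 3. Every entry of the inline hosts list must use port 443.
    hosts=$(printf '%s\n' "$block" | grep -E '^[[:space:]]+hosts:' || true)
    if [ -z "$hosts" ]; then
        fail "output.logstash: no hosts entry"
    else
        bad=$(printf '%s\n' "$hosts" | sed 's/^[^:]*://' | tr -d '"[] ' |
            tr ',' '\n' | grep -Ev ':443$' || true)
        [ -z "$bad" ] || fail "output.logstash.hosts not on port 443: $bad"
    fi

    # 4. The server certificate must be verified against the UC CA file.
    ca=$(printf '%s\n' "$block" | sed -n \
        's/^[[:space:]]*ssl\.certificate_authorities:[^"]*"\([^"]*\)".*/\1/p')
    if [ -z "$ca" ]; then
        fail "ssl.certificate_authorities is not set"
    elif [ ! -r "$ca" ]; then
        fail "CA file is not readable: $ca"
    fi
    return "$findings"
}
```

Run it as `check_filebeat_yml /etc/filebeat/filebeat.yml any-mongodb`. Filebeat's own `filebeat test config` and `filebeat test output` commands then check the syntax and the live TLS connection.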
TCP input plug-in configuration
- Download the create_certificates.sh script to the data source server.
- Change the file permissions so the script can run:
    chmod +x create_certificates.sh
- Run the script with 2 arguments: Enter the first argument as the path where the certificates are stored and the second as the hostname.
    ./create_certificates.sh <PATH TO STORE> <DATASOURCE SERVER DNS>
  For example,
    ./create_certificates.sh /path/to/store datasource.server.dns.com
- Copy filebeatCA.crt to your local system.
Syslog input plug-in configuration
To enable Logstash to process the data collected by syslog, configure the available syslog utility.
Prerequisite
    systemctl status rsyslog
For more information on installing syslog on Ubuntu, see Install rsyslog on Ubuntu. For more information on RHEL, see Install rsyslog on RHEL/CENTOS.
- Generate a certificate authority (CA) by creating a file with name mongo_syslog.conf in the /etc/rsyslog.d/ directory.
- Copy the following code snippet in the file that is created in the previous step and change the values of target and port.
    global(DefaultNetstreamDriverCAFile="/path/to/ca_file/ca.pem")
    # The template for message formatting
    $template UcMessageFormat,"%HOSTNAME%,<SERVER_IP>,%msg%"
    module(load="imfile")
    ruleset(name="imfile_to_gdp") {
        action(type="omfwd"
               protocol="tcp"
               StreamDriver="gtls"
               StreamDriverMode="1"
               StreamDriverAuthMode="x509/certvalid"
               template="UcMessageFormat"
               target="<target_host>"
               port="<target_port>")
    }
    input(
        type="imfile"
        file="/path/to/logs/directory/auditLog.json"
        # Keep the value of tag below as same as here,
        tag="syslog"
        ruleset="imfile_to_gdp"
    )
  This configuration reads the logs from the MongoDB log directory path and sends the syslog messages to the provided host (target_host) at the provided port (target_port).
  Note: For the configuration requirements that are specific to Guardium Data Security Center environment, follow the instructions from the TCP input plug-in configuration topic.
- Include this file in the main rsyslog configuration file. Open the file from the /etc/rsyslog.conf path.
- Append the following line at the end of the file.
    $IncludeConfig /etc/rsyslog.d/mongo_syslog.conf
- Restart the rsyslog utility by using the following command.
    systemctl restart rsyslog
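A check that the forwarding rule in mongo_syslog.conf keeps the TLS settings from the snippet above, so that audit logs are not forwarded in cleartext or to an unverified receiver. This is an added example, not IBM's code: the function name `check_rsyslog_tls` and its messages are made up here, and it assumes no `)` appears inside a parameter value.

```shell
#!/bin/sh
# Added example (not IBM's code): lint an rsyslog forwarding file for the TLS
# settings used in this section. Prints findings and returns their count.
fail() { echo "FAIL $1"; findings=$((findings + 1)); }

check_rsyslog_tls() {
    conf=$1; findings=0
    # Drop whole-line comments, then join lines so a multi-line action(...)
    # can be matched as one string.
    flat=$(sed '/^[[:space:]]*#/d' "$conf" | tr '\n' ' ')

    # The CA file used to verify the receiver must be set globally.
    printf '%s\n' "$flat" | grep -Eiq 'DefaultNetstreamDriverCAFile="[^"]+"' ||
        fail "global: DefaultNetstreamDriverCAFile is not set"

    # Emit one action(...) per line; assumes no ')' inside parameter values.
    actions=$(printf '%s\n' "$flat" | awk '{
        while (match($0, /action\([^)]*\)/)) {
            print substr($0, RSTART, RLENGTH)
            $0 = substr($0, RSTART + RLENGTH)
        }
    }')

    while IFS= read -r a; do
        case $a in *'type="omfwd"'*) ;; *) continue ;; esac
        printf '%s\n' "$a" | grep -Eiq 'StreamDriver="gtls"' ||
            fail "omfwd: StreamDriver is not gtls, logs leave in cleartext"
        printf '%s\n' "$a" | grep -Eiq 'StreamDriverMode="1"' ||
            fail "omfwd: StreamDriverMode is not 1, TLS is not enforced"
        # x509/certvalid validates the certificate chain only; x509/name
        # additionally checks the peer name. "anon" performs no check.
        printf '%s\n' "$a" |
            grep -Eiq 'StreamDriverAuthMode="x509/(certvalid|name|fingerprint)"' ||
            fail "omfwd: StreamDriverAuthMode is anon or unset"
    done <<EOF
$actions
EOF
    return "$findings"
}
```

Run it as `check_rsyslog_tls /etc/rsyslog.d/mongo_syslog.conf` before restarting. `rsyslogd -N1` separately validates the configuration syntax.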