Connecting to data source by using Universal Connector

Configure the connection to the data sources by using Universal Connector.

Open the main menu by clicking the main menu icon. After opening the menu, click Configurations > Connections > Monitored data sources. From the Connections page, click Create connection and select a data source. Then, select the Connection method as Universal Connector and complete the following steps:
Important: To create the universal connector by using an edge gateway, click Add edge gateway. For more information, see Setting up an edge gateway. If you have already set up an edge gateway, select Edge gateway and then choose the edge gateway on which you want to configure the universal connector.
  1. Read the Additional information and click Configure.
  2. Enter a name and description for the connection that you want to create and click Next.
  3. In the Build pipeline, select the Input plugin and Filter plugin, then click Next.
  4. In the Additional info fields, enter the applicable information from JDBC, Filebeat, or CloudWatch input plug-in configuration sections.

JDBC input plug-in configuration

In the Additional info page, specify the following details for the connection you want to create:
Table 1. JDBC input plug-in configuration parameters
Connection string: Enter the JDBC connection string. For example:
jdbc:sqlserver://<server_name>:<port_number>;databaseName=<database_name>
Note: Do not enter the database username and password in the connection string.
Statement: The statement determines which audit tables the SELECT query reads for the audit logs. In the Guardium UI, the Statement* is divided into three parts to enhance clarity and ease of use: SELECT for choosing columns, FROM for specifying tables, and WHERE for adding filter conditions.
JDBC user: Enter the username of the database user that you connect with; the user must have access to the audit tables to be queried.
Password: Enter the password for the JDBC user.
More parameters that are specific to certain data sources:
Table 2. More parameters
Account ID: AWS account ID. For more information, see Using an alias for your AWS account ID.
Enrollment ID: Used for an AzureSQL connection. For more information, see the Finding Enrollment ID topic.
Server name: Enter the hostname of the database server.

Filebeat input plug-in configuration

On the data source server, create a certificate authority and certificate for Filebeat. These certificates are used later to establish secured connections between the data source server and the Universal Connector.
  1. Download the create_certificates.sh script to the data source server.
  2. Change the file permissions so the script can run:

    chmod +x create_certificates.sh
  3. Run the script with two arguments: the path where the certificates are to be stored, followed by the DNS hostname of the data source server.
    ./create_certificates.sh <PATH TO STORE> <DATASOURCE SERVER DNS>
    For example,
    ./create_certificates.sh /path/to/store datasource.server.dns.com
  4. Copy filebeatCA.crt to your local system.

Configuring a Filebeat connection

Prerequisite

Connect to a data source by following the procedure on the Connecting to data sources page:
  1. Select the data source as MongoDB.
  2. Select On-premises as the data source environment type.
  3. Select Filebeat as the input plug-in.
Complete the following procedure to configure a Filebeat connection:
  1. In the Additional info page, enter the Data source tag and click Configure.

    This tag uniquely identifies the incoming Filebeat stream. It is later added to the Filebeat configuration so that the Filebeat can tag every event with this tag. For example, specify any-mongodb in this field.

  2. Click Upload certificates authorities and select the filebeatCA.crt authority that is created in the Filebeat input plug-in configuration section.

    You can specify multiple authorities from your local system. An event is processed by the universal connector only if its certificate is signed by one of the designated authorities.

  3. Click Configure.
  4. In the Configuration notes page, click Download certificate to download the UC certificate authority to your local system. Copy the certificate to the data source (it is later added to the Filebeat configuration). All data sources of any one specific type use the same certificate.
  5. Click Done.
  6. To configure the data source to communicate with Guardium Data Security Center, follow the instructions from the Configuring Filebeat to forward audit logs to Guardium section.

    Copy the hostname in the Configuration Notes to configure the host in the filebeat.yml file on your data source.

  7. The persistent queue is disabled by default in the Universal Connector and must be enabled manually. It can be enabled only for Filebeat, and it can make the universal connector work more slowly. To enable the queue, click Settings > Global settings > Connection settings and then click Universal connector: enable persistent queue.

CloudWatch input plug-in configuration

In the Additional info page, specify the details of the connection you want to create:
Table 3. CloudWatch input plug-in configuration parameters
AWS Role ARN: Generate temporary credentials, typically for cross-account access. For more information, see the AssumeRole API documentation.
AWS access key ID and AWS secret access key: The access key and secret access key of the AWS user account. For more information, see Configure tool authentication with AWS.
AWS account region: Region of the AWS account. For example, "us-east-1".
Event filter: Specify the filters to search for resources. For example, to filter S3 events by bucket name:
'{$.eventSource = "s3.amazonaws.com" && $.requestParameters.bucketName = "<bucket name>"}'
Account ID: AWS account ID. For more information, see the Configure tool authentication with AWS topic.
CloudWatch Log Group name: Specify the log group that is created for your data instance. For example,
/aws/rds/instance/any_instance/any_log_group

Tip: For the plug-ins that are configured for IBM Guardium Data Security Center SaaS, use SQS, because CloudWatch can report the same event multiple times.
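The Event filter field takes a CloudWatch Logs JSON filter pattern, and a wrong pattern silently drops or over-collects events. The following script is an added example, not part of the IBM documentation or product: it evaluates a subset of that syntax ($.path = "value", !=, * wildcards inside quoted strings, && and ||, no parentheses) against constructed CloudTrail-style events, so that a pattern can be sanity-checked locally before it is entered in the connection. The events, the eventName values and the bucket names are constructed sample data; the CloudWatch service remains the authority on how a pattern matches.

```python
"""Check a CloudWatch Logs JSON filter pattern against sample events (added example).
Supported subset: $.path = "value", != , '*' wildcards in quoted values, && and ||,
no parentheses. Everything below is constructed sample data, not real events.
"""
import json
import re
from fnmatch import fnmatchcase

# Constructed CloudTrail-style sample events (not real data).
SAMPLE_EVENTS = [
    '{"eventSource": "s3.amazonaws.com", "eventName": "GetObject", '
    '"requestParameters": {"bucketName": "audit-bucket"}}',
    '{"eventSource": "s3.amazonaws.com", "eventName": "PutObject", '
    '"requestParameters": {"bucketName": "other-bucket"}}',
    '{"eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance", '
    '"requestParameters": {"dBInstanceIdentifier": "any_instance"}}',
]

# The documented bucket filter with a constructed bucket name filled in.
BUCKET_FILTER = ('{$.eventSource = "s3.amazonaws.com" && '
                 '$.requestParameters.bucketName = "audit-bucket"}')

# One comparison: $.a.b.c <op> "quoted string" | bare literal (number, true, false, null).
# Whitespace after '$' is tolerated because copied patterns often contain it.
_TERM = re.compile(r'\$\s*\.([\w.]+)\s*(=|!=)\s*(?:"([^"]*)"|(\S+))')


def _lookup(event, path):
    """Walk a dotted selector through nested dicts; None when a segment is missing."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _coerce(bare):
    """Convert an unquoted literal to the JSON value it denotes."""
    if bare == "true":
        return True
    if bare == "false":
        return False
    if bare == "null":
        return None
    try:
        return int(bare)
    except ValueError:
        return float(bare)


def _eval_term(event, text):
    """Evaluate a single comparison against one decoded event."""
    m = _TERM.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported filter term: {text.strip()!r}")
    path, op, quoted, bare = m.groups()
    actual = _lookup(event, path)
    if quoted is not None:
        # Quoted values are strings; '*' acts as a wildcard, as in CloudWatch.
        hit = isinstance(actual, str) and fnmatchcase(actual, quoted)
    else:
        hit = actual == _coerce(bare)
    return hit if op == "=" else not hit


def matches(pattern, event_json):
    """True when the event satisfies the pattern; && binds tighter than ||."""
    body = pattern.strip().strip("'").strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("only JSON filter patterns of the form {...} are supported")
    event = json.loads(event_json)
    # Operators inside quoted values are not handled by this simple split.
    return any(
        all(_eval_term(event, term) for term in disjunct.split("&&"))
        for disjunct in body[1:-1].split("||")
    )


def filter_events(pattern, events=SAMPLE_EVENTS):
    """Return the eventName of every sample event the pattern would let through."""
    return [json.loads(e)["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    for pat in (BUCKET_FILTER,
                '{$.eventSource = "*.amazonaws.com"}',
                '{$.eventSource = "s3.amazonaws.com" && '
                '$.requestParameters.bucketName != "other-bucket"}'):
        print(pat, "->", filter_events(pat))
```

Run it with the pattern you intend to use and a few log lines exported from the real log group; a pattern that matches nothing in the sample is the usual sign of a misspelled selector such as requestParameters.bucketname.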

Azure Event Hubs input plug-in configuration

In the Additional info page, specify the details of the connection you want to create:
Table 4. Azure Event Hubs input plug-in configuration parameters
Event hub connections: Specify the list of connection strings that identify the Event Hubs to be read. Each connection string includes the EntityPath of its Event Hub.
Enrollment ID: Azure enrollment ID. A unique subscription identifier for billing and resource management.

Configuring Filebeat to forward audit logs to Guardium

Prerequisites: Complete the steps in the Configuring Filebeat to forward audit logs to Guardium section.

  1. Open the filebeat.yml file. Search the file at path: /etc/filebeat/filebeat.yml.
  2. Locate the tags section and enter the data source tag. For example, tags: ["any-mongodb"].
  3. Locate the output.logstash section and add an entry for IBM Guardium Data Security Center SaaS. For example,
    # The Logstash hosts
    hosts: ["<hostname-URL>:443"]
    Note: In IBM Guardium Data Security Center SaaS, whenever you use the plug-ins that are based on Filebeat as a data shipper, the configured port must be 443. Guardium Data Security Center maps the 443 port to an internal port.
  4. Configure TLS - Universal Connector to Datasource:
    1. Download the SSL certificate (UC certificate authority) from IBM Guardium Data Security Center SaaS and upload it to the data source server.
    2. Copy the location of the downloaded certificate and enter it as the certificate authority.
      # List of root certificates for HTTPS server verifications
      ssl.certificate_authorities: ["/etc/pki/ca-trust/GuardiumInsightsCA.pem"]
      Summary:
      tags: ["any-mongodb"]
      
      output.logstash:
        # The Logstash hosts
        hosts: ["<hostname-URL>:443"]
        # List of root certificates for HTTPS server verifications
        ssl.certificate_authorities: ["<path-to-UC-CA>/GuardiumInsightsCA.pem"]
  5. Restart Filebeat to apply the changes.

    For Linux, run the following command:
    sudo service filebeat restart
    For Windows, restart in the Services window.

TCP input plug-in configuration

To enable a secure connection with Syslog on the data source server, create a certificate authority and certificate as follows:
  1. Download the create_certificates.sh script to the data source server.
  2. Change the file permissions so the script can run:
    chmod +x create_certificates.sh
  3. Run the script with two arguments: the path where the certificates are to be stored, followed by the DNS hostname of the data source server.
    ./create_certificates.sh <PATH TO STORE> <DATASOURCE SERVER DNS>
    For example,
    ./create_certificates.sh /path/to/store datasource.server.dns.com
  4. Copy filebeatCA.crt to your local system.

Syslog input plug-in configuration

To allow Logstash to process the data that syslog collects, configure the syslog utility that is available on the data source server.

Prerequisite

Verify that the rsyslog service is active and running by using the following command:
systemctl status rsyslog
For more information on installing syslog on Ubuntu, see Install rsyslog on Ubuntu. For more information on RHEL, see Install rsyslog on RHEL/CENTOS.
  1. Generate a certificate authority (CA) by creating a file with name mongo_syslog.conf in the /etc/rsyslog.d/ directory.
  2. Copy the following code snippet into the file that you created in the previous step and change the values of target and port.
    global(DefaultNetstreamDriverCAFile="/path/to/ca_file/ca.pem")
    # The template for message formatting
    $template UcMessageFormat,"%HOSTNAME%,<SERVER_IP>,%msg%"
    module(load="imfile")
    ruleset(name="imfile_to_gdp") {
        action(type="omfwd"
               protocol="tcp"
               StreamDriver="gtls"
               StreamDriverMode="1"
               StreamDriverAuthMode="x509/certvalid"
               template="UcMessageFormat"
               target="<target_host>"
               port="<target_port>")
    }
    input(
        type="imfile"
        file="/path/to/logs/directory/auditLog.json"
        # Keep the value of tag the same as shown here
        tag="syslog"
        ruleset="imfile_to_gdp"
    )
    This configuration reads the logs from the MongoDB log directory path and sends the syslog messages to the provided host (target_host) at the provided port (target_port).
    Note: For the configuration requirements that are specific to Guardium Data Security Center SaaS environment, follow the instructions from TCP input plug-in configuration topic.
  3. Include this file in the main rsyslog configuration file: open /etc/rsyslog.conf.
  4. Append the following line at the end of the file.
    $IncludeConfig /etc/rsyslog.d/mongo_syslog.conf
  5. Restart the rsyslog utility by using the following command.
    systemctl restart rsyslog
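The rsyslog snippet above is what keeps the MongoDB audit log encrypted and authenticated on its way to the universal connector; if the StreamDriver, StreamDriverMode or StreamDriverAuthMode parameters are dropped, rsyslog silently forwards over plain TCP. The following script is an added example, not IBM's code: it parses the action(...) and input(...) parameters of such a file and reports an omfwd action without the gtls driver, without TLS enforced (StreamDriverMode not 1), without certificate validation (StreamDriverAuthMode not x509/*), with the <target_host> and <target_port> placeholders still in place, or with an imfile tag other than syslog. It also shows how the receiving side should split a UcMessageFormat line (%HOSTNAME%,<SERVER_IP>,%msg%) without breaking the JSON in %msg%. The host uc.example.invalid, port 5000 and the audit line are constructed values.

```python
"""Lint an rsyslog forwarding snippet for the Universal Connector and parse the lines
it emits (added example, not IBM code). Host, port and audit line are constructed."""
import json
import re

# The documented layout with the placeholders replaced by constructed values.
SECURE_CONF = '''
global(DefaultNetstreamDriverCAFile="/path/to/ca_file/ca.pem")
$template UcMessageFormat,"%HOSTNAME%,<SERVER_IP>,%msg%"
module(load="imfile")
ruleset(name="imfile_to_gdp") {
    action(type="omfwd"
           protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/certvalid"
           template="UcMessageFormat"
           target="uc.example.invalid"
           port="5000")
}
input(type="imfile"
      file="/path/to/logs/directory/auditLog.json"
      tag="syslog"
      ruleset="imfile_to_gdp")
'''

# A weakened variant: plain TCP, no certificate validation, placeholders left in, wrong tag.
WEAK_CONF = '''
global(DefaultNetstreamDriverCAFile="/path/to/ca_file/ca.pem")
$template UcMessageFormat,"%HOSTNAME%,<SERVER_IP>,%msg%"
module(load="imfile")
ruleset(name="imfile_to_gdp") {
    action(type="omfwd" protocol="tcp" template="UcMessageFormat"
           target="<target_host>" port="<target_port>")
}
input(type="imfile" file="/path/to/logs/directory/auditLog.json" tag="mongo" ruleset="imfile_to_gdp")
'''

# Constructed line as UcMessageFormat would emit it for a MongoDB audit record.
SAMPLE_LINE = ('dbhost01,10.0.0.5,{"atype":"authenticate","ts":{"$date":"2024-01-01T00:00:00Z"},'
               '"param":{"user":"admin","db":"admin"},"result":0}')


def _objects(conf, name):
    """Return one {param: value} dict per name(...) object; parameters may span lines."""
    found = []
    for m in re.finditer(r"\b%s\(" % name, conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # scan to the matching ')'
            depth += {"(": 1, ")": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        # rsyslog parameter names are case-insensitive, so normalise them.
        found.append({k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', body)})
    return found


def lint_rsyslog(conf):
    """Return a list of findings; an empty list means the forwarding is TLS-only and validated."""
    findings = []
    if not any("defaultnetstreamdrivercafile" in g for g in _objects(conf, "global")):
        findings.append("no DefaultNetstreamDriverCAFile: the receiver certificate cannot be validated")
    actions = [a for a in _objects(conf, "action") if a.get("type") == "omfwd"]
    if not actions:
        findings.append("no omfwd action: nothing is forwarded")
    for a in actions:
        if a.get("protocol", "udp").lower() != "tcp":   # omfwd defaults to udp
            findings.append("omfwd protocol is not tcp: TLS requires tcp")
        if a.get("streamdriver", "").lower() not in ("gtls", "ossl"):
            findings.append("no TLS stream driver: audit logs would be sent in clear text")
        if a.get("streamdrivermode") != "1":
            findings.append("StreamDriverMode is not 1: TLS is not enforced")
        if not a.get("streamdriverauthmode", "anon").lower().startswith("x509/"):
            findings.append("StreamDriverAuthMode is not x509/*: receiver certificate not validated")
        if "<" in a.get("target", "<") or "<" in a.get("port", "<"):
            findings.append("target/port still contain placeholders")
    for inp in _objects(conf, "input"):
        if inp.get("type") == "imfile" and inp.get("tag") != "syslog":
            findings.append('imfile input tag is not "syslog" as the documented configuration requires')
    return findings


def uc_message_fields(line):
    """Split a UcMessageFormat line into (hostname, server_ip, decoded msg).
    The msg part is the raw audit record, JSON full of commas, so split on the
    first two commas only."""
    host, server_ip, msg = line.split(",", 2)
    return host, server_ip, json.loads(msg)


if __name__ == "__main__":
    print("secure:", lint_rsyslog(SECURE_CONF))
    print("weak:", lint_rsyslog(WEAK_CONF))
    print(uc_message_fields(SAMPLE_LINE))
```

Note that <SERVER_IP> in the template is a literal that you replace with the address of the data source server before deployment; the linter does not check it because the page leaves it as a placeholder.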