G DATA Business Solutions: Security Information and Event Management

SIEM (Security Information and Event Management) is a security management system that collects and correlates log and event data from many different sources.

It provides a comprehensive, centralized overview of the current security situation of an IT infrastructure. To this end, the SIEM system collects and categorizes machine data from various sources, analyzes it and flags deviating behavior in the IT infrastructure. This analysis can run continuously in real time.

To connect your G DATA security solution to your existing SIEM system, you need to configure three components: the G DATA ManagementServer, Telegraf and your SIEM system.

G DATA Management Server configuration

First, SIEM output must be turned on at the G DATA Management Server. This is also where you define the format (CEF or ECS) in which events are transferred to your SIEM system. The default format is CEF.

Carry out the following steps (make a backup copy of config.xml before editing it):

1. Open the MMS configuration file

   C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\config.xml

2. Scroll to the bottom.

3. Edit the Siem group or add it if it does not exist.

  1. Set IsSiemEnabled to true.

  2. Set TelegrafServerPort to 8099.

  3. Set OutputFormat to CEF (the default) or to ECS if your SIEM requires it.

Example
<group name="Siem">
    <setting name="IsSiemEnabled" type="bool" value="True" />
    <setting name="TelegrafServerPort" type="int" value="8099" />
    <setting name="OutputFormat" type="string" value="CEF" />
</group>

4. Restart the G DATA Management Server service so that the new settings take effect.
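The edit in steps 1 to 4 can be scripted so that it is repeatable and leaves config.xml well-formed. The following PowerShell script is an added example, not part of the original page and not G DATA's own tooling. It assumes that the Siem group sits directly under the document root of config.xml (as in the example above), that config.xml does not use an XML namespace, and that the Management Server's Windows service has a display name beginning with "G DATA" and containing "ManagementServer"; check Get-Service and adjust the pattern if yours differs.

```powershell
# Added example (not G DATA's own tooling): enable SIEM output in the
# ManagementServer config.xml idempotently, keeping a timestamped backup.
# Assumptions: <group name="Siem"> lives directly under the document root,
# settings are <setting name=... type=... value=.../> children of it, the
# file has no XML namespace, and the MMS service display name matches
# 'G DATA*ManagementServer*'.
param(
    [string]$ConfigPath = 'C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\config.xml',
    [ValidateSet('CEF', 'ECS')][string]$OutputFormat = 'CEF',
    [int]$TelegrafServerPort = 8099
)

$ErrorActionPreference = 'Stop'

# 1. Back up the original so the change can be reverted.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $ConfigPath -Destination $backup

# 2. Load the file as XML instead of editing it as text, so structure stays intact.
[xml]$doc = Get-Content -LiteralPath $ConfigPath -Raw
$root = $doc.DocumentElement

# 3. Find the Siem group or create it if it does not exist (assumed under the root).
$group = $root.SelectSingleNode("group[@name='Siem']")
if ($null -eq $group) {
    $group = $doc.CreateElement('group')
    $group.SetAttribute('name', 'Siem')
    [void]$root.AppendChild($group)
}

# 4. Upsert each setting: existing values are overwritten, missing ones added.
$desired = @(
    @{ name = 'IsSiemEnabled';      type = 'bool';   value = 'True' },
    @{ name = 'TelegrafServerPort'; type = 'int';    value = "$TelegrafServerPort" },
    @{ name = 'OutputFormat';       type = 'string'; value = $OutputFormat }
)
foreach ($s in $desired) {
    $node = $group.SelectSingleNode("setting[@name='$($s.name)']")
    if ($null -eq $node) {
        $node = $doc.CreateElement('setting')
        $node.SetAttribute('name', $s.name)
        [void]$group.AppendChild($node)
    }
    $node.SetAttribute('type',  $s.type)
    $node.SetAttribute('value', $s.value)
}

$doc.Save($ConfigPath)

# 5. Restart the Management Server so the new settings are read.
#    The display-name pattern is an assumption; adjust it to what Get-Service shows.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'G DATA*ManagementServer*' }
if ($null -eq $svc) { throw 'ManagementServer service not found; restart it manually.' }
$svc | Restart-Service
Write-Host "SIEM output enabled ($OutputFormat, port $TelegrafServerPort); backup at $backup"
```

Run it from an elevated PowerShell on the Management Server host; re-running it is safe because every setting is matched by name before it is written.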

Incoming configuration of Telegraf as of version 15.2.x

Telegraf is an agent for collecting, processing, aggregating and writing metrics. This guide describes how to configure the input side of Telegraf so that it receives security logs from the G DATA Management Server.

For CEF output, the preconfigured telegraf.conf is already in place in the directory C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf

If you have decided to use the ECS format, these instructions must be adapted accordingly.

The Telegraf.conf prepared for ECS can be found under the following directory:

C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegrafSplunkEcs.conf

Incoming configuration of Telegraf version 15.1.x

For version 15.1.x, the SIEM library of the Management Server and the prepared Telegraf input configuration have to be installed manually before Telegraf can receive security logs from the G DATA Management Server.

1. Download the zip archive from this download link:
https://share.gdata.de/index.php/s/pi649ToTsq79tsN.

Unzip the zip archive. Replace the existing GData.Business.Server.Siem.dll file in the directory

C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\

with the new file from the downloaded zip archive. If Windows reports the file as in use, stop the G DATA Management Server service first, replace the file, and start the service again.

2. Download the Telegraf.conf file prepared for CEF format from the following link: https://share.gdata.de/index.php/s/BrCfZq8dtN2SjqZ.

Extract the zip archive to the directory

C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf

These instructions refer to the use of the CEF format. If you have decided to use the ECS format, these instructions must be adapted accordingly.

The Telegraf.conf prepared for ECS can be found under the following directory:

C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegrafSplunkEcs.conf

Outgoing configuration of Telegraf (Output)

This guide describes how to configure the output side of Telegraf so that it forwards the security logs to your SIEM server.

Select the required output format (CEF or ECS) using the corresponding link.

Create Telegraf service

Once both the input and the output sections of telegraf.conf are configured, the Telegraf service must be re-created so that it runs with the customized configuration.

  1. Change to the Telegraf directory:

    cd "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf"
  2. Remove the default Telegraf service (the service name must match the one currently installed; check it with Get-Service or sc query first):

    telegraf.exe --service uninstall --service-name TelegrafGdmms --service-display-name "Telegraf (Gdmms)"
  3. Create a new Telegraf service that uses the customized telegraf.conf:

    telegraf.exe --service install --service-name telegraf-gdmms --service-display-name "Telegraf (Gdmms)" --config "C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf\telegraf.conf"
  4. Restart the G DATA Management Server service and the Telegraf (Gdmms) service once so that both pick up the new configuration.
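The four steps above, with the checks a practitioner would want afterwards, as an added PowerShell example that is not part of the original page and not G DATA's own script. It assumes the telegraf.exe shipped in the MMS Telegraf directory, the old and new service names used in the steps above (TelegrafGdmms and telegraf-gdmms), that Telegraf's input listens on TCP port 8099 (the TelegrafServerPort set in config.xml), and that the Management Server service's display name matches 'G DATA*ManagementServer*'.

```powershell
# Added example (not G DATA's own script): re-create the Telegraf service with
# the customized telegraf.conf and verify that it actually came up.
# Assumptions: telegraf.exe and telegraf.conf in the MMS Telegraf directory,
# old service TelegrafGdmms / new service telegraf-gdmms, Telegraf listening on
# TCP 8099 for MMS events, MMS service display name 'G DATA*ManagementServer*'.
$telegrafDir = 'C:\Program Files (x86)\G Data\G DATA AntiVirus ManagementServer\Telegraf'
$telegrafExe = Join-Path $telegrafDir 'telegraf.exe'
$configFile  = Join-Path $telegrafDir 'telegraf.conf'
$listenPort  = 8099   # assumption: equals TelegrafServerPort in config.xml

foreach ($f in @($telegrafExe, $configFile)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing file: $f" }
}

# Step 2: remove the default service. A non-zero exit here usually just means
# the service is not installed under that name, so only warn and continue.
& $telegrafExe --service uninstall --service-name TelegrafGdmms --service-display-name "Telegraf (Gdmms)"
if ($LASTEXITCODE -ne 0) {
    Write-Warning "Uninstall of TelegrafGdmms returned $LASTEXITCODE (not installed under that name?)"
    Get-Service | Where-Object { $_.DisplayName -like 'Telegraf*' } |
        Format-Table Name, DisplayName, Status
}

# Step 3: install the new service bound to the customized configuration.
& $telegrafExe --service install --service-name telegraf-gdmms --service-display-name "Telegraf (Gdmms)" --config $configFile
if ($LASTEXITCODE -ne 0) { throw "telegraf.exe --service install failed with exit code $LASTEXITCODE" }

# Step 4a: start Telegraf and make sure it stays up (a bad telegraf.conf
# typically shows as a service that stops again immediately).
Start-Service -Name telegraf-gdmms
Start-Sleep -Seconds 5
$svc = Get-Service -Name telegraf-gdmms -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    throw "telegraf-gdmms is not running (status: $($svc.Status)); check the Telegraf log for config errors"
}

# Check: the MMS-facing listener must exist on the configured port.
$listen = Get-NetTCPConnection -LocalPort $listenPort -State Listen -ErrorAction SilentlyContinue
if ($null -eq $listen) {
    Write-Warning "Nothing is listening on TCP $listenPort; verify the input section of $configFile"
} else {
    Write-Host "Telegraf is listening on TCP $listenPort (PID $($listen[0].OwningProcess))"
}

# Step 4b: restart the Management Server so it reconnects to the new listener.
Get-Service | Where-Object { $_.DisplayName -like 'G DATA*ManagementServer*' } | Restart-Service
Write-Host 'Telegraf (Gdmms) re-created; verify that events arrive at the SIEM.'
```

The script deliberately leaves $ErrorActionPreference at its default and checks $LASTEXITCODE explicitly, because telegraf.exe writes informational messages to stderr and a global 'Stop' setting would turn those into terminating errors on some PowerShell hosts.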