What is the best way to export in almost real-time the audit events from Delphix to SIEM such as ArcSight ?

  • 0
  • 1
  • Question
  • Updated 3 years ago
  • Answered
We have the security requirements to export in near real time all the operations performed on Delphix. I know that audit records are kept inside the product but the requirements clearly states that audit events must be exported as they are created.

My questions are as follow:
1) Is there a way to tell Delphix to send syslog messages to a remote destination ?
2) If syslog is not supported, what is my best bet to accomplish this task in near real time (+- 120 sec) ?
3) Is there a list of all possible "events" that Delphix can generate ? This is kind of a requirement that is hard to bypass if I have to write a parser to get it in ArcSight's format
4) For the displayed audit info already in the product, where is it located  and in which format ? Could I connect to that ?

Thanks
Dany
Photo of Dany Cossette

Dany Cossette

  • 80 Points 75 badge 2x thumb

Posted 3 years ago

  • 0
  • 1
Photo of Viral Shah

Viral Shah, Employee

  • 232 Points 100 badge 2x thumb
Official Response
Dany,

Audit information can be captured thru Syslog framework in our next major release which is scheduled in Q1 of this year. Leveraging Syslog functionality would be the most elegant and easy to implement route. Depending on your Security team requirement, you can dump or filter the relevant audit info using various 3rd party tools.

In the current DE 4.2 release, audit information is displayed thru GUI under Systems->Event Viewer option. Alternatively, you can leverage CLI framework to get the relevant info :

LandsharkEngine >cd action

LandsharkEngine action> ls

REFERENCE    USER           STARTTIME                 DETAILS                                                                 
ACTION-1212  delphix_admin  2015-02-09T19:53:03.410Z  Log in as user "delphix_admin" from IP "127.0.0.1".
...
....
ACTION-1206  -              2015-02-09T03:00:00.519Z  Run SnapSync for database "Dev-AgileMasking".
ACTION-1205  -              2015-02-09T03:00:00.052Z  Run SnapSync for database "QA-WebDB".
ACTION-1204  delphix_admin  2015-02-08T20:52:32.765Z  Log out user "delphix_admin".
ACTION-1203  delphix_admin  2015-02-08T20:44:23.081Z  Log in as user "delphix_admin" from IP "172.16.180.1".
ACTION-1202  -              2015-02-08T20:44:16.297Z  Failed attempt to log in as user "delphix_admin" from IP "172.16.180.1".
ACTION-1201  -              2015-02-08T08:30:01.831Z  Run SnapSync for database "Employee Oracle DB".
ACTION-1200  -              2015-02-08T08:30:01.000Z  Run SnapSync for database "Agile Masking".
ACTION-1199  -              2015-02-08T08:30:00.068Z  Run SnapSync for database "Employee Web Application".
ACTION-1198  delphix_admin  2015-02-08T08:06:26.490Z  Log in as user "delphix_admin" from IP "127.0.0.1".
ACTION-1197  delphix_admin  2015-02-08T07:50:04.285Z  Stop database source "Test".
ACTION-1196  delphix_admin  2015-02-08T07:50:00.149Z  Delete database "Test".
ACTION-1195  delphix_admin  2015-02-08T07:48:26.396Z  Log out user "delphix_admin".
ACTION-1194  delphix_admin  2015-02-08T07:48:15.735Z  Run SnapSync for database "Test".
ACTION-1193  delphix_admin  2015-02-08T07:45:00.839Z  Provision virtual database "Test".
ACTION-1192  delphix_admin  2015-02-08T07:44:59.067Z  Log in as user "delphix_admin" from IP "127.0.0.1".
ACTION-1191  delphix_admin  2015-02-08T07:44:44.347Z  Log out user "delphix_admin".
ACTION-1190  delphix_admin  2015-02-08T07:44:43.066Z  Log in as user "delphix_admin" from IP "127.0.0.1".
ACTION-1189  delphix_admin  2015-02-08T07:44:21.279Z  Log out user "delphix_admin".
ACTION-1188  delphix_admin  2015-02-08T07:44:20.147Z  Log in as user "delphix_admin" from IP "127.0.0.1".

One can massage this information using programming capability(e.g. perl/python) depending on your requirement.

Hope this helps.

-Viral Shah
Technical Manager, Customer Services