Fortinet black logo

External Systems Configuration Guide

Alicide.io KAudit

Alcide.io KAudit

Integration Points

Protocol Information Collected Used For
Syslog Audit logs Security and Compliance Monitoring

Event Types

Go to RESOURCES > Event Types and search "AlcideKAudit" in the main content panel Search... field.

Configuration

Configuring Alcide.io to Send Logs

Follow the steps listed here to send syslog to FortiSIEM.

  1. In the target section of the ConfigMap, set the following:
    1. Target-type = syslog
    2. Syslog host = <fortisiem.host.com>
    3. Syslog port = 514
    4. Syslog-tcp = false
Configuring FortiSIEM to Receive Logs

No configuration is needed. FortiSIEM can automatically detect and parse Alcide.io logs based on the built in parser.

Sample Log

<109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel","etype":"cluster","reasons":[{"values":{"high":[1]},"doc":"change in count of unique unusual URIs in read access attempts","period":180000,"direction":"read"}],"time":1582873380000,"short-doc":"change in targets of access attempts","project":"alcide-rnd","context":{"unusual-uri":["LHUt"]},"period":180000,"eid":"cluster","confidence":"high","doc":"unusual change in count of unique unusual URIs in access attempts","direction":"read"}

Alcide.io KAudit

Integration Points

Protocol Information Collected Used For
Syslog Audit logs Security and Compliance Monitoring

Event Types

Go to RESOURCES > Event Types and search "AlcideKAudit" in the main content panel Search... field.

Configuration

Configuring Alcide.io to Send Logs

Follow the steps listed here to send syslog to FortiSIEM.

  1. In the target section of the ConfigMap, set the following:
    1. Target-type = syslog
    2. Syslog host = <fortisiem.host.com>
    3. Syslog port = 514
    4. Syslog-tcp = false
Configuring FortiSIEM to Receive Logs

No configuration is needed. FortiSIEM can automatically detect and parse Alcide.io logs based on the built in parser.

Sample Log

<109>Feb 28 07:09:18 AlcideKAudit: {"category":"anomaly","cluster":"devel","etype":"cluster","reasons":[{"values":{"high":[1]},"doc":"change in count of unique unusual URIs in read access attempts","period":180000,"direction":"read"}],"time":1582873380000,"short-doc":"change in targets of access attempts","project":"alcide-rnd","context":{"unusual-uri":["LHUt"]},"period":180000,"eid":"cluster","confidence":"high","doc":"unusual change in count of unique unusual URIs in access attempts","direction":"read"}