When a security event is generated from one of your devices, the event information, including relevant forensics, is uploaded to your zConsole. This data can be pulled down into your environment and placed in a directory that your SIEM system polls for data import. The data is presented in JSON format, which makes it easy for any SIEM system to ingest the event and its associated forensics.
The Syslog Pull Module (SPM) is a bash script that runs cURL commands to access your Zimperium zConsole information securely. The output of the cURL command is your security events in JSON format; this output is stored directly in a file.
The SPM should be run from crontab to pull events. Note the following:
- The SPM automatically generates a new file for each request to the zConsole server.
- The SPM cleans up old files (currently configured to remove files older than a week).
- Requests are made over HTTPS.
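As an added illustration of the behaviour listed above (an HTTPS pull with cURL, a new file per request, removal of week-old files, invocation from crontab), here is a minimal SPM-style script. It is example code, not Zimperium's SPM: the console URL, the Bearer token header, the output directory and the sample event are placeholders or constructed values, and the real parameters come from Zimperium Support.

```shell
#!/bin/sh
# Added example of an SPM-style pull script; not Zimperium's own script.
# ZCONSOLE_URL, ZCONSOLE_TOKEN and the Bearer header are placeholders: use the
# parameters Zimperium Support provides for your tenant.
ZCONSOLE_URL="${ZCONSOLE_URL:-https://zconsole.example.invalid/api/events}"
ZCONSOLE_TOKEN="${ZCONSOLE_TOKEN:-REPLACE_WITH_SUPPORT_PROVIDED_TOKEN}"
SPM_OUT_DIR="${SPM_OUT_DIR:-/var/spool/spm}"   # directory the SIEM polls
SPM_RETENTION_DAYS=7                             # matches the one-week cleanup

# Constructed sample payload (illustrative shape only, not the zConsole schema).
SPM_SAMPLE_EVENT='[{"eventName":"SAMPLE_EVENT","severity":"Elevated","deviceId":"device-0001"}]'

# Store one pull (read from stdin) as a new, uniquely named JSON file.
# Prints the final path on success; returns 1 and leaves nothing behind otherwise.
spm_write_event_file() {
    dir="$1"
    mkdir -p "$dir" || return 1
    # Write to a hidden temp file first so the SIEM poller never ingests a partial file.
    tmpf=$(mktemp "$dir/.zevents_XXXXXX") || return 1
    cat > "$tmpf"
    # A failed or empty HTTPS response must not become an event file for the SIEM.
    case "$(head -c 1 "$tmpf")" in
        '['|'{') ;;
        *) rm -f "$tmpf"; echo "spm: response empty or not JSON, discarded" >&2; return 1 ;;
    esac
    final="$dir/zevents_$(date -u +%Y%m%dT%H%M%SZ)_${tmpf##*.zevents_}.json"
    mv "$tmpf" "$final" && printf '%s\n' "$final"
}

# Pull events from zConsole over HTTPS; --fail keeps HTTP error bodies out of the file.
spm_pull() {
    curl --silent --show-error --fail --tlsv1.2 --max-time 60 \
        -H "Authorization: Bearer $ZCONSOLE_TOKEN" "$ZCONSOLE_URL" \
        | spm_write_event_file "$SPM_OUT_DIR"
}

# Remove event files older than the retention window (a week, as the SPM does).
spm_cleanup() {
    find "$1" -name 'zevents_*.json' -type f -mtime +"$SPM_RETENTION_DAYS" -delete
}

# Crontab usage: "*/5 * * * * /opt/spm/spm.sh pull" and "0 3 * * * /opt/spm/spm.sh cleanup"
case "${1:-}" in
    pull)    spm_pull ;;
    cleanup) spm_cleanup "$SPM_OUT_DIR" ;;
esac
```

Because the writer validates the response before publishing it, a pull that fails at the network or HTTP layer leaves no file behind for the SIEM to ingest.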
To pull these events down to your environment so that they can be imported into your SIEM server, Zimperium Support needs to perform a one-time configuration and provide you with the required security parameters. Please open a ticket at support.zimperium.com for these details.
Once you receive these details, enter them in one of the following sample scripts to create your SPM script (sample scripts attached):
- Linux/Unix operating system - SIEM system supporting syslog format
- Linux/Unix operating system - SIEM system supporting non-syslog format (JSON only)
- Windows operating system - SIEM system supporting syslog format
For more details on the script, and on the options for changing the density of logging (Verbose vs. Concise) and the severity of threats reported (Normal, Low, Elevated, Critical), please refer to the zConsole-SIEM Integration Guide.