SecureTrack Integration with SIM/SIEM Systems

SecureTrack can be configured to send syslog notifications for specific events. These syslog messages can be collected by SIM/SIEM systems and further processed there.
All syslog messages are generated with priority value 5 (the <5> prefix shown in the formats below), which corresponds to:

  • severity level 5 - normal but significant condition
  • facility 0 - kernel message

You must first configure the SecureTrack server to send the messages.

SNMP Messages

New revision saved

Description

New revision received from a monitored device as a result of a "save" operation on the device

Syslog format

<5>Policy Saved: revision <revisionID> on <DeviceName> by <AdministratorName>

Sample syslog

<5>Policy Saved: revision 166 on FW1-Northwest by Daniel Zimer

Notes

Also available using SNMP Trap

New revision installed

Description

New revision received from a monitored device as a result of an "install" operation on the device

Syslog format

<5>Policy Saved: revision <revisionID> on <DeviceName> by <AdministratorName>

Sample syslog

<5>Policy Saved: revision 166 on FW1-Northwest by Daniel Zimer

Notes

Also available using SNMP Trap

New revision fetched by automatic polling

Description

New revision received from a monitored device as a result of scheduled polling of the device

Syslog format

<5>Automatic Policy Fetched: revision <revisionID> on <DeviceName>

Sample syslog

<5>Automatic Policy Fetched: revision 8 on Cisco_2801

Notes

Also available using SNMP Trap

New revision violates compliance policy

Description

New revision received as a result of a violation of one of the defined compliance policies (Available from version 6.1)

Syslog format

<5>Compliance policy '<Compliance policy name>' is violated by revision '<revisionID>', for policy package '<PolicyPackageName>', device '<DeviceName>'. Changed by '<AdministratorName>'.

Sample syslog

<5>Compliance policy 'Unauthorized access to internal LAN' is violated by revision '17', for policy package 'Standard', device 'Check Point perimeter'. Changed by 'Alex'.

Notes

None

Device connectivity change status

Description

Device connectivity with SecureTrack has changed

Syslog format

<5> Tufin SecureTrack, Server <SecureTrack ServerName>(<SecureTrack ServerID>):<DeviceName> <DeviceIP> (<DeviceID>):<new status>

Sample syslog

<5> Tufin SecureTrack, Server securetrack(1):Cisco_2801 192.168.1.50 (18):'Wrong arguments'

Notes

Possible values for 'new status':

For Check Point:

  • LEA session
  • LEA session was closed
  • Failed getting LEA Server DN
  • CPMI session established
  • CPMI server unavailable
  • Failed getting CPMI Server DN

For Cisco, Juniper, Fortinet (ssh):

  • ssh session established
  • Wrong arguments
  • ssh Host key mismatch
  • Connection timeout
  • Connection error
  • Wrong password
  • Unknown error
  • Wrong Enable password
  • Unsupported command
  • Authorization error! Insufficient permissions
  • Invalid virtual context name
  • No virtual domains on device
  • Virtual domain does not exist
  • ssh Failed
  • telnet session established
  • telnet Failed

License status change

Description

License status has changed

Syslog format

<5> Tufin SecureTrack, Server <SecureTrack ServerName>(<SecureTrack ServerID>):<DeviceName> <DeviceIP> (<DeviceID>):<new status>

Sample syslog

<5> Tufin SecureTrack, Server securetrack(1):Cisco_2801 192.168.1.50 (18):'expired'

Notes

Possible values for 'new status':

  • valid
  • no license
  • evaluation
  • expired
  • not valid yet
  • time sync
  • plug and play

Disk Usage on SecureTrack server – status change

Description

Disk usage status has changed

Syslog format

<5> Tufin SecureTrack, Server <SecureTrack ServerName>(<SecureTrack ServerID>):<DeviceName> <DeviceIP> (<DeviceID>):<new status>

Sample syslog

<5> Tufin SecureTrack, Server securetrack(1):Cisco_2801 192.168.1.50 (18):'Disk usage is OK'

Notes

Possible values for 'new status':

  • Disk usage status is OK
  • Disk space is low, Disk Usage above 80%
  • Disk space is low, Disk Usage above 90%. Rule usage data collection will be disabled
  • Disk space is low, Disk Usage above 95%. SecureTrack will stop monitoring devices

SecureTrack main process – status change

Description

The SecureTrack process has started or stopped

Syslog format

<5> Tufin SecureTrack, Server <SecureTrack ServerName>(<SecureTrack ServerID>):<DeviceName> <DeviceIP> (<DeviceID>):<new status>

Sample syslog

<5> Tufin SecureTrack, Server securetrack(1):Cisco_2801 192.168.1.50 (18):'SecureTrack process is down'

Notes

Possible values for 'new status':

  • SecureTrack process is down
  • SecureTrack process is running

High Availability failover

Description

Failover event occurred (in High Availability deployment only)

Syslog format

<5> Tufin SecureTrack, Server <SecureTrack ServerName>(<SecureTrack ServerID>):<DeviceName> <DeviceIP> (<DeviceID>):<new status>

Sample syslog

<5> Tufin SecureTrack, Server securetrack(1):Cisco_2801 192.168.1.50 (18):'HA configuration failover'

Notes

Possible values for 'new status':

  • HA configuration failover

Database replication error

Description

An error occurred in the database replication between high availability servers (in High Availability deployment only)

Syslog format

<5> Tufin SecureTrack, Server <SecureTrack ServerName>(<SecureTrack ServerID>):<DeviceName> <DeviceIP> (<DeviceID>):<new status>

Sample syslog

<5> Tufin SecureTrack, Server securetrack(1):Cisco_2801 192.168.1.50 (18):'Database replication problem'

Notes

Possible values for 'new status':

  • Database replication problem

Rule usage collection – status has changed

Description

This is an explicit alert on start/stop of rule usage data collection for a device. When rule usage collection is stopped due to an error, it is important to know and react to it. If not corrected, users see low or zero usage for certain rules/objects when in fact there were hits that SecureTrack did not record.

Syslog format

<5> Tufin SecureTrack, Server <SecureTrack ServerName>(<SecureTrack ServerID>):<DeviceName> <DeviceIP> (<DeviceID>):<new status>

Sample syslog

<5> Tufin SecureTrack, Server securetrack(1):Cisco_2801 192.168.1.50 (18):'Rule usage is being collected'

Notes

Possible values for 'new status':

  • Rule usage is being collected
  • Rule usage is not being collected
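The status-change events above (device connectivity, license, disk usage, main process, HA failover, database replication, rule usage) all share one syslog format and the same <5> priority, so a SIEM has to tell them apart by the quoted status text alone. The following parser is an added example, not code from Tufin or from this documentation: it covers every format on this page and classifies the shared-format messages using the status values listed above. The event and field names (event, revision, device, admin, server, ip, status) are my own choice.

```python
import re

# Message shapes documented on this page. PRI is always <5> (facility 0,
# severity 5), so PRI cannot be used to prioritise; whitespace after it varies.
_POLICY_SAVED = re.compile(r"^<5>\s*Policy Saved: revision (?P<revision>\d+) on (?P<device>.+?) by (?P<admin>.+)$")
_AUTO_FETCH = re.compile(r"^<5>\s*Automatic Policy Fetched: revision (?P<revision>\d+) on (?P<device>.+)$")
_COMPLIANCE = re.compile(
    r"^<5>\s*Compliance policy '(?P<policy>.+?)' is violated by revision '(?P<revision>\d+)', "
    r"for policy package '(?P<package>.+?)', device '(?P<device>.+?)'\. Changed by '(?P<admin>.+?)'\.$")
_STATUS = re.compile(
    r"^<5>\s*Tufin SecureTrack, Server (?P<server>[^(]+)\((?P<server_id>\d+)\):"
    r"(?P<device>.+?) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \((?P<device_id>\d+)\):'(?P<status>.+)'$")

# Shared-format events differ only by status text; values are the ones listed on this page.
_STATUS_CLASS = {
    "license": {"valid", "no license", "evaluation", "expired", "not valid yet", "time sync", "plug and play"},
    "process": {"SecureTrack process is down", "SecureTrack process is running"},
    "ha_failover": {"HA configuration failover"},
    "db_replication": {"Database replication problem"},
    "rule_usage": {"Rule usage is being collected", "Rule usage is not being collected"},
    "connectivity": {
        "LEA session", "LEA session was closed", "Failed getting LEA Server DN", "CPMI session established",
        "CPMI server unavailable", "Failed getting CPMI Server DN", "ssh session established", "Wrong arguments",
        "ssh Host key mismatch", "Connection timeout", "Connection error", "Wrong password", "Unknown error",
        "Wrong Enable password", "Unsupported command", "Authorization error! Insufficient permissions",
        "Invalid virtual context name", "No virtual domains on device", "Virtual domain does not exist",
        "ssh Failed", "telnet session established", "telnet Failed"},
}

def classify_status(status: str) -> str:
    # Disk messages are matched by prefix because the sample ('Disk usage is OK')
    # differs from the listed value ('Disk usage status is OK').
    if status.startswith(("Disk usage", "Disk space is low")):
        return "disk_usage"
    for cls, values in _STATUS_CLASS.items():
        if status in values:
            return cls
    return "unknown_status"  # surface rather than silently drop unexpected values

def parse_securetrack(line: str) -> dict:
    line = line.rstrip("\r\n")  # tolerate a trailing newline from a collector
    for event, rx in (("policy_saved", _POLICY_SAVED), ("policy_fetched", _AUTO_FETCH),
                      ("compliance_violation", _COMPLIANCE)):
        m = rx.match(line)
        if m:
            return {"event": event, **m.groupdict()}
    m = _STATUS.match(line)
    if m:
        return {"event": classify_status(m["status"]), **m.groupdict()}
    return {"event": "unparsed", "raw": line}
```

Because the PRI is identical for every message, any alerting (for example on 'Rule usage is not being collected' or 'SecureTrack process is down') has to key on the parsed event and status fields rather than on syslog severity.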