8.1 Configuring Event Destinations

An event destination is where Change Guardian sends incoming events for a particular policy. At the destination you can view information about access to, and changes in, critical files, systems, and applications, and you deploy alert rules there to notify you of those changes.

A policy must have at least one event destination. When you create a policy, it automatically uses the default event destination which is the Change Guardian server. You can also assign the policy to the syslog server or a third-party security information and event management (SIEM) tool.

You can create and assign additional event destinations to meet your environment and regulatory needs. You can also change the default event destination. If you set another event destination as the default, all new policies automatically use the new default location. Existing policies continue to use their previously assigned event destinations. To change the event destinations for existing policies, see Assigning Event Destinations.

If your environment has multiple event destinations, and the default event destination is FIPS-enabled, some additional configuration steps are required. For more information, see Configuring Event Destinations to Generate Alerts.

You can configure Change Guardian agents to send events to Sentinel, to leverage Sentinel capabilities. Starting with Sentinel 8.2, you can use the HTTP Server Connector and distribute Change Guardian assets across multiple Sentinel Collector Managers and multiple Event Source Servers to scale data collection. For information about the HTTP Server Connector, see the Connector documentation on the Sentinel Plug-ins Website. For information about Sentinel, see Sentinel Documentation.

The following sections describe how to create event destinations and how to assign them to policies.

8.1.1 Creating Event Destinations

Change Guardian evaluates event routing rules top-down on a first-match basis: the first rule whose filter criteria match an event is applied to that event, and later rules are not consulted for it. You can configure event routing rules to evaluate and filter all incoming events and deliver the selected events to designated output actions. For example, every severity 5 event can be logged to a file.

You can create event destinations using one of the following models:

  • REST Dispatcher: Forwards Change Guardian events directly from a Change Guardian agent to the Change Guardian or Sentinel server.

    NOTE:If you add an event destination, ensure that the user account associated with that destination has permissions to send events and attachments.

  • Syslog Dispatcher: Forwards Change Guardian events from the Change Guardian agent to the Change Guardian server, which in turn forwards them to a third-party SIEM or syslog server.

    NOTE:Change Guardian supports the Common Event Format (CEF) specification and can use the Syslog Dispatcher to forward events in that format. To make the event conform to CEF, the related event attributes might contain additional backslash (\) characters that escape the characters \, =, and |. To remove them, parse the events with a CEF parser.
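The following Python script is an added example, not code shipped with Change Guardian or Sentinel. It parses syslog lines carrying a CEF payload the way a CEF parser on the receiving SIEM would, removing the backslash escapes on \, = and | described in the note above (and the \n and \r escapes CEF allows in extension values), and then applies a simple routing rule of the kind described earlier in this section, selecting every event at severity 5 or above for a separate output. The sample lines, the vendor string, the signature IDs and the extension keys are constructed for illustration and are not captured from a real deployment.

```python
"""Parse CEF events received through a Syslog Dispatcher and route them by severity."""
from typing import Dict, List

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# CEF escape sequences. Header fields escape only '|' and '\'; the extension
# escapes '=' and '\' and may carry \n / \r for line breaks inside a value.
_ESCAPES = {"\\": "\\", "|": "|", "=": "=", "n": "\n", "r": "\r"}


def unescape(text: str) -> str:
    """Remove the backslash escapes CEF adds; an unknown escape keeps the character."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'k1=v1 k2=v2 ...' on unescaped '=' only, so 'key\\=value' stays inside a value."""
    eq_positions, i = [], 0
    while i < len(ext):
        if ext[i] == "\\":          # skip the escaped character, whatever it is
            i += 2
            continue
        if ext[i] == "=":
            eq_positions.append(i)
        i += 1
    # A key is the run of non-space characters immediately before an unescaped '='.
    key_starts = [ext.rfind(" ", 0, p) + 1 for p in eq_positions]
    fields: Dict[str, str] = {}
    for n, (ks, p) in enumerate(zip(key_starts, eq_positions)):
        value_end = key_starts[n + 1] if n + 1 < len(eq_positions) else len(ext)
        fields[ext[ks:p]] = unescape(ext[p + 1:value_end].rstrip(" "))
    return fields


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one syslog line carrying a CEF payload; raises ValueError if malformed."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    body = line[start + len("CEF:"):]
    header: List[str] = []
    cur: List[str] = []
    i = 0
    # The header ends after the seventh unescaped '|'; everything after it is the extension.
    while i < len(body) and len(header) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):   # '\|' or '\\' inside a header field
            cur.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            header.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(header) != 7:
        raise ValueError("malformed CEF header")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    event["extension"] = parse_extension(body[i:])
    return event


# CEF allows either a 0-10 number or a word; words map to the bottom of their range.
_SEVERITY_WORDS = {"low": 0, "medium": 4, "high": 7, "very-high": 9}


def severity_value(sev: object) -> int:
    """Numeric severity of an event, or -1 if the field is not a valid CEF severity."""
    s = str(sev).strip()
    return int(s) if s.isdigit() else _SEVERITY_WORDS.get(s.lower(), -1)


def select_by_severity(lines: List[str], minimum: int) -> List[Dict[str, object]]:
    """Routing rule: keep the events whose severity is at least `minimum`."""
    return [e for e in (parse_cef(line) for line in lines)
            if severity_value(e["severity"]) >= minimum]


# Constructed sample syslog lines (assumed vendor, signature IDs and keys), not real output.
SAMPLE_LINES = [
    r"<134>Jan 01 12:00:00 cg-server CEF:0|NetIQ|Change Guardian|6.0|1001|File Modified|5|"
    r"fname=C:\\Windows\\System32\\drivers\\etc\\hosts msg=key\=value changed suser=CORP\\alice",
    r"<134>Jan 01 12:00:01 cg-server CEF:0|NetIQ|Change Guardian|6.0|2002|Policy \| Rule Changed|3|"
    r"msg=no escaping needed here",
    r"<134>Jan 01 12:00:02 cg-server CEF:0|NetIQ|Change Guardian|6.0|3003|Registry Value Changed|5|"
    r"msg=line1\nline2 dvchost=srv01",
]

if __name__ == "__main__":
    # Route: every event at severity 5 or above would go to the file output.
    for event in select_by_severity(SAMPLE_LINES, 5):
        print(event["name"], event["extension"])
```

Two details matter in practice. The header is split on the first seven unescaped pipes only, because a pipe in an extension value is legal and must not be treated as a field separator. The extension is split on unescaped equals signs rather than on spaces, because values such as file paths and messages routinely contain spaces, and the `key\=value` form in the first sample line is exactly the extra backslash the note above warns about.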

To create an event destination:

  1. Log in to the web console, click CONFIGURATION > Events > Event Destinations.

  2. Click Add.

  3. Specify a unique name for the event destination.

  4. Specify one of the event destination models.

  5. Provide the connection details (IP address and port number) of the server to which you want to send events.

    For Sentinel, if you have deployed remote Collector Managers to receive events from Change Guardian agents, specify the IP address of the Collector Manager and port number of the Event Source Server. Otherwise, specify the IP address and port number of the Sentinel server.

    NOTE:If the Change Guardian server runs in FIPS mode, ensure that any new destination server you switch to also runs in FIPS mode.

  6. (Optional) To send only the Change Guardian system events that match specific criteria, select the check box above the filter drop-down list and provide the filter criteria.

    NOTE:The filter is applied to all event destinations configured on the server.

    Change Guardian uses the Lucene query language for filtering events. For more information, see Apache Lucene - Query Parser Syntax.

  7. Click OK.

NOTE:If more than one event destination is configured on a Change Guardian server, selecting a single event destination while creating a policy has no effect: the selected destination is ignored and events are sent to all configured event destinations.

For Sentinel, if you have deployed Collector Managers to receive events from Change Guardian agents, you must create an event destination for each Event Source Server.

8.1.2 Assigning Event Destinations

When you create a policy, it automatically uses the default event destination. If you want to send event data to another destination, add an event destination to the policy (or policy set). The new event destination can be either in addition to or instead of the default event destination. The updated event destination setting takes effect at the next heartbeat interval, when the agent reads the updated policy information.

To assign:

  1. Log in to the web console, click CONFIGURATION > Policies > Assign Policies.

  2. Select Agents or Agent Groups and click the edit icon under the Assign Unassign option.

  3. Select a policy set or policies to enable the Event Destinations option.

  4. Once it is enabled, click Event Destinations.

  5. Select a policy from the drop-down list and assign one or more event destinations.

  6. Click SAVE and APPLY.

NOTE:Policies that are part of a policy set are not shown in the Policies tab. They appear under Policy Sets and take the properties of the set. If an additional destination is assigned to the set, that assignment is retained after an upgrade. If an additional destination was assigned to a policy before the policy was moved into the set, that assignment is not retained after the upgrade, and because the policy is no longer listed under Policies it cannot be assigned to a destination separately.