Integrate with Kiwi Syslog Server

In this topic, you will learn how to send Portnox™ Cloud alerts to on-premises SolarWinds Kiwi Syslog Server.

Important:
Portnox Cloud can send alerts to your on-premises SIEM in one of two ways: by using an on-premises portnox-siem Docker container, or by using on-premises LDAP Broker. We recommend using the Docker image, unless you already use LDAP Broker to integrate with your on-premises Active Directory authentication repository or OpenLDAP repository. Complete the first section of this topic and then choose either the second or the third section, depending on whether you use Docker or LDAP Broker.

Before you start, download and install Kiwi Syslog Server Free Edition on a physical or virtual machine.

Note:
These instructions can be easily adjusted for any other on-premises syslog listener. The configuration on the Portnox side remains the same; you just need to know how to set up your listener to accept syslog data on a local IP address using TCP port 514.

Configure Kiwi Syslog Server

In this section, you will configure the Kiwi Syslog Server to accept syslog data from Portnox Cloud.

  1. In the Kiwi Syslog Server Manager window, select the File > Setup option.

  2. In the Kiwi Syslog Server Setup window, select the Inputs > TCP option, and in the right-hand side pane, configure the following:

    1. Activate the Listen for TCP Syslog messages checkbox.
    2. In the TCP Port (1-65535) field, enter 514.
    3. Optional: In the Bind to address field, enter the IP address that you want to bind to, for example, the interface address in the same subnet as the LDAP Broker machine.
  3. Optional: If you’re using the free version of Kiwi Syslog Server, in the Kiwi Syslog Server Setup window, select the Inputs option, and in the right-hand side pane, in the Receive messages from below IP addresses section, add the IP address of the LDAP Broker machine.

Configure Portnox Cloud with the portnox-siem Docker container

In this section, you will learn how to configure Portnox™ Cloud to send alert data to the on-premises portnox-siem Docker container and then forward them to the on-premises Kiwi Syslog Server.

Note:
Complete this section only if you want to forward alert data via the portnox-siem Docker container. Skip this section if you want to forward alert data via LDAP Broker.
Note:
Before you start, install Docker on a local machine (physical or virtual) in the same subnet as your on-premises Kiwi installation. For more information about installing Docker, see our guides for using Docker with Portnox local RADIUS servers: Install Docker for Linux or Install Docker Desktop for Windows.
  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.

  3. Create a new SIEM integration.
    1. In the SIEM integration service section, click on the Add new SIEM link.

      The NEW SIEM INTEGRATION section opens.

    2. In the Type field, select the Custom option.

    3. In the Name field, enter the name for the new integration.

      In this example, we used the name Kiwi but you can use any name you like.

    4. In the Status field, select the Enabled option.

    5. In the Protocol type field, select the Syslog over TCP option.

    6. In the IP field, enter the private IP address of the machine where Kiwi Syslog Server is installed.

    7. In the Port field, type 514.

    8. In the Communication method field, select the Via Docker image: portnox-siem option.

    9. In the Data format field, select the CEF option.

    10. Click on the Save button to add the integration.

    11. In your list of SIEM integrations, click on the Edit button in the row representing the configuration that you just created.

    12. Click on the Copy command link under the Via Docker image: portnox-siem option.

    13. Paste the command in your shell or command line window on the machine where you installed Docker.
      Note:
      If you’re using Docker with Windows, replace the \ characters at the end of each line with ^ characters or remove the \ characters and paste the entire command as a single line.
      Note:
      To automatically update the SIEM integration Docker container, deploy the portnox-autoupdate container, as instructed in the following topic: Automatic updates for all Docker containers.
    14. Optional: Click on the Test button in the row representing the configuration that you just created.

      Result: You will see the following information in this row: Docker image: Active.

  4. Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
    Note:
    To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

    You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: Kiwi Syslog Server is receiving alerts from Portnox Cloud via the portnox-siem Docker container.

Configure Portnox Cloud with LDAP Broker

In this section, you will learn how to configure Portnox™ Cloud to send alert data to LDAP Broker and then forward them to the on-premises Kiwi Syslog Server.

Note:
Complete this section only if you want to forward alert data via LDAP Broker. Skip this section if you want to forward alert data via the portnox-siem Docker container.
  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.

  3. Create a new SIEM integration.
    1. In the SIEM integration service section, click on the Add new SIEM link.

      The NEW SIEM INTEGRATION section opens.

    2. In the Type field, select the Custom option.

    3. In the Name field, enter the name for the new integration.

      In this example, we used the name Kiwi but you can use any name you like.

    4. In the Status field, select the Enabled option.

    5. In the Protocol type field, select the Syslog over TCP option.

    6. In the IP field, enter the private IP address of the machine where Kiwi Syslog Server is installed.

    7. In the Port field, type 514.

    8. In the Communication method field, select the Via Portnox Cloud Directory Broker option.

    9. In the Data format field, select the CEF option.

    10. Click on the Save button to add the integration.

  4. Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
    Note:
    To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

    You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: Kiwi Syslog Server is receiving alerts from Portnox Cloud via LDAP Broker.