S3 Log Storage

My OPSWAT Central Management offers an SIEM (Security Information Event Management) integration that can be found under Settings > Integrations > SIEM Integration.

When enabled, My OPSWAT Central Management writes its logs to the S3 buckets in AWS that the administrator has set up. The stored logs collect analytical data about the associated account and alert administrators about any of the triggered events selected in the integration. Using the integration, administrators can track and monitor patterns of activity that could become a potential threat to their infrastructure.

Setting up the integration

To set up the SIEM integration, administrators should proceed with the following steps:

  • Log into My OPSWAT Central Management. Navigate to Settings > Integrations > SIEM Integration.
  • Select Enable Log Storage.
  • Fill in the required fields based on the associated AWS account (For more information on setting this up, please review here).
  • Select the desired format for the logs (JSON or SYSLOG).
  • Select the events that will trigger an email notification. To save this configuration, it is required to select at least one event.
  • When completed, select Save.

Note: The sync of data between My OPSWAT Central Management and the S3 bucket is scheduled for every 5 minutes.

Receiving Logs

Once the initial setup is completed in My OPSWAT Central Management, administrators can access their logs from their S3 bucket after a triggered event. From the S3 bucket, administrators can download logs for review, auditing, or historical purposes. As mentioned above, the logs from triggered events come in two formats: JSON and SYSLOG. Administrators can choose either format based on their preference, as the contents are the same.

JSON


SYSLOG


Understanding Logs

Within these logs, there are key values that administrators can use when reviewing the data to further track down an affected device or account change.

Device

Key              Data Type  Description
timestamp        string     Timestamp when the event occurred
log_type         string     Log type (one of the values listed below)
details          string     Event details
device_id        string     ID of the device that the event occurred on
device_name      string     Name of the device that the event occurred on
device_username  string     Name of the user who was logged into the device when the event occurred
device_group     string     The device's group name

Log type values:

  • compliant: a device was considered compliant
  • noncompliant: a device was considered non-compliant
  • allow_device_access: device access was allowed
  • block_device_access: device access was blocked
  • deleted: a device was deleted by an admin
  • added: a device was enrolled to an account
  • critical_found: a device reported critical issues
  • process_scan_infection_found: a device reported threats
  • critical_cleared: a device reported no more critical issues
  • report_no_threat: a device reported no more threats
  • exempt_all: an admin exempted a device
  • unexempt: an admin unexempted a device
  • access_granted: a device was granted temporary access to a protected app
  • access_revoked: a device's temporary access to a protected app was revoked
  • unknown_device_detected: an unknown device was detected
  • unseen: a device was deleted by the unseen setting
  • deleted_user: a device was uninstalled by a user

Account

Key          Data Type  Description
timestamp    string     Timestamp when the event occurred
event        string     Description of the log type
details      string     Event details
admin_name   string     Name of the admin related to the event
admin_email  string     Email of the admin related to the event
log_type     string     Log type (one of the values listed below)

Log type values:

  • config: an admin changed the configuration
  • logon: an admin logged on
  • logout: an admin logged off
  • license_left: the account has [x] % license(s) left
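The following is an added example, not code from OPSWAT or from this page, showing how a reviewer might triage a downloaded JSON log using the device and account keys documented above. The page does not show the exact JSON layout, so one JSON object per line is an assumption, and the records below are constructed samples (not real output).

```python
import json

# Constructed sample records (not taken from the page); one JSON object per line is assumed.
DEVICE_LOG = """\
{"timestamp": "2024-05-01T10:00:00Z", "log_type": "compliant", "details": "Policies passed", "device_id": "dev-001", "device_name": "LAPTOP-01", "device_username": "alice", "device_group": "Finance"}
{"timestamp": "2024-05-01T10:05:00Z", "log_type": "process_scan_infection_found", "details": "Threat found", "device_id": "dev-002", "device_name": "LAPTOP-02", "device_username": "bob", "device_group": "Engineering"}
{"timestamp": "2024-05-01T10:06:00Z", "log_type": "critical_found", "details": "AV disabled", "device_id": "dev-003", "device_name": "LAPTOP-03", "device_username": "carol", "device_group": "Engineering"}
{"timestamp": "2024-05-01T10:09:00Z", "log_type": "critical_cleared", "details": "AV enabled", "device_id": "dev-003", "device_name": "LAPTOP-03", "device_username": "carol", "device_group": "Engineering"}
not json at all
"""
ACCOUNT_LOG = """\
{"timestamp": "2024-05-01T09:00:00Z", "event": "Admin logon", "details": "", "admin_name": "Dana", "admin_email": "dana@example.com", "log_type": "logon"}
{"timestamp": "2024-05-01T09:02:00Z", "event": "Configuration changed", "details": "SIEM integration disabled", "admin_name": "Dana", "admin_email": "dana@example.com", "log_type": "config"}
"""

# Device findings and the later log_type that closes each of them (from the table above).
CLEARS = {"process_scan_infection_found": "report_no_threat", "critical_found": "critical_cleared"}
# Account log types worth reviewing after every 5-minute sync.
ACCOUNT_WATCH = {"config", "license_left"}


def parse_records(text):
    """Parse newline-delimited JSON; return (records, count of malformed lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1  # counted, not silently dropped: a gap in the feed is itself a signal
    return records, bad


def open_findings(device_records):
    """Findings with no later clearing event, as (timestamp, device_id, log_type)."""
    state = {}  # (device_id, finding log_type) -> timestamp of the unresolved finding
    for rec in sorted(device_records, key=lambda r: r["timestamp"]):
        kind, dev = rec.get("log_type"), rec.get("device_id")
        if kind in CLEARS:
            state[(dev, kind)] = rec["timestamp"]
        for finding, clearing in CLEARS.items():
            if kind == clearing:
                state.pop((dev, finding), None)
    return sorted((ts, dev, kind) for (dev, kind), ts in state.items())


def account_changes(account_records):
    """Admin actions to review, as (timestamp, admin_email, log_type, details)."""
    return [(r["timestamp"], r.get("admin_email"), r["log_type"], r.get("details", ""))
            for r in account_records if r.get("log_type") in ACCOUNT_WATCH]
```

Run against a real download, `open_findings` lists devices still carrying a threat or critical issue, and `account_changes` surfaces configuration changes such as an admin turning the SIEM integration off.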