Ivanti Pulse Secure VTM
This pack includes Cortex XSIAM content.
Configuration on Server Side
You need to configure the Virtual Traffic Manager (VTM) to forward Syslog messages.
Open the VTM UI.
To forward event logs:
- Click the System tab and click Alerting.
- In the Alert Mappings section, make sure the action for Audit Events is set to Syslog.
- Click the Global Settings tab and click Logging.
- Set Whether to mirror the audit log to EventID to Yes.
- Under the Apply Changes section, click Update.
To set up forwarding of request logging per Virtual Server (VS):
- Click the Services tab, and under Virtual Servers, select a VS.
- Click the Request Logging section for the relevant VS.
- Under Remote Request Logging, perform the following:
  - Set syslog!enabled to Yes.
  - In syslog!ipendpoint, enter the IP address and port of your syslog collector.
  - Set syslog!msg_len_limit to 2048 (longer messages are truncated, so very long headers such as Cookie or User-Agent may be cut off).
  - In syslog!format, select the relevant syslog format:
    - For HTTPS traffic inspection based VSs, select the Simple connection log format.
    - For HTTP traffic inspection based VSs, select the custom format and enter:
      ```
      %t|%T|%h|%m %U|%{Content-Type}o|%s|%u|%b|%{Cookie}i|%{Referer}i|%{User-Agent}i
      ```
- In the Apply Changes section, click Update.
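The custom format above is pipe-delimited, with fields in exactly the order of the format string. The following is an added example, not part of this pack or of Ivanti's documentation: a Python parser for lines in that format, with constructed sample lines, that maps each specifier to a named field (the meanings are assumed from Apache-style log formats: %t request time, %T time taken, %h client address, %m %U method and path, %{Content-Type}o response Content-Type, %s status, %u remote user, %b bytes sent, and the three request headers) and flags lines that arrive short of the eleven fields or at the configured length limit, since those have been truncated. The 2048 limit is assumed to match the syslog!msg_len_limit set in the procedure.

```python
"""Parser for the custom pipe-delimited VTM request-log format.

Added example: not part of the pack or of Ivanti's documentation. Field
names and the meaning of each specifier are assumed from Apache-style formats.
"""
from dataclasses import dataclass
from typing import List, Optional

# Field order exactly as in the custom syslog!format string:
# %t|%T|%h|%m %U|%{Content-Type}o|%s|%u|%b|%{Cookie}i|%{Referer}i|%{User-Agent}i
FIELDS = ("time", "duration", "client", "request", "content_type", "status",
          "user", "bytes_sent", "cookie", "referer", "user_agent")
DELIM = "|"
# Assumed to match the syslog!msg_len_limit of 2048 set in the procedure above.
MSG_LEN_LIMIT = 2048


@dataclass
class RequestLog:
    time: str
    duration: Optional[float]
    client: str
    method: Optional[str]
    path: Optional[str]
    content_type: Optional[str]
    status: Optional[int]
    user: Optional[str]
    bytes_sent: Optional[int]
    cookie: Optional[str]
    referer: Optional[str]
    user_agent: Optional[str]
    truncated: bool  # short of fields, or the line reached the length limit


def _opt(value: str) -> Optional[str]:
    # Apache-style formats write "-" for an absent value; an empty string
    # appears only when a missing field was padded in after truncation.
    return None if value in ("", "-") else value


def _num(value: str, cast):
    value = _opt(value)
    if value is None:
        return None
    try:
        return cast(value)
    except ValueError:
        return None  # e.g. a numeric field cut in half at the truncation point


def parse_line(line: str, msg_len_limit: int = MSG_LEN_LIMIT) -> RequestLog:
    line = line.rstrip("\r\n")
    # Only the first ten "|" are structural. User-Agent is the last field and
    # may itself contain "|", so everything after the tenth delimiter is kept
    # together. A "|" inside Cookie or Referer would still shift the later
    # fields; that is an inherent limitation of a pipe-delimited format.
    parts = line.split(DELIM, len(FIELDS) - 1)
    truncated = len(parts) < len(FIELDS) or len(line) >= msg_len_limit
    parts += [""] * (len(FIELDS) - len(parts))
    raw = dict(zip(FIELDS, parts))
    method, _, path = raw["request"].partition(" ")
    return RequestLog(
        time=raw["time"].strip("[]"),
        duration=_num(raw["duration"], float),
        client=raw["client"],
        method=_opt(method),
        path=_opt(path),
        content_type=_opt(raw["content_type"]),
        status=_num(raw["status"], int),
        user=_opt(raw["user"]),
        bytes_sent=_num(raw["bytes_sent"], int),
        cookie=_opt(raw["cookie"]),
        referer=_opt(raw["referer"]),
        user_agent=_opt(raw["user_agent"]),
        truncated=truncated,
    )


def parse_lines(lines) -> List[RequestLog]:
    return [parse_line(line) for line in lines if line.strip()]


# Constructed sample lines in the custom format (not real VTM output).
SAMPLE_LINES = [
    "[10/Mar/2024:13:55:36 +0000]|0.012|203.0.113.45|GET /login|text/html|200|-|1234"
    "|session=abc123|https://example.com/|Mozilla/5.0 (X11; Linux x86_64)",
    # User-Agent that contains the delimiter itself
    "[10/Mar/2024:13:55:37 +0000]|0.003|198.51.100.7|POST /api/upload|application/json"
    "|401|-|87|-|-|curl/8.4.0|extra",
    # Cut short before the User-Agent field, as a truncated message would be
    "[10/Mar/2024:13:55:38 +0000]|0.250|203.0.113.45|GET /search|text/html|200|alice|51200"
    "|session=abc123|-",
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        flag = " TRUNCATED" if rec.truncated else ""
        print(f"{rec.client} {rec.method} {rec.path} -> {rec.status}{flag}")
```

Lines flagged truncated should be counted rather than dropped: a burst of them from one VS usually means the limit is too low for that application's headers, not that the data is bad.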
Collect Events from Vendor
To use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Right-click, and select Syslog Collector > Configure.
- When configuring the Syslog Collector, set the following values:
  - vendor: ivanti
  - product: vtm