Nasuni File Services

This pack supports Syslog-based log ingestion from Nasuni File Services and includes parsing and modeling rules (XDM mapping) for Cortex XSIAM.

Supported Event types

Volume audit logs.

Log in to the Nasuni Management Console (NMC) with admin rights.
Go to: Volumes.
For each relevant volume:
- Ensure File System Auditing is enabled.
- Set Output Type to Syslog.
Go to: Filers > Syslog Export Settings.
Select the Edge Appliance(s) and click Edit Filers.
In the Servers text box enter the IP or Hostname of your Broker VM in the following format - IP:port (example - <your-broker-ip>:<port>).
If no port is specified it will default to UDP 514 (the system support log forwarding via UDP only).
Set the following settings:
- Send Auditing Messages: On.
- Facility: local1 (recommended).
- Log Level: Info or higher.
Click Save Settings.

Nasuni audit logs are sent in RFC 5424 syslog format with a JSON payload.

In order to use the collector, use the Broker VM option.

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

Navigate to Settings > Configuration > Data Broker > Broker VMs.
Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
Click Add New.
When configuring the Syslog Collector, set the following values (not relevant for CEF and LEEF formats):
-----------------------------------------------------------------------------------------------------------------------------------------------------------
| Parameter: : | Value : |
|-------------------------|-------------------------------------------------------------------------------------------------------------------------------|
| Protocol | Select UDP |
| Port | Enter the port that Cortex XSIAM Broker VM should listen on for receiving forwarded events from NMC |
| Vendor | Enter nasuni |
| Product | Enter file_services |