Netmotion VPN
This pack supports Syslog-based log ingestion from Netmotion VPN and includes parsing and modeling rules (XDM mapping) for Cortex XSIAM.
Supported Event types
- RPC Rule
- Security Binding Rule
- Security Authenticating Rule
- IMP Rule
Configure the Netmotion VPN Side
- Log in to the NetMotion Mobility console as an administrator.
- Navigate to Configure > Server Settings.
- In the left pane, select one of the following options:
  - For all servers, select Global Server Settings.
  - For a specific server, select the specific server name.
- Enable Syslog forwarding.
  a. Select Syslog – On / Off and check Turn syslog event logging on.
  b. Set Syslog – Server Host to your Broker VM’s IP/hostname.
  c. (Optional) Modify Syslog – Server Port (default is UDP 514).
- Save the settings.
Collect Events from Netmotion VPN
To use the collector, use the Broker VM option.
Configure the Broker VM side
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
Navigate to Settings > Configuration > Data Broker > Broker VMs.
Go to the apps tab and add the Syslog app. If it already exists, click the Syslog app and then click Configure.
Click Add New.
When configuring the Syslog Collector, set the following values (not relevant for CEF and LEEF formats):

| Parameter | Value |
| --- | --- |
| Protocol | Select UDP or TCP. |
| Port | Enter the port that Cortex XSIAM Broker VM should listen on for receiving forwarded events. |
| Vendor | Enter netmotion. |
| Product | Enter vpn. |