SIEM Integration

This document provides instructions for integrating an Incapsula logs downloader script with a CentOS 8 system to retrieve logs from an Incapsula web application firewall and configure the script to run as a system service. It outlines installing dependencies like Python and OpenSSL, downloading the script, configuring API keys and log locations, and creating a systemd service unit file to automatically start the script on system boot.

Uploaded by

Sergio Bernal

SIEM integration

O.S.: CentOS 8

Dependencies

[centos@ip-10-0-0-207 ]$ sudo yum update
[centos@ip-10-0-0-207 ]$ sudo yum install python36
[centos@ip-10-0-0-207 ]$ sudo yum install gcc
[centos@ip-10-0-0-207 ]$ sudo yum install platform-python-devel   (CentOS 8)
[centos@ip-10-0-0-207 ]$ sudo yum install python3-devel           (CentOS 7)
[centos@ip-10-0-0-207 ]$ sudo pip3 install pycrypto
[centos@ip-10-0-0-207 ]$ sudo yum install openssl-devel
[centos@ip-10-0-0-207 ]$ sudo yum install swig
[centos@ip-10-0-0-207 ]$ sudo pip3 install M2Crypto
[centos@ip-10-0-0-207 ]$ sudo pip3 install urllib3                (CentOS 7)

Download script

[centos@ip-10-0-0-207 ]$ sudo yum install wget
[centos@ip-10-0-0-207 ]$ wget https://github.com/imperva/incapsula-logs-downloader/archive/refs/heads/master.zip
[centos@ip-10-0-0-207 ]$ sudo yum install unzip
[centos@ip-10-0-0-207 ]$ unzip master.zip
[centos@ip-10-0-0-207 ]$ cd incapsula-logs-downloader-master/
[centos@ip-10-0-0-207 ]$ sudo vi config/Settings.Config

Script configuration

[SETTINGS]
APIID=1234
APIKEY=XXXX-XXX-4b15-b323-af3fb1245af9
SAVE_LOCALLY=YES
PROCESS_DIR= /tmp/processed/
BASEURL=https://logs1.incapsula.com/8502_1824662/
USEPROXY=NO
PROXYSERVER=
SYSLOG_ENABLE=NO
SYSLOG_ADDRESS=
SYSLOG_PORT=
SYSLOG_PROTO=TCP
USE_CUSTOM_CA_FILE=YES
CUSTOM_CA_FILE=/home/centos/incapsula-logs-downloader-master/cert/mycertfile.pem

Run the Script

[centos@ip-10-0-0-207]$ sudo python3 /home/centos/incapsula-logs-downloader-master/script/LogsDownloader.py -c /home/centos/incapsula-logs-downloader-master/config

How to download the root CA cert (Firefox)

Click on the padlock

Click on More Information

Click on View Certificate

Click on the Root CA

Click on the PEM cert

How to create a Service

First create a shell script (startIncapsula.sh) under /usr/bin that contains the single line below:

python3 /home/centos/incapsula-logs-downloader-master/script/LogsDownloader.py -c /home/centos/incapsula-logs-downloader-master/config

Then create a unit file called incapsula.service under /lib/systemd/system:

[Unit]
Description=Incapsula WAF log download systemd service.
[Service]
Type=simple
ExecStart=/bin/bash /usr/bin/startIncapsula.sh
[Install]
WantedBy=multi-user.target

Copy this service file to /etc/systemd/system and make sure its mode is 644.

Start/Stop the service

systemctl start incapsula
systemctl stop incapsula
systemctl status incapsula

Start the service when system boots:

systemctl enable incapsula


Parameter            Value

APIID                Your API ID.

APIKEY               Your API key.

SAVE_LOCALLY         A Yes or No value that instructs Incapsula whether to keep the log files after they are processed. When set to No, the files are deleted. The default is YES.

PROCESS_DIR          The directory where Incapsula automatically saves the logs after extracting them. The default is /tmp/processed/

BASEURL              The URL of your logs repository in the Incapsula cloud. This URL is displayed in the Incapsula Administration Console Settings window as the Log Server URL field.

USEPROXY             Specify YES to use a proxy to download the files. The default is NO.

PROXYSERVER          If you choose to use a proxy server, type the proxy URL in the <https://1.1.1.1:8080> format.

SYSLOG_ENABLE        Type YES. A Yes or No value that instructs Incapsula whether to send the files by using syslog. The default is YES.

SYSLOG_ADDRESS       The IP address of the SIEM.

SYSLOG_PORT          514

USE_CUSTOM_CA_FILE   Set to YES in case the service's certificate is not in the bundle. The default is NO.

CUSTOM_CA_FILE       The file path of the custom certificate file.
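As an added check that is not part of this guide or of the Imperva downloader itself, the following Python snippet validates a Settings.Config body against the parameter rules in the table above (and the sample config shown earlier) before the script is started as a service; the sample config, its APIKEY and the syslog address are constructed placeholders.

```python
import configparser
import re
# Constructed sample mirroring the Settings.Config shown in this guide; the APIKEY is a made-up placeholder.
SAMPLE_OK = """[SETTINGS]
APIID=1234
APIKEY=d4f1c2a0-9b7e-4b15-b323-af3fb1245af9
SAVE_LOCALLY=YES
PROCESS_DIR= /tmp/processed/
BASEURL=https://logs1.incapsula.com/8502_1824662/
USEPROXY=NO
PROXYSERVER=
SYSLOG_ENABLE=YES
SYSLOG_ADDRESS=10.0.0.50
SYSLOG_PORT=514
SYSLOG_PROTO=TCP
USE_CUSTOM_CA_FILE=YES
CUSTOM_CA_FILE=/home/centos/incapsula-logs-downloader-master/cert/mycertfile.pem
"""
YES_NO = {"YES", "NO"}

def validate_settings(text):
    """Return the problems found in a Settings.Config body; an empty list means it passes."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if "SETTINGS" not in cp:
        return ["missing [SETTINGS] section"]
    s = cp["SETTINGS"]
    get = lambda k: s.get(k, "").strip()  # configparser already strips the stray space after '='
    problems = []
    def need(ok, msg):  # record msg when a check fails
        if not ok:
            problems.append(msg)
    for key in ("APIID", "APIKEY", "PROCESS_DIR", "BASEURL"):
        need(get(key), f"{key} is empty")
    need(get("APIID").isdigit(), "APIID must be numeric")
    need(not re.search(r"X{3,}", get("APIKEY")), "APIKEY still contains a placeholder")
    need(get("BASEURL").startswith("https://"), "BASEURL must use https://")
    need(get("PROCESS_DIR").startswith("/"), "PROCESS_DIR must be an absolute path")
    for key in ("SAVE_LOCALLY", "USEPROXY", "SYSLOG_ENABLE", "USE_CUSTOM_CA_FILE"):
        need(get(key).upper() in YES_NO, f"{key} must be YES or NO")
    if get("USEPROXY").upper() == "YES":  # proxy URL only matters when the proxy is on
        need(re.fullmatch(r"https?://[^\s/:]+:\d{1,5}", get("PROXYSERVER")), "PROXYSERVER must look like https://host:port when USEPROXY=YES")
    if get("SYSLOG_ENABLE").upper() == "YES":  # the SIEM target must be complete
        need(get("SYSLOG_ADDRESS"), "SYSLOG_ADDRESS is required when SYSLOG_ENABLE=YES")
        need(get("SYSLOG_PORT").isdigit() and 0 < int(get("SYSLOG_PORT")) < 65536, "SYSLOG_PORT must be 1-65535 when SYSLOG_ENABLE=YES")
        need(get("SYSLOG_PROTO").upper() in {"TCP", "UDP"}, "SYSLOG_PROTO must be TCP or UDP")
    if get("USE_CUSTOM_CA_FILE").upper() == "YES":
        need(get("CUSTOM_CA_FILE").endswith(".pem"), "CUSTOM_CA_FILE must be a .pem path when USE_CUSTOM_CA_FILE=YES")
    return problems
```

Because Settings.Config holds the API key, keep the file readable only by the account that runs the service.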
