Integrate with Kiwi Syslog Server

In this topic, you will learn how to send Portnox™ Cloud alerts to on-premises SolarWinds Kiwi Syslog Server.

Before you start:

Integrate Portnox Cloud with on-premises Active Directory and install AD Broker.

AD Broker is required to send alerts to an on-premises SIEM solution. It connects with Portnox Cloud, receives log data, and forwards it to an on-premises syslog collector. Without AD Broker, the syslog collector on an internal IP would not be reachable.

Note: In an upcoming Portnox Cloud update, a Docker container with the same functionality will replace AD Broker in this setup. This will remove the need to use Active Directory as an authentication repository.
Download and install Kiwi Syslog Server Free Edition on a physical or virtual machine.

Note: These instructions can be easily adjusted for any other on-premises syslog listener. The configuration on the Portnox side remains the same; you just need to know how to set up your listener to accept syslog data on a local IP address using TCP port 514.

Configure Kiwi Syslog Server

In this section, you will configure the Kiwi Syslog Server to accept syslog data from Portnox Cloud via AD Broker.

In the Kiwi Syslog Server Manager window, select the File > Setup option.
In the Kiwi Syslog Server Setup window, select the Inputs > TCP option, and in the right-hand side pane, configure the following:
1. Activate the Listen for TCP Syslog messages checkbox.
2. In the TCP Port (1-65535) field, enter 514.
3. Optional: In the Bind to address field, enter the IP address that you want to bind to, for example, the interface address in the same subnet as the AD Broker machine.
Optional: If you’re using the free version of Kiwi Syslog Server, in the Kiwi Syslog Server Setup window, select the Inputs option, and in the right-hand side pane, in the Receive messages from below IP addresses section, add the IP address of the AD Broker machine.

Configure Portnox Cloud

In this section, you will learn how to configure Portnox™ Cloud to send alert data to AD Broker and then forward them to the on-premises Kiwi Syslog Server.

In the Cloud portal top menu, click on the Settings option.
In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.
Create a new SIEM integration.
1. In the SIEM integration service section, click on the Add new SIEM link.
  
  The NEW SIEM INTEGRATION section opens.
2. In the Type field, select the Custom option.
3. In the Name field, enter the name for the new integration.
  
  In this example, we used the name Kiwi but you can use any name you like.
4. In the Status field, select the Enabled option.
5. In the Protocol type field, select the Syslog over TCP option.
6. In the IP field, enter the private IP address of the machine where Kiwi Syslog Server is installed.
7. In the Port field, type 514.
8. In the Communication method field, select the Via CLEAR Directory Broker option.
9. In the Data format field, select the CEF option.
10. Click on the Save button to add the integration.
Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.

Note: To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: Kiwi Syslog Server is receiving alerts from Portnox Cloud.