I know we have done integrations with Splunk, Nagios, etc. for event monitoring/alerting. I have a client who is asking about integration with their LogRhythm SIEM solution - has anyone done this, or have previous experience, or indeed have a doc that can be shared? This would be much appreciated.
I apologize for not getting to this sooner. I am not aware of any official implementations with LogRhythm. It is only mentioned a couple of times in previous Support cases, but based on what I can tell, it is certainly possible and was implemented by one customer in one case. However, with that said, I do not have any documentation around the API Gateway integration with LogRhythm specifically, unfortunately. If the LogRhythm agent must be installed on the API Gateway, then we have a general statement around third-party software which I will paste below, but note the most important thing is that doing so will not void your Support contract in any way.
## STATEMENT ON THIRD PARTY APPS ##
When possible, we recommend that you utilize the API Gateway's built-in functionality before installing external applications. When the API Gateway's built-in functionality does not meet your requirements, we permit our customers to install additional applications without terminating or negatively impacting the support agreement between your organization and ours.
As with any change to the API Gateway, we strongly recommend that thorough testing in non-critical environments is carried out before escalating the deployment to more business-critical production systems. Please keep in mind that we may request that this software / application be removed from the system during subsequent support requests where we feel the third-party application may be interfering with the proper operation of the API Gateway.
Lastly, we do not include updates for external applications, tools, or their dependencies in API Gateway patches or platform updates. Upgrading an appliance may cause previously working configurations of your third-party tool to break, and such action would not be supported by CA Technologies. Since we do not provide updates for these external applications, we also do not test them. As such, external applications may create security vulnerabilities in our product that would not be present on a certified API Gateway appliance.
## END OF STATEMENT ON THIRD PARTY APPS ##
I hope the answer above provides you with enough information, but if there are any further specific questions, please do not hesitate to reply.
Support Engineer, CA Technologies
Phone: +1 800 225 5224
Outside of North America - http://www.ca.com/us/worldwide.aspx
Go to Manage Log/Audit Sinks under the Tasks menu in Policy Manager. Create a new log sink. Give it a name, write the description, select syslog as the log type (LogRhythm supported), set the threshold to warning (if required) and add filters for logs like audits, gateway, PC or any custom logs. Under the Syslog Settings tab select the protocol (in my case TCP), add the host name or IP address of LogRhythm, select the facility (in my case 3 is good enough), select log hostname as well, select verbose format and UTF-8 as the char set, and select the existing gateway host timezone.
With this option you will now see logs on the LogRhythm servers, but mind you, you need to work with your SIEM team to create events for you.
I'd say look into the Splunk integration under the custom assertion document from CA, since it is easier to integrate and manageability is much easier.
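As an added example (not from the original thread, and not CA or LogRhythm code), a small Python checker that decodes the RFC 3164 `<PRI>` header of records arriving over a newline-framed TCP syslog sink like the one described above and flags anything that does not match the configured facility 3 and warning threshold. The sample records are constructed, and their message bodies are an assumption, since the post does not show the gateway's verbose format.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 3164: PRI = facility * 8 + severity. The post configures facility 3 (daemon) with a
# "warning" threshold (severity 4), so the sink should emit only facility 3, severity 0..4.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogRecord:
    facility: int
    severity: int
    body: str


def parse_record(line: str) -> Optional[SyslogRecord]:
    """Decode one syslog line's <PRI> header; return None if the header is malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest legal PRI: facility 23, severity 7
        return None
    return SyslogRecord(facility=pri >> 3, severity=pri & 7, body=m.group(2))


def audit_stream(payload: str, facility: int = 3, threshold: int = 4) -> Dict[str, int]:
    """Classify newline-framed TCP syslog records against the expected sink settings."""
    counts = {"accepted": 0, "wrong_facility": 0, "below_threshold": 0, "malformed": 0}
    for line in payload.splitlines():
        rec = parse_record(line)
        if rec is None:
            counts["malformed"] += 1
        elif rec.facility != facility:
            counts["wrong_facility"] += 1
        elif rec.severity > threshold:  # a larger number means a less severe record
            counts["below_threshold"] += 1
        else:
            counts["accepted"] += 1
    return counts


# Constructed sample stream (not real gateway output; the message bodies are invented).
SAMPLE_STREAM = (
    "<28>Jan 12 10:15:01 gw01 SSG: WARNING audit: policy failed assertion\n"  # daemon.warning
    "<27>Jan 12 10:15:02 gw01 SSG: SEVERE gateway: cluster node unreachable\n"  # daemon.err
    "<30>Jan 12 10:15:03 gw01 SSG: INFO gateway: heartbeat ok\n"  # daemon.info, below threshold
    "<12>Jan 12 10:15:04 gw01 app: warning from an unrelated source\n"  # user.warning, wrong facility
    "plain text without a PRI header\n"
)
```

Running `audit_stream(SAMPLE_STREAM)` on the constructed stream reports two accepted records, one below the threshold, one from the wrong facility and one malformed line, which is the kind of mismatch to resolve with the SIEM team before they build events on the feed.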