Security information and event management (SIEM) logs provide a centralized environment for network administrators to access and analyze security information and alerts from a variety of sources. Many organizations build a multilayered security solution on a multivendor tech stack, and then it becomes the security team’s challenge to cut through the clutter and achieve visibility.
This article looks at how to configure Amazon Simple Storage Service (Amazon S3) to receive Incapsula SIEM logs.
Overview
Incapsula allows you to push your account’s SIEM logs directly to a designated bucket in Amazon S3. Pushing your Incapsula SIEM logs to cloud storage lets you examine your log data in new ways. For example, your Incapsula SIEM logs can be combined with SIEM logs from other platforms to give you a single source of security issues across your entire tech stack.
We’ll demonstrate how to configure Incapsula to push SIEM logs to an Amazon S3 bucket by following these five major steps:
- Step 1 – Create an Amazon S3 bucket for your Incapsula SIEM logs
- Step 2 – Create access keys for your AWS account
- Step 3 – Copy a test file to your Amazon S3 bucket
- Step 4 – Check your Amazon S3 bucket for the copied test file
- Step 5 – Configure Incapsula to push SIEM logs to Amazon S3
Step 1 – Create an Amazon S3 Bucket for Your Incapsula SIEM Logs
As a first step, let’s create a new Amazon S3 bucket to hold our Incapsula SIEM log files.
- Use your web browser to sign in to your AWS account and go to the AWS Management Console.
- Select All services > Storage > S3.

- Click Create bucket to start the Create bucket wizard.
- In the Name and region step, enter a unique Bucket name, and select the Region where you want to store your bucket. Note: You cannot use the bucket name shown in the following illustration, incapsula-siem-logs, because it has already been used. Bucket names are global across all AWS accounts, so pick something specific to your organization, such as incapsula-siem-logs-company-name. Stick to lowercase letters, digits and hyphens: a name containing dots (for example incapsula-siem-logs.company_name.com) cannot be reached over HTTPS with the virtual-hosted-style URL, because the dot breaks the wildcard TLS certificate match.

- Click Next to go to the Set properties step.

- Recommended: Enable server access logging by clicking the Disabled link and specifying a target bucket and prefix for the access logs. These logs record every request made to your SIEM log bucket and are useful in security and access audits. Prefer a separate target bucket: logging a bucket to itself makes every log delivery generate a further log entry, and anyone who can write to the SIEM bucket could then also tamper with the record of their own access. The optional target prefix helps you tell the access-log objects apart. Click Learn more for additional information.

- Click Next to go to the Set permissions step, and then expand the Manage users section.

- Under Objects and Object permissions, make sure Read and Write permissions are enabled for the account Owner. Leave every public-access option off: SIEM logs contain client IP addresses, URLs and attack details that should never be world-readable. Then click Next to go to the Review step.

- Check your configuration settings. If you need to make changes, click the corresponding Edit link. When you are satisfied with your settings, click Create bucket.
You’ve now created a bucket with the configuration you need for holding your Incapsula SIEM log files.
Step 2 – Create Access Keys for Your AWS Account
Although as the account owner you can freely copy files to and from your new S3 bucket, enabling Incapsula to programmatically write to your Amazon S3 SIEM bucket requires an AWS access key (an access key ID plus a secret access key). There are two ways to get one:
- Use the access keys of your AWS root account – Not recommended. Root keys grant unrestricted access to everything in the account, while Incapsula only needs to write to one bucket. If a root key is ever exposed, the blast radius is your whole account.
- Create an access key for a dedicated IAM user – Recommended. Create an IAM user used only by Incapsula, attach a policy that allows s3:PutObject only on the SIEM bucket (plus s3:ListBucket on that bucket if the connection test needs to list the path), and generate an access key for that user. A leaked key can then at most add objects to that bucket.
The following steps show the console path to the page where access keys are created. The same Security credentials page exists for an IAM user (select the user under IAM > Users) and for the root account:
- Sign in to the AWS Management Console, either with your IAM administrator credentials or, if you really must use the root account, with your AWS account email address and password.
Note: If you previously signed in to the console with IAM user credentials, your browser might open your IAM user sign-in page. You can't use the IAM user sign-in page to sign in with your AWS account credentials. Instead, choose Sign-in using root account credentials to go to the AWS account sign-in page.
- In the top-left Services menu, choose IAM (or, from the account menu at the top right, choose My Security Credentials).

- Choose Continue to Security Credentials.

- Choose the user whose key you want to create (for a dedicated IAM user, click its user name under Users; for the root account this is the Your Security Credentials page).

- Select the Security credentials tab.

- Scroll down to Access keys and either reuse an existing key or choose Create access key.

To create an access key:
Choose Create access key, then record the access key ID and secret access key. After you close the dialog box, you can't retrieve the secret access key again; if you lose it, delete that key and create a new one.

- Copy the Access key ID and Secret access key, or choose Download .csv file. Store the pair in a password or secrets manager rather than a plain text file: it is all that Incapsula, or anyone else who obtains it, needs in order to write to your bucket.

You've now created an access key to use.
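The following script, added here as an example and not taken from the original article or from Incapsula, does Steps 1 and 2 from the command line instead of the console: it checks the bucket name against the S3 naming rules, creates and hardens the bucket (public access blocked, default encryption, server access logging to a separate bucket), and creates a dedicated IAM writer user whose inline policy allows nothing but writing under one prefix of that bucket. All bucket, region, user and prefix names are placeholders, the s3:ListBucket grant is an assumption about what the Incapsula connection test needs, and the functions that call aws require the AWS CLI configured with an identity allowed to manage S3 and IAM.

```shell
#!/bin/sh
# Added example, not from the original article: provision the SIEM bucket from
# Step 1 and the dedicated IAM writer from Step 2 with the AWS CLI.
# Every bucket, region, user and prefix name here is a placeholder; the
# functions that call "aws" need the CLI installed and configured with an
# identity allowed to manage S3 and IAM.

# Check a name against the S3 bucket naming rules: 3-63 characters, only
# lowercase letters, digits, hyphens and dots, starting and ending with a
# letter or digit, no "..", and not shaped like an IPv4 address.
# Returns 0 when the name is acceptable.  Global uniqueness can only be
# learned from the create-bucket call itself.
validate_bucket_name() {
    name="$1"
    [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
    printf '%s' "$name" | grep -Eq '^[a-z0-9][a-z0-9.-]*[a-z0-9]$' || return 1
    case "$name" in *..*) return 1 ;; esac
    printf '%s' "$name" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' && return 1
    case "$name" in
        *.*) echo "warning: dots in '$name' break virtual-hosted-style HTTPS; prefer hyphens" >&2 ;;
    esac
    return 0
}

# Print the least-privilege inline policy for the Incapsula writer: it may
# add objects under PREFIX (or anywhere in the bucket when PREFIX is empty)
# and list the bucket, nothing else.  s3:ListBucket is included on the
# assumption that Incapsula's connection test lists the target path; drop it
# if your test succeeds without it.  No Get/Delete means a leaked key cannot
# read or erase logs already written.
siem_writer_policy() {
    bucket="$1"; prefix="$2"
    if [ -n "$prefix" ]; then
        objects="arn:aws:s3:::$bucket/$prefix/*"
    else
        objects="arn:aws:s3:::$bucket/*"
    fi
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "$objects"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::$bucket"}
  ]
}
EOF
}

# Create and harden the bucket: block every form of public access, encrypt
# objects at rest by default, and send S3 server access logs to a separate
# bucket (LOG_BUCKET must already grant the S3 log delivery service write
# access).  us-east-1 is the one region that rejects a LocationConstraint.
create_siem_bucket() {
    bucket="$1"; region="$2"; log_bucket="$3"
    validate_bucket_name "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
    if [ "$region" = "us-east-1" ]; then
        aws s3api create-bucket --bucket "$bucket" --region "$region" || return 1
    else
        aws s3api create-bucket --bucket "$bucket" --region "$region" \
            --create-bucket-configuration "LocationConstraint=$region" || return 1
    fi
    aws s3api put-public-access-block --bucket "$bucket" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
    aws s3api put-bucket-encryption --bucket "$bucket" \
        --server-side-encryption-configuration \
        '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
    aws s3api put-bucket-logging --bucket "$bucket" --bucket-logging-status \
        "{\"LoggingEnabled\":{\"TargetBucket\":\"$log_bucket\",\"TargetPrefix\":\"$bucket/\"}}"
}

# Create the writer user, attach the policy above inline, and mint its access
# key.  The key ID and secret printed here are what go into the Incapsula
# Logs Setup page; the secret is shown once, so put it straight into a
# secrets manager.
create_siem_writer() {
    user="$1"; bucket="$2"; prefix="$3"
    policy_file=$(mktemp) || return 1
    siem_writer_policy "$bucket" "$prefix" > "$policy_file"
    aws iam create-user --user-name "$user" || { rm -f "$policy_file"; return 1; }
    aws iam put-user-policy --user-name "$user" --policy-name "${user}-s3-write" \
        --policy-document "file://$policy_file"
    rm -f "$policy_file"
    aws iam create-access-key --user-name "$user" \
        --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
}

# Example run against a real account (placeholder names):
#   create_siem_bucket incapsula-siem-logs-example us-west-1 s3-access-logs-example
#   create_siem_writer incapsula-siem-writer incapsula-siem-logs-example incapsula
```

The policy is deliberately write-only: Incapsula never needs to read logs back, so a key that leaks from its side, or from wherever you stored it, cannot be used to pull the access history of your sites. If you later want retention enforced as well, add S3 Object Lock or a lifecycle rule on the bucket rather than widening this user's permissions.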
Step 3 – (Optional) Copy a Test File to Your Amazon S3 Bucket
At this point, it’s a good idea to make sure everything is working. You can do this by using the AWS command-line tools to copy a file from your computer to your S3 bucket. Following these steps also confirms that your AWS access key ID and secret access key are working.
- Install the AWS Command Line Interface. For step-by-step instructions and links to the AWS CLI for Linux, Microsoft Windows and macOS, go to http://docs.aws.amazon.com/cli/latest/userguide/installing.html.
- From a command prompt, run aws configure and fill in the requested information as the AWS CLI prompts you for the following:
- AWS Access Key ID – The access key ID that you generated. The access key ID is listed on the Your Security Credentials page (or on the IAM user's Security credentials tab).
- AWS Secret Access Key – The secret key that you downloaded or copied for safekeeping. If you did not save your secret key, you cannot retrieve it from AWS; you must generate a new one.
- Default region name – The region you selected for your S3 bucket, given as the region code with no spaces, such as us-west-1. For a current list of S3 region codes, go to http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region.
- Default output format – Specify json, text, or table. For the purposes of pushing files from Incapsula, this setting does not matter.
You only need to specify these configuration parameters once per CLI installation. They remain in effect until you change them. Be aware that aws configure writes the key and secret in plain text to ~/.aws/credentials; if you run this test with the key you intend to give Incapsula, put it in a separate named profile (aws configure --profile incapsula) and remove that profile when you are done.
- Execute a directory listing of your bucket with the following command:
aws s3 ls s3://bucket_name
If successful, this command returns a list of zero or more files, depending on various settings, such as whether you have enabled access logs and whether any access has occurred that would result in log files.
- Copy a file to your bucket with the following command:
aws s3 cp path_name/file_name s3://bucket_name
If successful, this command returns the message:
upload: path_name/file_name to s3://bucket_name/file_name
You’ve now installed and configured the AWS CLI, confirmed your AWS key ID and secret key, and copied a file from your local computer to your S3 bucket.
Step 4 – (Optional) Check Your Amazon S3 Bucket for the Copied Test File
To confirm that your file is in your S3 bucket, you can perform the following steps:
- Execute a directory listing of your bucket with the following command:
aws s3 ls s3://bucket_name
Among the list of files in your bucket, make sure that the list contains the file you copied in the previous step.
- Sign in to your AWS account and go to the AWS Management Console.
- Select All services > Storage > S3.

- On the Amazon S3 page, under Bucket name, click the name of the bucket you created for your Incapsula SIEM logs.

- Verify that the file you copied is listed.

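The script below is an added example, not part of the original article or of Incapsula's tooling, that turns the Step 3 and Step 4 round trip into a check that can be repeated: after aws s3 cp, it reads the stored object's ETag back from a bucket listing and compares it with the local file's MD5. For a single-part upload S3's ETag is exactly that MD5, so a match proves the bytes arrived intact rather than merely that a key with the right name exists. Because it only needs s3:PutObject and s3:ListBucket, it also works with the restricted writer key from Step 2 and confirms that key is usable. Bucket and key names are placeholders, and the functions that call aws assume the CLI is installed and configured as in Step 3.

```shell
#!/bin/sh
# Added example, not from the original article: the Step 3/4 round trip with
# an integrity check.  After "aws s3 cp", the stored object's ETag is read
# back from a bucket listing and compared with the local file's MD5; for a
# single-part upload S3's ETag is exactly that MD5, so a match proves the
# bytes landed intact, not just that a key with the right name exists.
# Bucket and key names are placeholders; the aws calls need the CLI
# configured as described in Step 3.

# MD5 of a local file as lowercase hex (md5sum on Linux, md5 on macOS).
local_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Compare an ETag as S3 returns it (wrapped in literal double quotes) with a
# local file's MD5.  Returns 0 on match, 1 on mismatch, and 2 when the ETag
# has the "<hash>-<parts>" shape of a multipart upload (files above the CLI's
# multipart threshold, 8 MB by default), which is not an MD5 of the object.
etag_matches() {
    file="$1"
    etag=$(printf '%s' "$2" | tr -d '"')
    case "$etag" in *-*) return 2 ;; esac
    [ "$(local_md5 "$file")" = "$etag" ]
}

# Upload FILE to s3://BUCKET/KEY (KEY defaults to the file name) and verify it.
# Only s3:PutObject and s3:ListBucket are needed, so this works with the
# restricted writer key and doubles as a check that that key is usable.
roundtrip_check() {
    bucket="$1"; file="$2"; key="${3:-$(basename "$file")}"
    aws s3 cp "$file" "s3://$bucket/$key" || return 1
    etag=$(aws s3api list-objects-v2 --bucket "$bucket" --prefix "$key" \
             --query "Contents[?Key=='$key'].ETag | [0]" --output text) || return 1
    if [ -z "$etag" ] || [ "$etag" = "None" ]; then
        echo "FAIL: $key was not listed in s3://$bucket after upload" >&2
        return 1
    fi
    rc=0
    etag_matches "$file" "$etag" || rc=$?
    case $rc in
        0) echo "ok: s3://$bucket/$key ETag $etag matches local MD5" ;;
        2) echo "uploaded: s3://$bucket/$key is multipart; ETag is not an MD5, verify with a download instead" ;;
        *) echo "FAIL: s3://$bucket/$key ETag $etag differs from local MD5 $(local_md5 "$file")" >&2; return 1 ;;
    esac
}

# Example run (placeholder bucket and prefix):
#   printf 'siem upload test\n' > /tmp/siem-test.txt
#   roundtrip_check incapsula-siem-logs-example /tmp/siem-test.txt incapsula/siem-test.txt
```

Run the check with the same prefix you will enter in the Incapsula Path field, so that a failure points at the policy scoping on the writer key rather than at the bucket itself. Delete the test object afterwards with an identity that has s3:DeleteObject; the writer key deliberately cannot.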
Step 5 – Configure Incapsula to Push SIEM Logs to Amazon S3
Now that Amazon S3 is properly configured and you have your AWS access key, you’re ready to set up Incapsula to start pushing your SIEM log files to your S3 bucket.
- Use your web browser to go to https://my.incapsula.com/login, enter your Incapsula login credentials and click Sign in.
- Click Logs in the navigation panel.

- In the Logs Setup page, select Amazon S3.

- Enter the following:
- AWS Access Key ID in the Access key field.
- AWS Secret Access Key in the Secret key field.
- Path name for your S3 bucket location in the Path field.

- Click Test connection to verify that all your entries are correct. If the test fails, check that the access key belongs to the user whose policy allows writing to exactly that bucket and path, and that the secret key was pasted without surrounding whitespace.
That's all there is to configuring Incapsula to push your SIEM logs to an Amazon S3 bucket. Once logs are flowing, treat the access key like any other production credential: rotate it on your normal schedule, and review the bucket's server access logs for writes that did not come from Incapsula.