7.1 Configuring Event Destinations

An event destination is where Change Guardian sends incoming events for a particular policy. You can view information about access and changes to critical files, systems, and applications. It is also where you deploy alert rules to notify you of those changes.

A policy must have at least one event destination. When you create a policy, it automatically uses the default event destination, which is the Change Guardian server. You can also assign the policy to the syslog server or to a third-party security information and event management (SIEM) tool.

You can create and assign additional event destinations to meet your environment and regulatory needs. You can also change the default event destination. If you set another event destination as the default, all new policies automatically use the new default location. Existing policies continue to use their previously assigned event destinations. To change the event destinations for existing policies, see Assigning Event Destinations.

If your environment has multiple event destinations, and the default event destination is FIPS-enabled, some additional configuration steps are required. For more information, see Configuring Event Destinations to Generate Alerts.

You can configure Change Guardian agents to send events to Sentinel, to leverage Sentinel capabilities. Starting with Sentinel 8.2, you can use the HTTP Server Connector and distribute Change Guardian assets across multiple Sentinel Collector Managers and multiple Event Source Servers to scale data collection. For information about the HTTP Server Connector, see the Connector documentation on the Sentinel Plug-ins Website. For information about Sentinel, see Sentinel Documentation.

The following sections provide information about creating and assigning event destinations.

7.1.1 Creating Event Destinations

Change Guardian evaluates the event routing rules on a first-match basis in top-down order and applies the first matched event routing rule to events that match the filter criteria. You can configure event routing rules to evaluate and filter all incoming events and deliver selected events to designated output actions. For example, each severity 5 event can be logged to a file.

You can create event destinations using one of the following models:

  • REST Dispatcher: Forwards Change Guardian events directly from a Change Guardian agent to the Change Guardian or Sentinel server.

    NOTE: If you add an event destination, ensure that the user account associated with that destination has permissions to send events and attachments.

  • Syslog Dispatcher: Forwards Change Guardian events from a Change Guardian agent to the Change Guardian server, which in turn forwards the events to a third-party SIEM or syslog server.

    NOTE: Change Guardian supports the Common Event Format (CEF) specification and can use the Syslog Dispatcher to forward events. Related event attributes might contain additional backslash (\) characters that escape the characters \, =, and | so that the event conforms to CEF. To remove them, parse the events with a CEF parser.
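The backslash escaping described in the note above is what a CEF consumer has to undo before it can match on attribute values. The following parser is an added example, not Change Guardian or Sentinel code; it splits the CEF header on unescaped `|`, finds extension keys only at unescaped `=`, and strips one backslash before `\`, `=`, and `|`. The sample event line, its vendor and product names, and its extension keys are constructed placeholders.

```python
import re

HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")


def unescape(value):
    """Drop one backslash before \\, | or =; leave any other sequence untouched."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def split_header(line):
    """Cut the 7 header fields on unescaped '|'; the remainder is the extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        if line[i] == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2])       # keep the escaped pair for unescape()
            i += 2
            continue
        if line[i] == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(line[i])
        i += 1
    return fields + [line[i:]]


def parse_cef(line):
    """Return (header dict, extension dict) with the escaping removed from both."""
    parts = split_header(line)
    if len(parts) != len(HEADER_FIELDS) + 1 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    header = {k: unescape(v) for k, v in zip(HEADER_FIELDS, parts[:-1])}
    header["version"] = header["version"][len("CEF:"):]
    # A key is a bare token followed by '='; an escaped '\=' can never start one.
    keys = list(re.finditer(r"(?:^|\s)([\w.\-]+)=", parts[-1]))
    ext = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(parts[-1])
        ext[m.group(1)] = unescape(parts[-1][m.end():end])
    return header, ext


# Constructed sample, not a real Change Guardian event: vendor, product,
# rule and file names are placeholders.
SAMPLE = (r"CEF:0|ExampleVendor|ExampleProduct|1.0|100|File changed\|attr set|5|"
          r"fname=C:\\temp\\a.txt msg=key\=value rule=a\|b")
```

Running `parse_cef(SAMPLE)` yields the header name `File changed|attr set` and the extension values `C:\temp\a.txt`, `key=value`, and `a|b`, which is what a downstream SIEM filter should match against.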

To create an event destination:

  1. In Policy Editor, select Settings > Event Destinations.

  2. Click Add.

  3. Specify a unique name for the event destination.

  4. Specify one of the event destination models.

  5. Provide system information of the server where you want to send events.

    For Sentinel, if you have deployed remote Collector Managers to receive events from Change Guardian assets, specify the IP address of the Collector Manager and port number of the Event Source Server. Otherwise, specify the IP address and port number of the Sentinel server.

    NOTE: When changing the event destination, ensure that the new destination server runs in FIPS mode if the Change Guardian server runs in FIPS mode.

  6. (Optional) If you want to send Change Guardian system events that only match specific criteria, select the check box above the filter drop-down list, and provide filter criteria.

    NOTE: The filter is applied to all event destinations configured on the server.

    Change Guardian uses the Lucene query language for filtering events. For more information, see Apache Lucene - Query Parser Syntax.

  7. Click OK.

NOTE: If more than one event destination is configured on a Change Guardian server, specifying a single event destination while creating a policy has no effect: the specified destination is ignored and events are sent to all configured event destinations.

For Sentinel, if you have deployed Collector Managers to receive events from Change Guardian assets, you must create an event destination for each Event Source Server.

7.1.2 Assigning Event Destinations

When you create a policy, it automatically uses the default event destination. If you want to send event data to another destination, add an event destination to the policy (or policy set). The new event destination can be either in addition to or instead of the default event destination. The updated event destination setting takes effect at the next heartbeat interval, when the asset reads the updated policy information.

To assign event destinations to a policy:

  1. Log in to Policy Editor.

  2. Click Policy Assignment.

  3. Select an asset or asset group, and click Assign Policies.

  4. Select a policy set or policy and click Advanced.

  5. Select one or more event destinations to assign to the specified policy or policy set.

  6. Click OK.