4.3 Understanding Event Destinations

An event destination is where Change Guardian sends incoming events for a particular policy. At the event destination you can view information about access to, and changes to, critical files, systems, and applications. It is also where you deploy alert rules to notify you of those changes. For more information about alerts, see Section 6.0, Understanding Alerts.

A policy must have at least one event destination. When you create a policy, it automatically uses the default event destination. When you install Change Guardian, the default event destination is the Change Guardian server. You can create and assign additional event destinations to meet your environment and regulatory needs. You can also change the default event destination setting.

If you set another event destination as the default, all new policies automatically use the new default location. Existing policies will continue to use their previously assigned event destinations. To change the event destinations for existing policies, see Assigning Event Destinations to Policies.

If your environment has multiple event destinations, and the default event destination is FIPS-enabled, some additional configuration steps are required. For more information, see Section 6.2.3, Ensuring Alternate Event Destinations Receive Alerts.

4.3.1 Creating an Event Destination

You can create event destinations using one of the following models:

  • REST Dispatcher. Sends events to the Change Guardian server or to NetIQ Sentinel.

  • Syslog Dispatcher. Sends events to a third-party SIEM or syslog server.

To create an event destination:

  1. Log in to the Policy Editor.

  2. Select Settings > Event Destinations.

  3. Click Add.

  4. Specify a unique name for the event destination.

  5. Specify one of the event destination models.

  6. Provide system information for the server where you want to send events.

  7. (Optional) If you want to send only the Change Guardian system events that match specific criteria, select the checkbox above the filter drop-down list, and provide filter criteria.

    Change Guardian uses the Lucene query language for filtering events. For more information, see Apache Lucene - Query Parser Syntax.

  8. Click OK.
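As an added example (not Change Guardian code, and not the product's actual filter engine), the following Python evaluates Lucene-style field:value filters of the kind entered in step 7, with AND, OR, NOT, parentheses, quoted values and trailing * wildcards, so you can check against constructed sample events which events a destination would receive before a filter is saved. The field names in the sample events (EventName, Path, User, Severity) are assumptions, not the product's schema, and bare adjacent terms are rejected rather than implicitly OR'd as Lucene does, so a typo cannot silently widen a filter.

```python
# Added example, not Change Guardian code: evaluates Lucene-style field:value filters.
import re
from fnmatch import fnmatchcase

_TOKEN = re.compile(r'\s*(\(|\)|\w[\w.]*:"[^"]*"|\w[\w.]*:[^\s()]+|AND|OR|NOT)')

def tokenize(query):  # strict: lowercase operators or stray characters are rejected
    if not re.fullmatch(rf"(?:{_TOKEN.pattern})*\s*", query):
        raise ValueError(f"malformed filter: {query!r}")
    return _TOKEN.findall(query)

def parse(tokens):  # recursive descent, precedence NOT > AND > OR; returns a predicate
    tokens = tokens + ["<end>"]  # sentinel so running off the end fails cleanly
    def term():
        tok = tokens.pop(0)
        if tok == "(":
            node = expr()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return node
        if tok == "NOT":
            return (lambda inner: lambda ev: not inner(ev))(term())
        field, sep, pattern = tok.partition(":")
        if not sep:
            raise ValueError(f"expected field:value, got {tok!r}")
        # A missing or misspelled field compares as empty and never matches.
        return lambda ev: fnmatchcase(str(ev.get(field, "")), pattern.strip('"'))
    def chain(sub, op, combine):  # left-associative binary operator
        node = sub()
        while tokens[0] == op:
            tokens.pop(0)
            node = (lambda l, r: lambda ev: combine(l(ev), r(ev)))(node, sub())
        return node
    conj = lambda: chain(term, "AND", lambda a, b: a and b)
    expr = lambda: chain(conj, "OR", lambda a, b: a or b)
    node = expr()
    if tokens != ["<end>"]:  # bare adjacent terms land here; Lucene would OR them
        raise ValueError(f"unexpected {tokens[0]!r}")
    return node

def route_events(filter_query, events):  # events this destination would receive
    matches = parse(tokenize(filter_query))
    return [ev for ev in events if matches(ev)]

SAMPLE_EVENTS = [  # constructed; field names are illustrative, not the product schema
    {"EventName": "FileModified", "Path": "/etc/passwd", "User": "root", "Severity": "5"},
    {"EventName": "FileRead", "Path": "/etc/motd", "User": "alice", "Severity": "1"},
    {"EventName": "ServiceStopped", "User": "svc", "Severity": "4"},
]
```

Run `route_events("EventName:File* AND NOT User:alice OR Severity:4", SAMPLE_EVENTS)` to see that only the FileModified and ServiceStopped events would reach the destination; a filter that fails to parse raises ValueError, so catch that before assigning the destination to a policy.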

4.3.2 Assigning Event Destinations to Policies

When you create a policy, it automatically uses the default event destination. If you want to send event data to another destination, add an event destination to the policy (or policy set). The new event destination can be either in addition to or instead of the default event destination. The updated event destination setting will take effect at the next heartbeat interval, when the asset computer reads the updated policy information.

To assign event destinations to a policy:

  1. Log in to the Policy Editor.

  2. Click Policy Assignment.

  3. Select an asset group or computer, and click Assign Policies.

  4. Select a policy set or policy and click Advanced.

  5. Select one or more event destinations to assign to the specified policy or policy set.

  6. Click OK.