System Log Forwarding

Is it possible to forward IdentityNow Virtual Appliance and cloud audit and security logs to a Security Information and Event Management tool (SIEM)?

I searched through the documentation and past posts, and there does not appear to be any direct support.

I did come across this post, which references using the web service API to pull IdentityNow cloud audit events. Is this still the only solution offered?

Unfortunately, I could not identify any supported solution for forwarding the virtual appliance logs. I would assume its self-updating functionality will interfere with any attempts at having a consistent forwarding solution.

Let me know if I missed something.

Yes, I would like to know as well.

I believe it is possible to do this (the VA is just a Linux box), but there may be some caveats on what is required to keep it working.

I am not sure your changes will persist beyond a VA upgrade. It might be nice to have SP comment/advise here on what parts of the VA persist/do not persist between VA versions.

If the log forwarding changes do not persist, you would need to build a remote scripted installer for the log forwarder, and then run that every time the VA is upgraded.

Okay, I was thinking the same thing. It makes sense if they are applying an updated image from the container, which overwrites your changes. So, I would need a way to automate the reconfiguration of the log forwarding…

Although, I would agree, it would be nice to see a reply from SP.

Thanks!

You could build an SSH process to connect to the VA and pull the logs. Once you have the logs, you can upload them to a SIEM. It is not recommended to put any scripts directly on the VA.

To help you get started, our CLI has a command for pulling and parsing logs from a VA.

For cloud audit and security logs, the end user only has access to the Search API, which you can use to search for the latest events every day and upload them to a SIEM.

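The Search API approach from the reply above, worked through as an added example (this is not SailPoint's code and not part of the original thread). It pulls the `events` index for a time window, pages with `sort`/`searchAfter`, de-duplicates across the overlap it re-reads on each run, and emits CEF lines a syslog-based SIEM can ingest. The `/v3/search` path, the `created:[A TO B]` query syntax, the `limit` query parameter and the event field names (`actor.name`, `target.name`, `status`, `ipAddress`, `technicalName`) are assumptions drawn from the public v3 Search API and should be checked against the tenant's API docs; the sample events and the offline transport at the bottom are constructed so the logic runs without a tenant.

```python
"""Incremental IdentityNow audit-event pull via the v3 Search API, rewritten as
CEF for a SIEM.  Added example, not SailPoint code.  Assumed (verify against the
tenant API docs): /v3/search path, 'events' index, created:[A TO B] query syntax,
sort/searchAfter pagination, 'limit' query parameter, and the event field names."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Iterator, Optional
from urllib.request import Request, urlopen

ISO = "%Y-%m-%dT%H:%M:%SZ"
SEARCH_PATH = "/v3/search"   # assumed endpoint path
PAGE_SIZE = 250              # assumed page size; the API caps 'limit'
Post = Callable[[str, dict], list]


def _parse(ts: str) -> datetime:
    """Parse an API timestamp, ignoring fractional seconds ('...05.123Z')."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def build_search_body(since: datetime, until: datetime,
                      search_after: Optional[list] = None) -> dict:
    """Query the 'events' index for one created-time window.  Sorting on created
    then id is a total order, so searchAfter never skips or repeats events that
    share a creation second."""
    query = f"created:[{since.strftime(ISO)} TO {until.strftime(ISO)}]"
    body = {"indices": ["events"], "query": {"query": query}, "sort": ["created", "id"]}
    if search_after:
        body["searchAfter"] = search_after
    return body


def http_post(base_url: str, token: str) -> Post:
    """Production transport: bearer-authenticated JSON POST.  The token comes from
    the OAuth client-credentials flow (not shown); run this off the VA, not on it."""
    def post(path: str, body: dict) -> list:
        req = Request(base_url + path, data=json.dumps(body).encode(), method="POST",
                      headers={"Authorization": f"Bearer {token}",
                               "Content-Type": "application/json"})
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return post


def iter_events(post: Post, since: datetime, until: datetime,
                page_size: int = PAGE_SIZE) -> Iterator[dict]:
    """Walk every page of the window; a short page means it is exhausted."""
    search_after = None
    while True:
        page = post(f"{SEARCH_PATH}?limit={page_size}",
                    build_search_body(since, until, search_after))
        yield from page
        if len(page) < page_size:
            return
        search_after = [page[-1]["created"], page[-1]["id"]]


def _hdr(v) -> str:   # CEF header fields escape backslash and pipe
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _ext(v) -> str:   # CEF extension values escape backslash, '=' and newline
    return str(v).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(ev: dict) -> str:
    """Map one audit event to a CEF line; failed actions get a higher severity."""
    status = ev.get("status", "")
    actor, target = ev.get("actor") or {}, ev.get("target") or {}
    ext = {"rt": ev.get("created"), "externalId": ev.get("id"), "act": ev.get("action"),
           "outcome": status, "suser": actor.get("name"), "duser": target.get("name"),
           "src": ev.get("ipAddress"), "cat": ev.get("type")}
    extension = " ".join(f"{k}={_ext(v)}" for k, v in ext.items() if v is not None)
    sig = ev.get("technicalName") or ev.get("action")
    return (f"CEF:0|SailPoint|IdentityNow|1|{_hdr(sig)}|{_hdr(ev.get('name') or sig)}|"
            f"{7 if status == 'FAILED' else 3}|{extension}")


def collect(post: Post, state: dict, now: Optional[datetime] = None,
            overlap_s: int = 60, page_size: int = PAGE_SIZE):
    """One forwarder run: re-read a small overlap before the checkpoint (search
    indexing lags creation), drop ids already forwarded, and return the CEF lines
    plus the checkpoint to persist for the next run."""
    now = now or datetime.now(timezone.utc)
    since = _parse(state["since"]) - timedelta(seconds=overlap_s)
    cutoff = now - timedelta(seconds=overlap_s)
    seen, lines, keep = set(state.get("seen", [])), [], []
    for ev in iter_events(post, since, now, page_size):
        if ev["id"] in seen:
            continue
        lines.append(to_cef(ev))
        if _parse(ev["created"]) >= cutoff:   # inside next run's overlap
            keep.append(ev["id"])
    return lines, {"since": now.strftime(ISO), "seen": keep}


# Constructed sample events (not real tenant output) plus an offline transport
# that honours the window and searchAfter, so pagination and dedupe run here.
SAMPLE_EVENTS = [
    {"id": "ev-001", "created": "2024-03-01T09:00:05.123Z", "action": "USER_LOGIN",
     "technicalName": "USER_LOGIN", "name": "User Login", "type": "AUTH", "status": "PASSED",
     "ipAddress": "203.0.113.10", "actor": {"name": "alice"}, "target": {"name": "alice"}},
    {"id": "ev-002", "created": "2024-03-01T09:00:05.123Z", "action": "USER_LOGIN",
     "technicalName": "USER_LOGIN", "name": "User Login", "type": "AUTH", "status": "FAILED",
     "ipAddress": "198.51.100.7", "actor": {"name": "bob"}, "target": {"name": "bob"}},
    {"id": "ev-003", "created": "2024-03-01T09:10:30.000Z", "action": "UPDATE",
     "technicalName": "ROLE_UPDATE", "name": "Role Updated | admin", "type": "ROLE_MANAGEMENT",
     "status": "PASSED", "ipAddress": "203.0.113.20", "actor": {"name": "admin"},
     "target": {"name": "Finance=Admins"}},
]


def make_fake_post(events: list, page_size: int) -> Post:
    ordered = sorted(events, key=lambda e: (e["created"], e["id"]))

    def post(path: str, body: dict) -> list:
        lo, hi = body["query"]["query"][len("created:["):-1].split(" TO ")
        hits = [e for e in ordered if _parse(lo) <= _parse(e["created"]) <= _parse(hi)]
        start = 0
        if "searchAfter" in body:
            key = tuple(body["searchAfter"])
            start = next(i + 1 for i, e in enumerate(hits) if (e["created"], e["id"]) == key)
        return hits[start:start + page_size]
    return post


if __name__ == "__main__":
    post = make_fake_post(SAMPLE_EVENTS, page_size=2)   # tiny pages to exercise paging
    state = {"since": "2024-03-01T08:00:00Z", "seen": []}
    for run_at in ("2024-03-01T09:01:00Z", "2024-03-01T09:15:00Z"):
        lines, state = collect(post, state, now=_parse(run_at), page_size=2)
        print(*lines, sep="\n")
```

In production the `state` dict is written to disk after each run and `http_post(base_url, token)` replaces the fake transport; the CEF lines go to the SIEM's syslog listener. The one-minute overlap is deliberate: search indexing is not instantaneous, so a forwarder that queries strictly from its last checkpoint will silently miss late-indexed events, and the `seen` list is what keeps the re-read from producing duplicates.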
