Configuring receipt of CommuniGate Pro events
You can configure the receipt of CommuniGate Pro 6.1 events in KUMA. Integration is only possible when sending events via syslog using the TCP protocol. The resources described in this article are available for KUMA 3.0 and newer versions. Processing of SIP module events is supported (such events contain the "SIPDATA" character sequence).
Configuring event receiving consists of the following steps:
- Configuring CommuniGate Pro to send events
- Configuring the KUMA collector for receiving CommuniGate Pro events
- Verifying receipt of CommuniGate Pro events in the KUMA collector
You can verify that the CommuniGate Pro event source server is correctly configured in the Searching for related events section of the KUMA Console.
The CommuniGate Pro system generates an audit event as several separate records that look like this:
<event code> timestamp ID direction: information from base event 1
<event code> timestamp ID direction: information from base event 2
<event code> timestamp ID direction: base information n
A set of KUMA resources is used to process CommuniGate Pro events; this set of resources must be applied when creating a collector:
- Normalizer
- Aggregation rule
- Filters for destinations
The collector aggregates multi-line base events based on event ID, normalizes them, and sends the aggregated event to the storage and the correlator.
The aggregated event has the following form:
Service information from the aggregation rule: ID: information from base event 1, information from base event 2, information from base event n
After aggregation, the received event is sent to the same collector where the aggregated event is normalized.
Processing algorithm for CommuniGate Pro events
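The grouping step described above, as an added example that is not KUMA's aggregation rule or any Kaspersky code: it parses records in the schematic layout shown on this page and merges them by event ID. The concrete field syntax in the regular expression, the sample records, and the "aggregated" prefix (standing in for the service information from the aggregation rule) are assumptions.

```python
import re
from collections import OrderedDict

# Assumed concrete syntax for the page's schematic layout
# "<event code> timestamp ID direction: information".
RECORD = re.compile(
    r"^<(?P<code>\d+)>\s+(?P<ts>\S+)\s+(?P<id>\S+)\s+(?P<dir>\w+):\s*(?P<info>.*)$"
)

# Constructed sample records, not real CommuniGate Pro output.
SAMPLE = [
    "<134> 10:15:01.101 SIPDATA-000017 inp: INVITE sip:bob@example.test",
    "<134> 10:15:01.102 SIPDATA-000018 out: SIP/2.0 100 Trying",
    "<134> 10:15:01.103 SIPDATA-000017 inp: From: <sip:alice@example.test>",
    "not a record",
    "<134> 10:15:01.104 SIPDATA-000017 inp: Call-ID: c0ffee@example.test",
]


def aggregate(lines, prefix="aggregated"):
    """Group base records by ID; return (aggregated lines, rejected lines)."""
    groups = OrderedDict()  # ID -> information fields in arrival order
    rejected = []
    for line in lines:
        m = RECORD.match(line.strip())
        if m is None:
            # Keep unparsed input visible instead of dropping it silently,
            # so a format change on the sender shows up as a gap you can see.
            rejected.append(line)
            continue
        groups.setdefault(m["id"], []).append(m["info"])
    merged = [f"{prefix}: {eid}: {', '.join(infos)}" for eid, infos in groups.items()]
    return merged, rejected


if __name__ == "__main__":
    events, bad = aggregate(SAMPLE)
    for event in events:
        print(event)
    print(f"{len(bad)} line(s) did not match the record layout")
```

Interleaved records from different IDs end up in separate aggregated events, which is why the ID field, not arrival order, has to be the grouping key.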
Configuring CommuniGate Pro to send events
By default, CommuniGate Pro audit events are sent to .log files in the /var/CommuniGate/SystemLogs/ directory.
To send events to KUMA, you need to install the KUMA agent on the CommuniGate Pro server and configure it to read the .log files in the /var/CommuniGate/SystemLogs/ directory and send them to the KUMA collector over TCP.
To create an agent that will read and send events to KUMA:
- In the KUMA Console, go to Resources and services → Agents and click Add.
- This opens the Create agent window; in that window, on the Basic settings tab, in the Name field, specify the agent name.
- On the Config #1 tab, fill in the following fields:
  - In the Connector group of settings on the Basic settings tab, set the following values for the connector:
    - In the Name field, enter a name, for example, "CommuniGate file".
    - In the Type drop-down list, select file.
    - In the File path field, enter the following value:
      /var/CommuniGate/SystemLogs/.*.log
  - In the Destinations group of settings on the Basic settings tab, set the following values for the destination:
    - In the Name field, enter a name, for example, "CommuniGate TCP collector".
    - In the Type drop-down list, select tcp.
    - In the URL field, enter the FQDN or IP address and port of the KUMA collector.
- Click the Create button.
- When the agent service is created in KUMA, install the agent on the network infrastructure devices from which you want to send data to the collector.
Configuring a KUMA collector for receiving and processing CommuniGate Pro events
To configure a KUMA collector for receiving CommuniGate Pro events:
- Import the [OOTB] CommuniGate Pro package from the KUMA repository. The package is available for KUMA 3.0 and newer versions.
- Create a new collector, and in the Collector Installation Wizard, configure the following:
  - At the Transport step, in the Type field, select the tcp type, and in the URL field, specify the FQDN or IP address and port of the collector.
  - At the Event parsing step, click Add event parsing, and in the displayed Basic event parsing window, in the Normalizer drop-down list, select the [OOTB] CommuniGate Pro normalizer.
  - At the Event aggregation step, click Add aggregation rule, and in the displayed Event aggregation window, in the Aggregation rule drop-down list, select [OOTB] CommuniGate Pro. Aggregation rule.
  - At the Routing step, click Add and in the displayed Create destination window, create three destination points one by one: the same collector with the name "Loop", a storage, and a correlator.
    - Create a destination named "Loop" with the following parameters:
      - On the Basic settings tab, in the Type drop-down list, select the tcp transport type; in the URL field, specify the FQDN or IP address and port of the collector that you specified before at step 2.1 of these instructions.
      - On the Advanced settings tab, in the Filter drop-down list, select the [OOTB] CommuniGate Pro. Filter for event aggregation filter.
      This configuration is necessary to send the aggregated event to the same collector for subsequent normalization.
    - Create a correlator destination:
      - On the Basic settings tab, in the Type drop-down list, select correlator and fill in the URL field.
      - On the Advanced settings tab, in the Filter drop-down list, select the [OOTB] CommuniGate Pro. Aggregated events to storage and correlator filter.
    - Create a storage destination:
      - On the Basic settings tab, in the Type drop-down list, select storage and fill in the URL field.
      - On the Advanced settings tab, in the Filter drop-down list, select the [OOTB] CommuniGate Pro. Aggregated events to storage and correlator filter.
    This configuration is necessary to send the aggregated normalized event to storage and the correlator.
- Click the Create button.
The collector service is created with the settings specified in the KUMA Console. The command for installing the service on the server is displayed.
- Copy the collector installation command and run it on the relevant server.
The collector is configured to receive and process CommuniGate Pro events.