Each data source type has a specific plug-in that filters and parses the events from the data source, and converts them to a standard Guardium format. The first time that you add a connector of a specific data source type, you need to upload its plug-in. On the Plugins_management.md page, refer to the "Downloads" column for the list of plug-ins available for Guardium Insights. Click the "GI" hyperlink for the plug-in you wish to download.
The universal connector configuration has a few parts, all described in this task:
- Configuring the connection between Guardium Insights and the data source
- Downloading the certificate (when using Filebeat input type)
- Click Connections in the Settings menu.
- Click Add connection. The Connect to new data source page opens, with a card for each available data source type.
- Select the data source type. This opens a panel that aids you in initiating the connection.
  a. Select data source environment: Select the environment that hosts your data source.
  b. Select connection method: Select Universal Connector.
  c. The remainder of the panel provides Additional information about the connection type that you are creating.
  d. After reading the Additional information, click Configure.
- Enter the details for this connection.
  a. In the Name and description page, enter this information:
     i. Name: A unique name for the connection. This name distinguishes this connection from all other Guardium Insights connections.
     ii. Description: Enter a description for the connection.
  b. Click Next.
  c. In the Build pipeline page, use the Choose input plug-in menu to select your input plug-in. Then select a filter plug-in by using the Choose a filter plug-in menu.
  d. Click Next.
  e. Follow the instructions according to the input plug-in type you selected in step c.
- In the Additional info page, enter a Data source tag: This tag uniquely identifies the incoming Filebeat stream. This tag will be added later to the Filebeat configuration so that Filebeat will tag every event with this tag. For example, specify `any-mongodb` in this field.
- Click Configure.
- In the Configuration notes page, click Download certificate to download the universal connector certificate authority to your local system. Copy the certificate to the data source (it will be added to the Filebeat configuration later). All data sources of any one specific type use the same certificate.
- Click Done.
- To configure the data source to communicate with Guardium Insights, follow the instructions in the last section on this page: Configuring Filebeat to forward audit logs to Guardium. Copy the hostname in the Configuration Notes to configure the host in the filebeat.yml file on your data source.
- On the Additional info page, specify the details of the connection you want to create:
  - AWS Role ARN (optional) - this is used to generate temporary credentials, typically for cross-account access. See the AssumeRole API documentation for more information.
  - AWS access key ID and AWS secret access key - your AWS user account access key and the secret access key (for more information, click here). These parameters are mandatory if you are using the CloudWatch or SQS input plug-ins in Guardium Insights. Note that unlike other Guardium deployments, in Guardium Insights configuring only role_arn without access_key_id and secret_access_key is not a valid option.
  - AWS account region - for example, "us-east-1".
  - Event filter (optional) - specify the filters to apply when fetching resources. For example, for filtering an S3 event based on a bucket name: `'{$.eventSource = "s3.amazonaws.com" && $.requestParameters.bucketName = "give bucket name"}'`.
  - Account id (Mandatory) - your AWS account ID (For more information, click here).
  - Cloudwatch Log Group name - specify the log group that is created for your data instance. For example, "/aws/rds/instance/any_instance/any_log_group".

NOTE: Due to the possibility of Cloudwatch reporting events multiple times for plug-ins configured for Guardium Insights, it is recommended to use SQS instead.
Add a connection using the steps in the Filebeat input plug-in configuration section. Refer to the Configuration notes page for the data source tag and host to be used in these steps.
- Open the Filebeat configuration (filebeat.yml), usually located in `/etc/filebeat/filebeat.yml`.
- Locate the `tags` section and enter the Data source tag. For example, `tags: ["any-mongodb"]`.
- Locate the `output.logstash` section and add an entry for Guardium Insights:

  ```
  # The Logstash hosts
  hosts: ["<hostname-URL>:443"]
  ```

  NOTE: In Guardium Insights, whenever using plug-ins that are based on Filebeat as a data shipper, the configured port should be 443. Guardium Insights will map this to an internal port.
- Configure TLS - UC to the data source:
  - Download the SSL certificate (UC certificate authority) from Guardium Insights and upload it to the data source server.
  - Copy the location of the downloaded certificate and enter it as the certificate authority.

    ```
    # List of root certificates for HTTPS server verifications
    ssl.certificate_authorities: ["/etc/pki/ca-trust/GuardiumInsightsCA.pem"]
    ```

  Summary:

  ```
  tags: ["any-mongodb"]
  output.logstash:
    # The Logstash hosts
    hosts: ["<hostname-URL>:443"]
    # List of root certificates for HTTPS server verifications
    ssl.certificate_authorities: ["<path-to-UC-CA>/GuardiumInsightsCA.pem"]
  ```
- Restart Filebeat to apply these changes.
  - Linux: Run the command: `sudo service filebeat restart`
  - Windows: Restart in the `Services` window.
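
A preflight check for the Filebeat settings described in the steps above, to run before restarting the service. This is an added example, not part of the Guardium documentation; the function name `check_filebeat_uc` is hypothetical, it assumes the dotted `output.logstash:` layout with one-line lists as shown in the summary, and the `ssl.verification_mode` check goes beyond the steps on this page (it is a standard Filebeat SSL setting).

```shell
#!/bin/sh
# Added example, not from the Guardium documentation: preflight check of the
# filebeat.yml settings described above. Prints each problem, returns 0 if none.
# Assumes the dotted "output.logstash:" layout and one-line lists, as on this page.
check_filebeat_uc() {
    conf=$1; tag=$2; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    # Strip comments and blank lines so commented-out defaults are ignored.
    active=$(sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$conf")
    # Keep only the keys nested under the top-level output.logstash section.
    out=$(printf '%s\n' "$active" | awk '
        /^output\.logstash:/ { inside = 1; next }
        /^[^ \t]/            { inside = 0 }
        inside               { print }')

    # 1. The data source tag must be set so the stream can be identified.
    printf '%s\n' "$active" | grep -Eq "^[[:space:]]*tags:.*\"$tag\"" ||
        { echo "tag \"$tag\" not found in a tags list"; rc=1; }

    # 2. Every Logstash host must use port 443.
    hosts=$(printf '%s\n' "$out" | grep -E '^[[:space:]]+hosts:' |
            grep -o '"[^"]*"') || true
    [ -n "$hosts" ] || { echo "no hosts under output.logstash"; rc=1; }
    for h in $hosts; do
        case $h in
            *:443\") ;;
            *) echo "host $h is not on port 443"; rc=1 ;;
        esac
    done

    # 3. The UC certificate authority must be set and point at a PEM file.
    ca=$(printf '%s\n' "$out" | grep -E '^[[:space:]]+ssl\.certificate_authorities:' |
         grep -o '"[^"]*"' | tr -d '"') || true
    [ -n "$ca" ] || { echo "ssl.certificate_authorities is not set"; rc=1; }
    for f in $ca; do
        grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null ||
            { echo "CA file $f is missing or not PEM"; rc=1; }
    done

    # 4. A trusted CA does nothing if certificate verification is switched off.
    printf '%s\n' "$out" |
        grep -Eq '^[[:space:]]+ssl\.verification_mode:[[:space:]]*"?none' &&
        { echo "ssl.verification_mode is none"; rc=1; }
    return $rc
}
```

Call it as `check_filebeat_uc /etc/filebeat/filebeat.yml any-mongodb`; once it passes, `filebeat test config` and `filebeat test output` confirm that Filebeat itself accepts the file and can complete the TLS handshake with the configured host.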