TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: Syslogs
ENVIRONMENT: Windows Event Logs, firewall syslog, or HTTP Event Collector (HEC) syslog
SUMMARY: Enabling and initial setup of the Huntress Managed SIEM tool as an admin in the Huntress portal.
Configure Log Sources (Windows Event Logs)
Configure Log Sources (Syslog (Local))
Huntress Managed SIEM relies on Huntress Rio. A newly installed agent may not show up in SIEM until Huntress Rio installs, which can take up to 24 hours. Additionally, if you have excluded Process Insights from any machine, that machine will not be suitable for Huntress Managed SIEM syslog collection.
Start the Trial
1. Once the trial option has been set up for you, enable the trial via Active Trials (Trial Manager) in the Huntress portal: select SIEM and choose "Start Trial".
2. Once enabled, you will receive a "Trial Starts for SIEM" message.
3. Navigate to the Huntress Managed SIEM Dashboard on the left-hand panel under "SIEM" and refresh the page.
4. The "Configure" option for SIEM should appear within 2-3 minutes (usually much faster). Choose "Configure" to set up log collection.
Configure Log Sources (Windows Event Logs)
You can control Windows Event Log collection per organization by doing the following:
From the "Source Management" tab under SIEM
1. Click "Add Source"
2. Choose "Windows Event Logs"
3. If you wish to disable this for ALL organizations, turn Windows Event Log Collection off (left-hand side, towards the bottom of the page).
a. If you wish to exclude ANY organizations, use the "Add Override" option and set those organizations to "DISABLED". While not required, it may be beneficial to add any overrides before enabling the log collection feature.
b. Optionally, set an organization to "ENABLED" using the same "Add Override" button to ensure log collection is enabled for that organization.
4. Organizations added later are included automatically unless they are set to DISABLED. Windows Event Logs begin collecting within a few hours. If logs have not started collecting after 24 hours, please reach out to Huntress support.
Configure Log Sources (Syslog (Local))
In this section we will configure a Huntress Agent to listen for syslog messages (a logging standard not associated with Microsoft or Windows). Once this is enabled, you can point your firewall syslog output to that agent and the agent will collect and send those messages to Huntress Managed SIEM.
From the "Source Management" tab under SIEM
1. Click "Add Source"
2. Choose "Syslog (Local)"
3. In the top right, choose "Add Syslog Agent"
4. Select an organization and a host, then hit "Save"
5. The selected organization and hostname will appear under "Enabled Syslog Agents" within a few minutes.
Generally, only one endpoint needs to be added per organization. Syslog collection here is intended for firewall data; adding additional endpoints would result in excess log collection.
For suggested configurations for various firewall vendors, please refer to our Device Configuration Guides.