Logmanager documentation

Flowmon - advanced integration

Integration possibilities

Below are the existing integration options:

  1. Collection, long-term storage and visibility into Flowmon logs in Logmanager - the default integration, in which logs from Flowmon are sent to Logmanager. It allows thorough processing and detailed visualization of Flowmon data alongside the organization's other network and security solutions. It is easy to set up by following the instructions in the Logmanager documentation, and thanks to the built-in classification no configuration changes are required on the Logmanager side.
  2. Enrichment of Flowmon logs processed on the Logmanager side with additional metadata - the built-in alert examples in Logmanager include a sample called “Flowmon_log_enhancement”. Once activated, it adds a new field to every log received from Flowmon containing a URL that points to the detail of the event in the Flowmon GUI. Clicking the link in the Logmanager interface takes the user straight to the Flowmon console.
  3. Adding user identity from Microsoft AD to the Flowmon environment - Flowmon can receive data through its own syslog collector to enrich the data it collects, specifically which user was using a given IP address at the time of the event according to MS AD. Logmanager obtains this information as part of its standard collection of AD logs by the Logmanager Beats agent. Logmanager processes these logs and, based on simple logic, passes them in a structured format to Flowmon, where they are used for enrichment.
    Preview of Flowmon data visualization in Logmanager

Collection, long-term storage and visibility into Flowmon logs

This integration is straightforward: follow the Flowmon page of the online documentation to set up the basic integration. The whole procedure consists of only six steps.

Enriching Flowmon logs with additional metadata

Procedure for enriching Flowmon ADS logs in Logmanager with URL links of individual events:

  1. Create a new alert from a template - in the menu Logs / Alerts, click the Create new from template icon on the right of the list of alerts.
  2. Select the template named “Flowmon_log_enhancement” from the Model Examples list and click the Apply button.
  3. In the newly added Blockly logic, edit the field indicated by the arrow in the figure below: replace “flowmon.local.domain” with the domain name or IP address of your Flowmon system.
    Enriching Flowmon logs with additional metadata

  4. Edit the name and description of the alert as needed, fill in the e-mail address, enable the alert and click the “Create” button in the last step. The result is an alert that does not notify anyone but adds a URL to each Flowmon ADS log. Within one minute, newly received Flowmon logs should contain a new msg.event_url field.
  5. Check the result: open the relevant Flowmon event in the built-in Flowmon Dashboard, find the msg.event_url field and verify that it redirects you to the corresponding event in Flowmon, as shown in the figure below.
    Preview of the result of creating a new field with direct link to event in Flowmon ADS

Adding user identity from Logmanager/Beats agent to Flowmon

The basic logic of this integration: Logmanager forwards events associated with a successful user login to the Flowmon system, where data flows can then be linked to the identity of a specific user. Linking a user's identity with a data flow requires three things: auditing of authentication events must be enabled on the domain controllers (e.g. via GPO), these events must be forwarded from Logmanager to Flowmon, and Flowmon must process the user identity information received from Logmanager with a parser. The parsing rule is given in the procedure below.

  1. GPO configuration: The first step is to create a group policy named e.g. LM - Logon Audit and link it to the Domain Controllers container and ideally also to the container of domain member servers.

    Edit the newly created group policy. In Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Security Options, open Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, check Define this policy setting, select Enabled and confirm with OK. Without this setting, the legacy category-level audit policy can override the advanced subcategories configured below.

    Next, in Computer Configuration / Policies / Windows Settings / Security Settings / Advanced Audit Policy Configuration / Audit Policies / Account Logon, open the policy Audit Kerberos Authentication Service, check Configure the following audit events, check Success and confirm with OK. Finally, in Computer Configuration / Policies / Windows Settings / Security Settings / Advanced Audit Policy Configuration / Audit Policies / Logon/Logoff, open the policy Audit Logon, check Configure the following audit events, check Success and confirm with OK. Successful Kerberos TGT requests are then logged as event 4768 and successful logons as event 4624; these are the two event IDs the Flowmon parser consumes in step 4.

    Preview of the result of creating a new audit policy in the MS AD

  2. Logmanager configuration: First define a new destination for sending the selected logs to the Flowmon syslog collector. In the Logmanager menu Logs / Syslog output, add a new redirection. Fill in the IP address and port on which Flowmon listens (the default syslog port is 514), set Syslog output message format version to 3, check Enabled and save with the Save button. The port and transport protocol must match what you configure on the Flowmon side in step 4 (port 514, TCP). Note that plain syslog over TCP 514 is not encrypted, so keep this traffic, which carries user names and client addresses, on a management network. A screenshot of the newly created record is shown below.

    Preview of creating a new destination for sending logs

  3. Next, create an alert as shown in the example below, which forwards the selected audit events to Flowmon. In the menu Logs / Alerts add a new alert. In the form fill in the name and description, enter an e-mail address in the destination field and check Enabled. In the Blocks field, build the alert as shown below; in the “send to remote syslog” block, select the redirection created in the previous step. Finally, save the configuration with the Save button.

    Preview of creating an action block for sending the desired logs to Flowmon

    To make this easier, we have prepared a ready-made pattern: download or copy the code and paste it into the XML tab when creating a new alert.

    flowmon-integration_alert.xml
    Don't forget to set the “add tag” block and select the correct “remote syslog” destination; these attributes are not copied when alerts are imported via XML.
  4. Flowmon configuration: In Flowmon Configuration Centre / System, on the System Settings tab, add a new syslog server. Select Enable external syslog protocols and use the New Syslog Client button to define the source from which events will arrive: the IP address of the Logmanager system, port 514 (the same port set in the forwarding configuration in Logmanager) and the TCP protocol. Next, turn on Enable parsing of user identity information and create a new parsing rule with the New rule button to extract information from events 4624 and 4768. Enter a suitable name in the Name field (for example LM-Beats) and enter the following rule in the Log message rule field:

    @ESTRING::"for_flowmon":@@ESTRING::"@@IPvANY:ASSIGNED_IP:@@ESTRING::,@@ESTRING:USERNAME:"@

    In this rule, each @ESTRING::delimiter@ skips everything up to the given delimiter, @IPvANY:ASSIGNED_IP:@ captures an IPv4 or IPv6 address and @ESTRING:USERNAME:"@ captures everything up to the closing quote. The forwarded message must therefore contain a "for_flowmon" key whose value is the client IP address, a comma and the user name; ASSIGNED_IP and USERNAME are the two fields Flowmon extracts.

    Finally, you need to press the Save button to save the configuration.

    Preview of creating a new syslog rule in Flowmon

  5. Functionality verification: Correct processing of user identities can be verified, for example, in the Monitoring Centre. In the menu, select Analysis, and at the bottom of the Advanced Analysis page select User Identity as the Base Statistics parameter. Then click the Process button. If everything is correct, data flow statistics broken down by user identity are displayed as in the screenshot below.

    Flowmon - advanced integration
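The following Python script is an added example, not Logmanager's or Flowmon's own code. It exercises both halves of steps 3 and 4 offline: it selects and formats constructed 4624/4768 events the way the forwarding alert has to, then applies the Flowmon rule from step 4 to the resulting message and checks that ASSIGNED_IP and USERNAME come out. Two things are assumptions rather than facts from the page: the alert is taken to emit a JSON field named "for_flowmon" with the value "<ip>,<user>" (the shape the rule expects; the page shows the Blockly logic only as a screenshot), and the rule is interpreted with syslog-ng pattern semantics (@ESTRING@ takes everything up to the first occurrence of its delimiter, @IPvANY@ takes an IPv4 or IPv6 address, matching is anchored at the start of the message). The script also handles two details a practitioner hits in practice: Kerberos events report IPv4 clients as ::ffff:a.b.c.d, and machine-account, failed and local logons carry no identity worth forwarding. All sample events are constructed.

```python
"""Added example, not Logmanager's or Flowmon's own code: constructed 4624/4768 events
pass through the alert's selection/formatting (step 3) and then the Flowmon rule (step 4).
Assumed, not stated on the page: the alert emits a JSON field "for_flowmon" = "<ip>,<user>",
and the rule uses syslog-ng pattern semantics (ESTRING = up to first delimiter, consumed;
IPvANY = IPv4/IPv6 address; matching anchored at message start)."""
import json
import re

# Rule copied verbatim from step 4.
FLOWMON_RULE = ('@ESTRING::"for_flowmon":@@ESTRING::"@@IPvANY:ASSIGNED_IP:@'
                '@ESTRING::,@@ESTRING:USERNAME:"@')
FORWARDED_EVENT_IDS = {4624, 4768}
LOCAL_LOGON_TYPES = {0, 4, 5}  # System, Batch, Service: no client address

def identity_from_event(event):
    """Return "<ip>,<user>" for an event worth forwarding, else None. Keys other
    than event_id are the real EventData names of Windows events 4624/4768."""
    event_id = event.get("event_id")
    user = event.get("TargetUserName", "")
    ip = event.get("IpAddress", "-")
    if event_id not in FORWARDED_EVENT_IDS:
        return None
    # Machine accounts ("WS01$") and anonymous logons carry no human identity.
    if not user or user.endswith("$") or user.upper() == "ANONYMOUS LOGON":
        return None
    if event_id == 4624 and event.get("LogonType") in LOCAL_LOGON_TYPES:
        return None
    # 4768 is also logged for failed TGT requests; only Status 0x0 means issued.
    if event_id == 4768 and event.get("Status", "0x0") != "0x0":
        return None
    # Kerberos events report IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d);
    # strip the prefix so the value matches the IPv4 address seen in flow data.
    if ip.lower().startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    if ip in ("-", "", "127.0.0.1", "::1"):
        return None
    return f"{ip},{user}"

def syslog_payload(event):
    """Message body the "send to remote syslog" block would emit (the JSON around
    the "for_flowmon" key is constructed; only that key matters to the rule)."""
    identity = identity_from_event(event)
    return None if identity is None else json.dumps(
        {"event_id": event["event_id"], "for_flowmon": identity})

_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
_IPV6 = r"(?=[0-9A-Fa-f]*:)[0-9A-Fa-f:]+(?:\.\d{1,3}){0,3}"  # simplified

def rule_to_regex(rule):
    """Translate a Flowmon-style pattern (literals, "@@" = literal "@", ESTRING,
    IPvANY) into a compiled regex; any other parser raises instead of matching."""
    out, i = [], 0
    while i < len(rule):
        if rule[i] != "@":
            out.append(re.escape(rule[i]))
            i += 1
        elif rule.startswith("@@", i):
            out.append("@")
            i += 2
        else:
            end = rule.index("@", i + 1)
            kind, name, param = (rule[i + 1:end].split(":", 2) + ["", ""])[:3]
            group = f"(?P<{name}>" if name else "(?:"
            if kind == "ESTRING":
                delim = re.escape(param)
                out.append(f"{group}(?:(?!{delim}).)*){delim}")  # stop at FIRST delim
            elif kind == "IPvANY":
                out.append(f"{group}{_IPV4}|{_IPV6})")
            else:
                raise ValueError(f"unsupported parser: {kind}")
            i = end + 1
    return re.compile("".join(out))

def parse_identity(message):
    """Apply the Flowmon rule; {"ASSIGNED_IP": .., "USERNAME": ..} or None."""
    m = rule_to_regex(FLOWMON_RULE).match(message)  # anchored; trailing text ignored
    return m.groupdict() if m else None

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"event_id": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"event_id": 4768, "TargetUserName": "asmith", "IpAddress": "::ffff:10.0.0.7", "Status": "0x0"},
    {"event_id": 4624, "TargetUserName": "WS01$", "IpAddress": "10.0.0.9", "LogonType": 3},
    {"event_id": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.5", "Status": "0x18"},
    {"event_id": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "LogonType": 3},
]

def forward_all(events):
    """Simulate alert + parser; returns the (ip, user) pairs Flowmon would learn."""
    learned = []
    for payload in filter(None, map(syslog_payload, events)):
        parsed = parse_identity(payload)
        if parsed is None:
            raise RuntimeError(f"Flowmon rule did not match: {payload}")
        learned.append((parsed["ASSIGNED_IP"], parsed["USERNAME"]))
    return learned

if __name__ == "__main__":
    for ip, user in forward_all(SAMPLE_EVENTS):
        print(f"{ip:15} {user}")
```

Running the script prints the two identities Flowmon would learn (10.0.0.5 for jdoe and 10.0.0.7 for asmith); the machine account, the failed TGT request and the 4625 failure are dropped before they reach the syslog destination. The rule-to-regex translation is deliberately strict about the delimiter: ESTRING stops at the first occurrence, so a user name containing a comma would be cut off by @ESTRING::,@, which is a reason to keep the value layout exactly "<ip>,<user>" in the alert.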