Integration with SIEM

WOCU-Monitoring incorporates advanced capabilities for the adaptation, normalization, and export of security logs, facilitating their integration with SIEM (Security Information and Event Management) platforms. This functionality allows the events generated by the tool to be transformed into standardized formats, ensuring their correct interpretation and use by external cybersecurity systems.

Integration with SIEM strengthens compliance with corporate security policies, enabling event correlation, early threat detection, and centralized auditing within a unified ecosystem.

td-agent

This service takes a source (file, port, etc.), processes it, and sends the data to a destination (database, file, endpoint, etc.).

Several configuration files are used to define the workflow.

auditlogs2endpoint


This configuration file reads the following files and sends the data to an external endpoint (usually a SIEM):

  • wocu_aggregator_user_db_audit.log

  • wocu_import-tool_user_db_audit.log

  • wocu_user_audit.log

To use it, the following variables must be set in the wocu-aggregator section of the WOCU-Monitoring configuration (/etc/wocu/wocu.yml):

  • siem_sender_enabled

  • siem_http_method

  • siem_token

  • siem_url

Note

More information about these variables can be found in the settings configuration section (settings conf).
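The pipeline described above, written out as an illustrative td-agent (Fluentd) configuration; this is an added example, not WOCU-Monitoring's own auditlogs2endpoint file. The log directory, the endpoint URL, the token placement in an Authorization header and the buffer paths are assumptions; in practice the endpoint, HTTP method and token come from siem_url, siem_http_method and siem_token.

```apache
# Added example: a td-agent pipeline that follows the three audit logs and
# posts them to a SIEM. Not WOCU's own file; paths, URL and token are placeholders.

# Input: follow each audit log like `tail -F`. The pos_file records the read
# offset so a td-agent restart does not re-send events already shipped.
# path_key adds the originating file name to every record, so the SIEM can
# separate aggregator, import-tool and user audit events.
<source>
  @type tail
  path /var/log/wocu/wocu_aggregator_user_db_audit.log,/var/log/wocu/wocu_import-tool_user_db_audit.log,/var/log/wocu/wocu_user_audit.log
  pos_file /var/log/td-agent/wocu_audit.pos
  path_key source_file
  tag wocu.audit
  read_from_head true
  <parse>
    @type none
  </parse>
</source>

# Normalization: stamp each record with the sending host so events from
# several WOCU nodes stay attributable after centralization.
<filter wocu.audit>
  @type record_transformer
  <record>
    hostname "#{Socket.gethostname}"
  </record>
</filter>

# Output: JSON over HTTPS to the SIEM ingest endpoint (placeholder values).
# tls_verify_mode peer rejects an endpoint presenting an untrusted certificate;
# the file buffer with retries keeps audit events if the SIEM is unreachable.
<match wocu.audit>
  @type http
  endpoint https://siem.example.invalid/ingest
  http_method post
  headers {"Authorization":"Bearer REPLACE_WITH_siem_token"}
  content_type application/json
  json_array true
  tls_verify_mode peer
  <format>
    @type json
  </format>
  <buffer>
    @type file
    path /var/log/td-agent/buffer/wocu_audit
    flush_interval 10s
    retry_type exponential_backoff
    retry_max_times 10
  </buffer>
</match>
```

Validate the file with `td-agent --dry-run -c <file>` before deploying, and confirm in the SIEM that the three source_file values arrive as distinct sources.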