RSA Event Source Configuration Guide
Imperva SecureSphere
Last Modified: Friday, October 16, 2015
Event Source (Device) Product Information
  Vendor                                Imperva
  Event Source (Device)                 SecureSphere
  Additional Downloads                  imperva.txt
  Supported Versions                    Versions 6, 7, 8, 8.5, 9, 9.5, 10
RSA Product Information
  Supported Version                     RSA enVision 4.1
  Event Source (Device) Type            impervawaf, 132
  Collection Method                     Syslog
  Event Source (Device) Class.Subclass  Security.Application Firewall
  Content 2.0 Table                     Application Firewall
This document contains the following information for the Imperva SecureSphere event source:
• Configuration Instructions
• Release Notes 20151016-110607
• Release Notes 20150729-142232
Imperva SecureSphere Configuration Instructions
These instructions describe how to configure Imperva SecureSphere to communicate with the RSA
enVision appliance.
To configure Imperva SecureSphere:
1. Connect to the SecureSphere web interface.
2. Select the Policies > Action Sets tab.
3. To set up Alerts monitoring, follow these steps:
a. Select Create New.
Note: In version 10.0, select Create New.
b. In the Name field, type Security Platform Alerts.
c. From the Apply to event type drop-down list, select Any Event Type.
d. Click Create.
e. Select the action set, Security Platform Alerts.
f. Move the Server System Log > Log to System Log (syslog) action from Available
Action Interfaces to Selected Actions by clicking the green arrow next to the action.
g. Expand Selected Actions, and complete the fields as follows.
Copyright © 2015 EMC Corporation. All Rights Reserved.
Field              Action
Name               Type: Security Platform Alerts.
Syslog Host        Enter the IP address of your enVision appliance.
Syslog Host Level  Type: Info.
Message            Copy and paste text from the impervawaf.txt file. Use the line
                   below Security Alerts. This file is available on SCOL as an
                   Additional Download.
Facility           Type: Syslog.
h. Select Run on Every Event.
i. Click Save.
4. To set up Events, follow these steps:
a. Select Create New.
Note: In version 10.0, select Create New.
b. In the Name field, type: Security Platform Events.
c. From the Apply to event type drop-down list, select System Events.
d. Click Create.
e. Select the action set, Security Platform Events.
f. Move the Server System Log > Log to System Log (syslog) action from Available Action
Interfaces to Selected Actions by clicking the green arrow next to the action.
g. Expand Selected Actions, and complete the fields as follows.
Field              Value
Name               Type: Security Platform Events.
Syslog Host        Enter the IP address of your enVision appliance.
Syslog Host Level  Type: Info.
Message            Copy and paste text from the imperva.txt file. Use the line
                   below Security Events. This file is available on SCOL as an
                   Additional Download.
Facility           Type: Syslog.
h. Select Run on Every Event.
i. Click Save.
5. To set up Database Activity Monitoring, follow these steps:
a. Select Create New.
Note: In version 10.0, select Create New.
b. In the Name field, type: Security Database Activity Monitoring
c. From the Apply to event type drop-down list, select Audit.
d. Click Create.
e. Select the action set, Security Database Activity Monitoring.
f. Move the Gateway Syslog > Log audit events to System Log (Gateway syslog) action
from the Available Action Interfaces to the Selected Actions by clicking the green arrow
next to the action.
g. Expand Gateway Syslog > Log audit events to System Log (Gateway syslog), and
complete the fields as follows.
Field              Value
Name               Type: Security Database Activity Monitoring
Primary Host       Enter the IP address of your enVision appliance.
Primary Port       Type: 514
Syslog Host Level  Type: Info
Message            Copy and paste text from the imperva.txt file. Use the line
                   below Security Database Activity Monitoring. This file is
                   available on SCOL as an Additional Download.
Facility           Type: Syslog
h. Click Save.
6. Click the Policies > Audit tab.
7. Select the External Logger tab for the policy to which you want to apply the new action set.
8. Select the name of your newly created action set, Security Database Activity Monitoring, and
click Save.
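The following check is an added example, not part of the RSA or Imperva material. It verifies that datagrams arriving at a syslog destination carry the priority that the action sets above configure (Facility Syslog, Level Info). It assumes UDP transport and a standard leading <PRI> header, neither of which this guide states, and is meant to be run on a test host temporarily entered as the syslog host.

```python
import re
import socket
import sys

# Settings chosen in the action sets above: Facility "Syslog", Level "Info".
FACILITY_SYSLOG = 5   # RFC 3164/5424 facility code for "syslog"
SEVERITY_INFO = 6     # RFC 3164/5424 severity code for "informational"
EXPECTED_PRI = FACILITY_SYSLOG * 8 + SEVERITY_INFO

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_pri(datagram):
    """Return (facility, severity) from a leading <PRI>, or None if absent or invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    return divmod(pri, 8)

def check_datagram(datagram):
    """Classify one received datagram against the settings in this guide."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return "no-pri"            # sender is not emitting a syslog header
    if parsed != (FACILITY_SYSLOG, SEVERITY_INFO):
        return "unexpected-pri"    # Facility or Level field set differently
    body = datagram[datagram.index(b">") + 1:].strip()
    # An empty body suggests the Message field was left blank in the action set.
    return "ok" if body else "empty-message"

def listen(bind_addr="0.0.0.0", port=514, count=10):
    """Receive `count` UDP datagrams (assumed transport) and print a verdict for each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(count):
            data, (src, _src_port) = sock.recvfrom(65535)
            print(f"{src} {check_datagram(data)} {data[:120]!r}")

if __name__ == "__main__":
    # Optional argument: port to listen on (binding to 514 normally needs privileges).
    listen(port=int(sys.argv[1]) if len(sys.argv) > 1 else 514)
```

A verdict of unexpected-pri or empty-message points back to the Facility, Level, or Message field of the corresponding action set.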
Imperva SecureSphere Release Notes (20151016-110607)
New and Updated Event Messages in Imperva SecureSphere
For complete details on new and updated messages, see the Event Source Update Help.
Imperva SecureSphere Release Notes (20150729-142232)
New and Updated Event Messages in Imperva SecureSphere
For complete details on new and updated messages, see the Event Source Update Help.