For more information on how tags work, check the Introduction to tags article.
In-house Relay configuration
You can configure Varonis DatAlert to report the logs to Devo specifying an endpoint, destination port, and Syslog facility. It is necessary to send the logs to an In-house Relay that will tag them as uba.varonis.audit and forward them to Devo.
To create the rule, use the following fields:
- Source Port → 13004
- Target Tag → uba.varonis.audit
- Check the following box:
- Send without tag
The new rule looks as follows:
Varonis DatAlert configuration
Configure Syslog message forwarding
- In DatAdvantage, select Tools → DatAlert. DatAlert is displayed.
- Select Configuration in the left menu.
- In Syslog Message Forwarding, enter the following information:
- Syslog server IP address - The IP address of the Devo relay.
- Port - The port on which the Devo relay will be listening according to the rule defined in the previous step.
Define a new template
Templates define the format of the alert messages sent from DatAlert, using Syslog, to Devo.
- In DatAlert, click Alert Templates in the left menu.
- Click the green plus sign to add a new alert template:
- Enter a template name.
- Open the Apply to alert methods dropdown list and select Syslog message.
- Select the parameters that you want to monitor.
Configure the rules to send the alerts to Devo
To send the events triggered by the rules to Devo, the alert must be transferred by creating a Syslog message. To do this, in DatAlert, go to the rules table and:
- Select the rule or rules and then click Edit Rule.
- Click Alert Method.
- Check the option Syslog message.