The uba.varonis.audit tag identifies alert messages generated by Varonis DatAlert security analytics.
You need to configure the Varonis DatAlert rules to generate syslog messages-type alert method, create an alert template for sending to Devo, and set up syslog message forwarding to the Devo Relay. The DatAlert messages should be sent to a dedicated port (of your choice) on the relay to be tagged and forwarded securely to the Devo Cloud.
The full tag is fixed with only three levels: uba.varonis.audit
Varonis DatAlert configuration
To set up message forwarding, you will need to take the following steps in the DatAlert area of the DatAdvantage management tool:
- Set up Syslog Message Forwarding to your Devo Relay in the DatAlert Configuration settings. You'll need to specify the relay's IP address and the relay port to which you want to send DatAlert messages.
- Create a new alert template to apply to syslog message-type alert methods.
- Edit the DatAlert rules to generate syslog messages. This means that the messages will get forwarded to the Devo Relay.
There are a couple of articles in the Varonis KnowledgeBase that can guide you in completing these steps:
Configure Syslog message forwarding
- In DatAdvantage, select Tools → DatAlert. DatAlert is displayed.
- Select Configuration in the left menu.
- In Syslog Message Forwarding, enter the following information:
- Syslog server IP address - The IP address of the Devo relay.
- Port - The port on which the Devo relay will be listening according to the rule defined in the previous step.
Define a new template
Templates define the format of the alert messages sent from DatAlert, using Syslog, to Devo.
- In DatAlert, click Alert Templates in the left menu.
- Click the green plus sign to add a new alert template:
- Enter a template name.
- Open the Apply to alert methods dropdown list and select Syslog message.
- Select the parameters that you want to monitor.
Configure the rules to send the alerts to Devo
To send the events triggered by the rules to Devo, the alert must be transferred by creating a Syslog message. Go to the DatAlert rules table and:
- Select the rule or rules and then click Edit Rule.
- Click Alert Method.
- Check the option Syslog message.
Devo Relay rule
The rule should simply apply the uba.varonis.audit tag to all events received on the selected port. And syslog tags contained in the messages received should also be ignored.
- Source Port → 13004
- Target Tag → uba.varonis.audit
- Select the Send without tag checkbox