SIEM Integration

Modified on Tue, Aug 17, 2021 at 10:59 AM

Integrating with On-Premise or Cloud-based SIEM

The 802 Secure cloud environment exposes an Application Programming Interface (API) that provides programmatic access to collected data. Event data can be retrieved through it and forwarded to additional logging platforms and SIEMs, integrating 802 Secure with an existing operations and monitoring environment.


API keys allow programmatic access to the 802 Secure Console API from applications. This access covers a limited subset of the primary console's features:

  • Creation and retrieval of Events/Alerts
  • Retrieval of Clients or AccessPoints identified within a date range
  • Retrieval of AccessPoint details via BSSID or unique identifier
  • Retrieval of Client details via MAC Address or unique identifier
  • AirShield Sensor status


Managing API Keys

API Keys are managed on the Customer API Key page accessible from the top right dropdown:



Each key created comes in two parts: a string-based authentication key and an ECDSA signing key. The ECDSA signing key is required only for write operations such as Event creation and can be ignored if you do not need them.


The ECDSA keys are generated locally and can be downloaded from the creation/edit page only during the session in which they were created. Once you log out, the signing (private) key can no longer be retrieved and must be regenerated. The ECDSA verification (public) key can be replaced with your own verification key if you prefer to generate the key pair yourself.
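As an added illustration of what the two halves of the ECDSA key pair do (this is example code, not the 802 Secure API client; the curve, hash and signature encoding used here are assumptions, since the page does not state which parameters the console expects), the following Go program generates a P-256 key pair, signs a constructed event body with the signing key, verifies it with the verification key, shows that a tampered body fails verification, and round-trips the verification key through the PEM form you would export or replace:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// GenerateSigningKey creates a fresh P-256 ECDSA key pair. The private half is
// the signing key; its PublicKey field is the verification key.
// Assumption: P-256 with SHA-256 is illustrative, not a documented API parameter.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignEvent hashes the serialized event body with SHA-256 and returns an
// ASN.1 DER encoded ECDSA signature over the digest.
func SignEvent(signingKey *ecdsa.PrivateKey, body []byte) ([]byte, error) {
	digest := sha256.Sum256(body)
	return ecdsa.SignASN1(rand.Reader, signingKey, digest[:])
}

// VerifyEvent recomputes the digest and checks the signature with the
// verification (public) key. Any change to body or sig makes this false.
func VerifyEvent(verifyKey *ecdsa.PublicKey, body, sig []byte) bool {
	digest := sha256.Sum256(body)
	return ecdsa.VerifyASN1(verifyKey, digest[:], sig)
}

// EncodeVerifyKeyPEM serializes the verification key as a PKIX "PUBLIC KEY"
// PEM block, the usual form for handing a public key to another party.
func EncodeVerifyKeyPEM(verifyKey *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(verifyKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// DecodeVerifyKeyPEM parses a PEM encoded verification key back into an
// *ecdsa.PublicKey, rejecting anything that is not an ECDSA key.
func DecodeVerifyKeyPEM(data []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "PUBLIC KEY" {
		return nil, errors.New("no PUBLIC KEY PEM block found")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ecPub, ok := pub.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("PEM block does not contain an ECDSA key")
	}
	return ecPub, nil
}

func main() {
	signingKey, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}

	// Constructed sample event body; the real Event schema is not shown on this page.
	event := []byte(`{"type":"rogue_ap","bssid":"00:11:22:33:44:55","severity":"high"}`)

	sig, err := SignEvent(signingKey, event)
	if err != nil {
		panic(err)
	}
	fmt.Println("original verifies:", VerifyEvent(&signingKey.PublicKey, event, sig))

	// Changing a single field after signing invalidates the signature.
	tampered := []byte(`{"type":"rogue_ap","bssid":"00:11:22:33:44:55","severity":"low"}`)
	fmt.Println("tampered verifies:", VerifyEvent(&signingKey.PublicKey, tampered, sig))

	// Round-trip the verification key through PEM, as when exporting it.
	pemBytes, err := EncodeVerifyKeyPEM(&signingKey.PublicKey)
	if err != nil {
		panic(err)
	}
	restored, err := DecodeVerifyKeyPEM(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Println("restored key verifies:", VerifyEvent(restored, event, sig))
}
```

The point for key handling follows from the page's own rule: the signing key in this program is the part that cannot be recovered after logout, so it belongs in a secret store on the host that creates events, while the PEM verification key is safe to share and is the only half the console needs to check signatures.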


Events2Logger - Retrieve and Forwarding Utility

The events2logger binary provides an on-premise or cloud-based connector between observed Events/Alerts and your logging platform.


The following methods are supported:


Additional methods can be supported on request.


Downloads

The current release, with a SHA-256 hash for validating each download, is available for these operating systems:


6bcb799901d1e943bbde533754aacffa1e937da2a0ca97142927753af5727fcb  events2logger-v1.2.0-64-linux
828c7d9dcc4dface00c30270f41b4f07d7e9eedad932e8a5afabdf5ee2c12602  events2logger-v1.2.0-64-osx
c474efa87aa1be1683ca1f0ef3028ecc51f5e0a9a3a98f1acde10eb1587a35fb  events2logger-v1.2.0-64-win.exe
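Verify the download before running it. The following Go program is an added example, not part of the vendor tooling; it takes the hash lines from this page as its input, streams each binary through SHA-256, and refuses a file whose digest does not match. It assumes the binaries were saved to the current directory.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ReleaseHashes is the download list from this page, in the "<hash>  <file>"
// layout that sha256sum and shasum produce and consume.
const ReleaseHashes = `
6bcb799901d1e943bbde533754aacffa1e937da2a0ca97142927753af5727fcb  events2logger-v1.2.0-64-linux
828c7d9dcc4dface00c30270f41b4f07d7e9eedad932e8a5afabdf5ee2c12602  events2logger-v1.2.0-64-osx
c474efa87aa1be1683ca1f0ef3028ecc51f5e0a9a3a98f1acde10eb1587a35fb  events2logger-v1.2.0-64-win.exe
`

// ParseHashList reads "<sha256 hex>  <filename>" lines into a
// filename -> expected hash map. Lines that do not look like that are skipped.
func ParseHashList(text string) map[string]string {
	expected := make(map[string]string)
	scanner := bufio.NewScanner(strings.NewReader(text))
	for scanner.Scan() {
		fields := strings.Fields(scanner.Text())
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			continue
		}
		expected[fields[1]] = strings.ToLower(fields[0])
	}
	return expected
}

// FileSHA256 streams the file through SHA-256, so a large binary is never
// read into memory at once, and returns the lowercase hex digest.
func FileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// VerifyRelease reports whether the file's digest equals the published one.
// The published hash is public, so plain string comparison is appropriate.
func VerifyRelease(path, expectedHex string) (bool, error) {
	actual, err := FileSHA256(path)
	if err != nil {
		return false, err
	}
	return actual == strings.ToLower(expectedHex), nil
}

func main() {
	expected := ParseHashList(ReleaseHashes)

	// A file that is missing or whose digest differs must not be executed.
	for name, want := range expected {
		ok, err := VerifyRelease(filepath.Join(".", name), want)
		switch {
		case err != nil:
			fmt.Printf("%s: not checked (%v)\n", name, err)
		case ok:
			fmt.Printf("%s: OK\n", name)
		default:
			fmt.Printf("%s: FAILED, do not run this binary\n", name)
		}
	}
}
```

On Linux the same check is `sha256sum -c` against a file containing the three lines above; on macOS `shasum -a 256 -c` reads the same format, and on Windows PowerShell's Get-FileHash prints a digest you can compare by eye.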


Configuring events2logger

A sample configuration file can be downloaded here. Modify the file with your API key and targets. 


Running events2logger

To run events2logger, first create a valid events2logger.yml configuration file, then run the application with "events2logger run" from a Linux/OSX terminal or Windows console. Add -v for verbose local output of message delivery.


./events2logger run
INFO[0000] Setting JSON format for output
INFO[0000] Configuring Graylog hook
DEBU[0000] All configurations locked and loaded
INFO[0000] Starting 802 Secure events2log v1.0.0-beta . . .
ERRO[0000] EOF
INFO[0000] Requesting events from 802 Secure Console . . .  StartDate=2017-03-08 05:48:29.669193464 +0000 UTC
INFO[0001] 1 events received and forwarded to logger
INFO[0001] Sleeping 30 seconds . . .


In certain situations the events2logger.state file may become stale, after which no results are retrieved. The tool attempts to recognize this condition but may not catch it in every case. If this occurs, stop the process, delete the state file, and restart the process.

 

An invalid API Key will generate the following output:


INFO[0000] Setting JSON format for output
INFO[0000] Configuring Graylog hook
DEBU[0000] All configurations locked and loaded
INFO[0000] Starting 802 Secure events2log v1.0.0-beta . . .
ERRO[0000] EOF
INFO[0000] Requesting events from 802 Secure Console . . .  StartDate=2017-03-08 05:38:31.470093692 +0000 UTC
INFO[0000] API Token expired, refreshing . . .
INFO[0000] Refresh token expired, logging in . . .
INFO[0001] API Token expired, refreshing . . .
INFO[0001] Refresh token expired, logging in . . .
INFO[0001] API Token expired, refreshing . . .
INFO[0001] Refresh token expired, logging in . . .
INFO[0001] 0 events received and forwarded to logger
INFO[0001] Sleeping 30 seconds . . .
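Neither the stale-state condition described above nor the invalid-key output has a single error line to alert on. The following Go program, an added example and not part of events2logger, reads the connector's output and flags both. The invalid-key rule follows directly from the log above: the token refresh falls back to a login, and the new login is rejected again within the same poll, so two or more login fallbacks with nothing forwarded mean the key itself is bad. The stale-state rule is a heuristic assumption, not something the vendor documents: several consecutive polls that forward nothing while authentication is not complaining. The sample log is copied from this page.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Diagnosis summarizes one or more poll cycles of events2logger output.
type Diagnosis struct {
	Polls            int  // "Requesting events ..." lines seen
	EventsForwarded  int  // sum of "<n> events received and forwarded"
	ZeroEventPolls   int  // polls that forwarded nothing
	LoginFallbacks   int  // "Refresh token expired, logging in" lines
	InvalidKeyLikely bool // refresh/login loop with nothing delivered
	StaleStateLikely bool // heuristic: quiet polls with healthy auth (assumption)
}

var eventsRe = regexp.MustCompile(`(\d+) events received and forwarded`)

// Diagnose scans connector output line by line. staleThreshold is how many
// consecutive zero-event polls are tolerated before suspecting a stale
// events2logger.state file; pick it from your normal alert rate.
func Diagnose(logText string, staleThreshold int) Diagnosis {
	var d Diagnosis
	consecutiveZero := 0
	scanner := bufio.NewScanner(strings.NewReader(logText))
	for scanner.Scan() {
		line := scanner.Text()
		switch {
		case strings.Contains(line, "Requesting events from"):
			d.Polls++
		case strings.Contains(line, "Refresh token expired, logging in"):
			d.LoginFallbacks++
		}
		if m := eventsRe.FindStringSubmatch(line); m != nil {
			n, _ := strconv.Atoi(m[1])
			d.EventsForwarded += n
			if n == 0 {
				d.ZeroEventPolls++
				consecutiveZero++
			} else {
				consecutiveZero = 0
			}
		}
	}
	// A valid key would not be rejected again immediately after a fresh login.
	d.InvalidKeyLikely = d.LoginFallbacks >= 2 && d.EventsForwarded == 0
	// Heuristic (assumption): nothing delivered for a while, auth never complained.
	d.StaleStateLikely = d.LoginFallbacks == 0 && consecutiveZero >= staleThreshold
	return d
}

// invalidKeyRun is the invalid-key output shown on this page.
const invalidKeyRun = `INFO[0000] Requesting events from 802 Secure Console . . .  StartDate=2017-03-08 05:38:31.470093692 +0000 UTC
INFO[0000] API Token expired, refreshing . . .
INFO[0000] Refresh token expired, logging in . . .
INFO[0001] API Token expired, refreshing . . .
INFO[0001] Refresh token expired, logging in . . .
INFO[0001] API Token expired, refreshing . . .
INFO[0001] Refresh token expired, logging in . . .
INFO[0001] 0 events received and forwarded to logger
INFO[0001] Sleeping 30 seconds . . .`

func main() {
	d := Diagnose(invalidKeyRun, 5)
	fmt.Printf("%+v\n", d)
	if d.InvalidKeyLikely {
		fmt.Println("API key appears invalid: check the key in events2logger.yml")
	}
	if d.StaleStateLikely {
		fmt.Println("no events for several polls: stop, delete events2logger.state, restart")
	}
}
```

Run it over the connector's captured output (for example a journal or a redirected -v run) from whatever supervises the process, and treat InvalidKeyLikely as an immediate page, since a rejected key means no events are reaching the SIEM at all.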
