Monitor Logged Events
Monitor Halo security events
Halo Logging and Alerting
Halo logging and alerting is a built-in service that captures event information generated by all of the Halo security modules, by Halo user actions, and by actions on Halo-protected servers. Halo stores these events centrally, and reports on them in a variety of forms, including summaries and details displayed in the Halo portal, email alerts sent to administrator inboxes, and event data exported to third-party analytical tools.
Logging and alerting is always "on" and available to all Halo users, but you decide what and how much you want logged and who needs to be notified. For example:
- Most of Halo's policy-based security modules allow you to separately turn logging or alerting on or off for each rule in a policy, to flag the more serious ones as Critical, and to generate email alerts for the most serious of them.
- You can implement a special events policy to control the logging and alerting of server-related events across your infrastructure.
- You can control which routine audit events (logins, policy assignments, password changes, and so on) should be logged or alerted on.
- You can create alert profiles, which control who should receive email alerts for various events.
To review logged events, you can read alerts in your email inbox, view event summaries on the Halo portal dashboard page, or view and search for events on several other portal pages.
Integrating Events with Analytical Tools. The Halo API includes the capability to export complete or filtered event information that you can then feed into a variety of third-party analytical tools. CloudPassage has used this capability to create an integration tool (Halo Event Connector) that you can use out-of-the-box for this purpose.
If you have specified that important configuration and file-integrity policy violations should be logged as events, any occurrences of those events are available for you to view and address on the Security Events History page of the Halo Portal. And you can capture additional security-related events if you also set up a special events policy. Take these steps:
- If you haven't done it yet, create and assign an alert profile as described in Set up Halo alerts. It specifies who should receive email alerts when an event occurs.
- Create and assign a special events policy:
  - In the Portal, go to Policies > Special Events Policies and click Add New Special Events Policy.
  - Enter a name and optional description for the policy, then select the Log Event and (optionally) Generate an Alert checkboxes for at least these security events:
    - Server firewall modified
    - Daemon compromised
    (You can add any others that you think have direct security impact for you; for example, you might include "Multiple root accounts detected" if your servers never normally have multiple root accounts.)
    An event will be logged (and you may be alerted) whenever a server's local firewall has been modified outside of Halo, or its Halo agent has been tampered with.
    (If your server group already has an assigned special events policy, for example because you have followed the steps in Alert on unauthorized firewall changes, you can add events to it instead of creating a new policy.)
  - Click Save to save the policy.
  - Assign the special events policy to your server group: navigate to the Portal Dashboard page, click Edit Details for your server group, and select your policy from the Special Events Policy drop-down list. Then click Save.
- After time has passed and you have conducted one or more scans, log into the Halo Portal and navigate to Servers > Security Events History.
  This Portal page captures all logged events generated from your Halo-protected infrastructure, including both security-related events and audit-related events. So if you want to see only security events, conduct a search that filters for any or all of these event types (plus any others that you may have deemed security-related):
  - Server firewall modified (special events policy violation)
  - Daemon compromised (special events policy violation)
  - Configuration rule failed (configuration policy violation)
  - File integrity object signature changed (file integrity policy violation)
  - File integrity object missing (file integrity policy violation)
  - File integrity object added (file integrity policy violation)
  - Use the filter fields to search for your desired events over the time range you wish and with whatever other restrictions you wish.
  - View the search results. For some events, you can click More details to see additional information about the event. You can also sort by column to group events in various ways.
- Interpret and address these events just as you interpret and address scan results. First analyze the event to decide whether it could represent a true security threat to your organization.
  If it is not a cause for concern, adjust the rule or policy that generated it (for example, turn off logging or alerting for that rule, or change what it checks) so that the same event is not reported again. If it could be a valid security issue, either remediate the problem (if it is clearly not the result of malicious activity or intrusion) or immediately isolate the server and report the event to your security forensics or emergency response team.
For detailed suggestions on how to address security events, see Act on Reported Events in Halo Issues, Events, and Alerts.
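The filtering described in the Security Events History steps above, applied to an exported event feed rather than in the portal, as an added example (not CloudPassage code and not the Halo Event Connector). The JSON Lines records are constructed for illustration, and the field names (type, server_hostname, critical, created_at) are assumptions, not Halo's documented export schema: adapt them to whatever your export actually contains.

```python
"""Filter an exported Halo event feed down to security-related events.

Added example, not CloudPassage code. The records below are constructed
for illustration, and the field names (type, server_hostname, critical,
created_at) are assumptions, not Halo's documented export schema.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# The event types this page treats as security-related. Audit events
# (logins, policy assignments, password changes) are deliberately absent.
SECURITY_EVENT_TYPES = frozenset({
    "Server firewall modified",                  # special events policy
    "Daemon compromised",                        # special events policy
    "Configuration rule failed",                 # configuration policy
    "File integrity object signature changed",   # file integrity policy
    "File integrity object missing",             # file integrity policy
    "File integrity object added",               # file integrity policy
})

# Constructed sample export in JSON Lines form: four security events and
# two audit events, spread over two days and two servers.
SAMPLE_EXPORT = """\
{"type": "Configuration rule failed", "server_hostname": "db-01", "critical": false, "created_at": "2014-03-09T08:00:00Z"}
{"type": "Server firewall modified", "server_hostname": "web-01", "critical": true, "created_at": "2014-03-10T12:00:05Z"}
{"type": "User login", "server_hostname": null, "critical": false, "created_at": "2014-03-10T12:01:00Z"}
{"type": "File integrity object signature changed", "server_hostname": "web-01", "critical": true, "created_at": "2014-03-10T12:02:30Z"}
{"type": "Policy assigned", "server_hostname": null, "critical": false, "created_at": "2014-03-10T12:03:00Z"}
{"type": "Daemon compromised", "server_hostname": "db-01", "critical": true, "created_at": "2014-03-10T12:04:00Z"}
"""


def parse_timestamp(text):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(export_text):
    """Load one JSON object per non-empty line, skipping malformed lines."""
    events = []
    for line in export_text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated export line should not abort the whole run
    return events


def security_events(events, since=None, critical_only=False):
    """Keep only security-related event types, optionally restricted to a
    time window and to events flagged Critical, mirroring the portal's
    filter fields."""
    kept = []
    for event in events:
        if event.get("type") not in SECURITY_EVENT_TYPES:
            continue
        if critical_only and not event.get("critical"):
            continue
        if since is not None and parse_timestamp(event["created_at"]) < since:
            continue
        kept.append(event)
    return kept


def events_by_server(events):
    """Count events per server, the equivalent of sorting the portal results
    by the server column to see which hosts are generating them."""
    return Counter(e["server_hostname"] for e in events)


def tamper_events(events):
    """Return the special-events-policy violations (firewall modified outside
    Halo, agent tampered with), which the page singles out for attention."""
    return [e for e in events
            if e["type"] in ("Server firewall modified", "Daemon compromised")]


if __name__ == "__main__":
    sec = security_events(parse_events(SAMPLE_EXPORT))
    for host, count in events_by_server(sec).most_common():
        print(f"{host}: {count} security event(s)")
    for e in tamper_events(sec):
        print(f"{e['created_at']} {e['server_hostname']}: {e['type']}")
```

Run the file directly to see the per-server counts and the two tamper events from the sample feed; point `parse_events` at your own export text once you have confirmed the real field names. Malformed lines are skipped rather than aborting the run, because a single bad record in a large export should not hide the rest of the security events.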