Configuring CEF Log Integration

By default, SIEM log integration is disabled. You cannot enable both ITM On-Prem (ObserveIT) logging and SIEM logging at the same time, because doing so can cause serious performance issues.

To configure ITM On-Prem (ObserveIT) CEF log integration:

  1. Navigate to Configuration > Integrations > Integrated SIEM and click the SIEM Log Integration tab.

  2. Activate CEF log integration by selecting the Enable export to ArcSight format check box.

  3. In the Log data section, select at least one of the following data types for monitoring:

    • Windows and Unix Activity - selected by default.

    • Activity Alerts - selected by default.

    • DBA Activity

    • System Events

    • In-App Elements

    • Audit

    • Audit Sessions

    • Audit Logins

    • Audit Configuration Changes

    All selected log type data will be stored in one file; by default, Observeit_activity_log.cef.

  4. In the Log file properties section, specify the log file location and log file name:

    1. In the Folder location field, accept the default log file location C:\Program File\ObserveIT\NotificationService\LogFiles\ArcSight or specify a new path for the monitor log files. When you change the default log folder location, new session data is stored in the new path; existing data remains in the old location.

      The user account used by the ITM On-Prem (ObserveIT) Notification Service must have read and write permissions for the path. If the account lacks the permissions needed to create the directory or write to the log file, a system event is generated. In addition, the log file is limited to a predefined maximum size; if the file exceeds that size, a system event is generated. For further details, see System Events.

    2. In the File name field, use the default log file name Observeit_activity_log.cef or specify a new one.

  5. In the Log file cleanup section, schedule the frequency for clearing the log file:

    Select Run daily at, and specify the required time of day for the daily cleanup.

    -or-

    Select Run every, and specify the required number of days, hours, or minutes for the cleanup.

  6. Click Save to save the settings.

    After a few minutes, the log file will be generated. A new log file will be created according to the scheduled cleanup frequency.
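    As an added verification step that is not part of the ObserveIT documentation or product, the following Python reads an export file in the CEF layout this integration writes, reports any line that is not well-formed CEF, and checks the file against a size limit. The sample lines, vendor and product strings, signature IDs, extension keys and the limit value are constructed assumptions, not real ObserveIT output.

```python
import re
# Constructed sample in CEF layout; vendor, product, IDs and keys are assumptions, not real output.
SAMPLE_CEF = """\
CEF:0|ObserveIT|ITM On-Prem|7.0|100|User activity|3|suser=alice shost=WS01 msg=Opened notepad.exe
CEF:0|ObserveIT|ITM On-Prem|7.0|200|Policy \\| violation|8|suser=bob msg=Ran cmd \\= with pipe | inside act=Alert
this line is not CEF and must be reported, not silently skipped
"""
_EXT_SPLIT = re.compile(r"\s+(?=\w+=)")  # whitespace that precedes the next key=

def _split_header(line):
    """Split the 7 pipe-delimited header fields ('\\|' escapes a pipe); element 8 is the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if len(parts) < 7:  # escapes only matter inside the header
            if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
                buf.append(line[i + 1]); i += 2; continue
            if ch == "|":
                parts.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    parts.append("".join(buf))
    return parts

def _parse_extension(ext):
    """Parse 'key=value' pairs; values may contain spaces and '\\=' escapes."""
    pairs = {}
    for token in _EXT_SPLIT.split(ext.strip()):
        key, _, value = token.partition("=")  # keys are \w+, so the first '=' ends the key
        pairs[key] = re.sub(r"\\([=\\|])", r"\1", value)
    return pairs

def parse_cef_line(line):
    """Return a dict for one CEF record, or None when the line is not well-formed CEF."""
    parts = _split_header(line) if line.startswith("CEF:") else []
    if len(parts) != 8:
        return None
    record = {"cef_version": parts[0][4:], "extension": _parse_extension(parts[7])}
    record.update(zip(("vendor", "product", "version", "signature_id", "name", "severity"), parts[1:7]))
    return record

def check_cef_export(text, max_bytes):
    """Parse a whole export: records, malformed line numbers, and a size-limit check (limit value assumed)."""
    records, bad_lines = [], []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip():
            record = parse_cef_line(line)
            (records if record else bad_lines).append(record or number)
    return {"records": records, "bad_lines": bad_lines,
            "within_size_limit": len(text.encode("utf-8")) <= max_bytes}
```

    Run it against the real export (for example by reading Observeit_activity_log.cef from the configured folder) to confirm the file is being written and parses cleanly before pointing a SIEM collector at it.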

See ITM On-Prem (ObserveIT) Data Integration.