Skip to main content
Skip table of contents

Create a Remote Log Source - Imperva Incapsula

Topics Discussed

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine

  • Delete Log Management

  • Read Log Endpoints

  • Read Log Relays

  • Write Log Relays

  • Delete Log Relays

You can use this document to send Imperva Incapsula logs to Armor's Security Information & Event Management (SIEM).


Pre-deployment Considerations


To create a remote Log Relay, you must already have:

Configure the IAM Role


Configure The IAM Role For An EC2 Server
  1. Login into the AWS console.

  2. Go to the IAM service.

  3. Click Roles.

  4. Click Create role.

  5. Select AWS service, then select EC2 as the service that will use this role.

  6. Click Next: Permissions.

  7. Filter (search) policies on S3.

  8. Select the AmazonS3ReadOnlyAccess policy.

  9. Click Next: Tags.

  10. (Optional) Add tags.

  11. Click Next: Review.

  12. In Role Name, enter a name that indicates what the role is being used for.

  13. Click Create role.

Configure The IAM Role For A Non-EC2 Server
  1. Login into the AWS console.

  2. Go to the IAM service.

  3. Click Users.

  4. Click Add User.

  5. Enter the user name.

  6. For access type, select Programmatic access.

  7. Click Next: Permissions.

  8. Select Attach existing policies directly.

  9. Filter (search) policies on S3.

  10. Select the AmazonS3ReadOnlyAccess policy.

  11. Click Next: Tags.

  12. (Optional) Add tags.

  13. Click Next: Review.

  14. Click Create user.

  15. Copy the Access key ID and Secret access key, or download the user security credentials.

  16. Log into your log relay server.

  17. Run the following command to get the home path of the armor-logstash

    CODE
    ng: getent passwd armor-logstash
    • Sample results: armor-logstash:x:1002:1002::/opt/armor/logstash-6.7.0:/bin/bash.

  18. Copy the home path: /opt/armor/logstash-6.7.0.

  19. Navigate to this path: cd /opt/armor/logstash-6.7.0.

  20. Create the AWS folder: mkdir .aws.

  21. Create the credentials file in the new directory by running the following command:

    CODE
     nano .aws/credentials
  22. Add the following (default) to the file:

    CODE
    [default]
    # Your access key id
    aws_access_key_id = XXXXXXXXXXXXXXXXXXXX
    
    # Your secret access key
    aws_secret_access_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  23. Save the file.

  24. Restart logstash.

    • systemctl restart armor-logstash



Assign a Role to the EC2 Instance


  1. In the AWS console, go to the EC2 service.

  2. Click Instances to find the EC2 instance that is the log relay, then click the box next to the instance.

  3. Select Actions > Instance Settings > Attach/Replace IAM Role.

  4. In IAM role, select the role created.

  5. Click Apply.


Import Imperva Incapsula Logs from S3


  1. Log into your log relay server.

  2. Navigate to the /opt/armor/log-relay/conf.d folder.

  3. Create a new file using the following naming pattern: <pipeline_name>.<friendly_id>.env.

    • For example: pipeline-s3.incapsula.env

      • Pipeline name = "pipeline-s3"

      • Friendly_id (friendly name) = "incapsula"

  4. Add the following content to the newly created .env file. This will be used to populate the template and create the pipeline.

    CODE
    # The name of the S3 bucket
    bucket_name="example-bucket-name"
    
    # The region where the S3 bucket is provisioned
    region="example-region"
    
    # The type of logs being collected by this source
    log_type="imperva-incapsula"
    
    # The codec used to read the raw log files
    codec="line"
  5. After you have created the .env file and made any necessary changes, you will need to restart logstash.

    • systemctl restart armor-logstash


Verify Logs in AMP


In the Armor Management Portal (AMP), you can view the actual logs to confirm that the configuration was successful.

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Log & Data Management, and then select Search.

  3. In the Source column, review the source name to locate the newly created Imperva Incapsula remote log source.

    1. In the search field, you can also enter "incapsula" to locate Imperva Incapsula messages.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.