Retrieve your Imperva access and event logs from the Imperva cloud repository and archive or push these events into your SIEM solution.
- The availability of this feature depends on your subscription. For more information or to upgrade your plan, contact an Imperva sales representative.
- Logs will include events that occur after the log integration is activated.
In this topic:
- The log integration process
- Set up log integration
- Enable log encryption
- Download the logs
- Switch integration modes
Imperva creates the following comprehensive and detailed logs:
- Security logs provide a detailed alert for each suspicious event detected by the Imperva proxy while protecting your network throughout its globally distributed network. All logs include the account ID and site ID references, which enables drill down into each individual customer/site.
- Access logs specify every request and response sent between your customers and the Imperva proxy. This is all the traffic that would have been sent between end users and your origin server, including traffic that Imperva served from its cache.
Imperva supports CEF, LEEF, and W3C log formats and provides event reporting of in-depth event information, such as attacker geo-location and client application signature.
Logs are typically synchronized within 10 minutes, although it may take up to 30 minutes depending on system load.
Log integration modes
Imperva provides several modes of log integration:
Retrieve (Pull mode): Log integration API. Your logs are saved in a dedicated Imperva cloud in a repository created for you. Imperva enables you to upload a public key to encrypt your log files, activate Imperva log collection, change the logging level, and download log files from the Imperva storage repository to your network.
Log storage: Logs are aggregated at the Imperva log repository and are kept up to 48 hours. The system uses a cyclic override process in which the first written file is the first to be deleted in order to leave space for a new log file.
Log index file: Imperva provides a Log Index file that specifies the log files generated for you. This Index file lists which log files are available to download. The index file is not modified based on which log files have already been downloaded. It always contains the full list of available log files at any given moment.
Receive (Push mode): Automatic log integration via SFTP or Amazon S3. Your logs are pushed upon creation to your pre-defined repository - an AWS S3 bucket or an SFTP folder. Logs are automatically transferred from the Imperva cloud repository to your repository. No log data is stored in Imperva at any time.
You can choose to implement log encryption for Imperva logs. Logs are encrypted by a private-public key pair that you generate, to help safeguard the privacy of your data when stored in the Imperva cloud repository. The encryption is done automatically at the Imperva cloud repository. You need to decrypt the log files after download.
If you are using the receive (push) option for log integration, the best practice recommendation discourages using encryption. As the logs are not written to the Imperva cloud repository, the risk of log exposure is minimal.
Predefined SIEM packages
Predefined SIEM application packages which automate the loading of events from the Imperva cloud into your SIEM are available. These predefined packages come ready-made to manipulate and display each Imperva log event in your SIEM dashboard in order to facilitate reporting automation, prioritized mitigation, and general event handling.
Note: These packages are developed and maintained independently of Imperva, and are therefore not supported by Imperva.
The functionality differs per package. Any requests for additional functions or bug fixes should be submitted through GitHub.
Packages are available for:
- Micro Focus ArcSight (Express/ESM)
- McAfee Enterprise Security Manager
- Sumo Logic
Several additional platforms provide SIEM integrations with Imperva:
- IBM QRadar
- AlienVault USM Anywhere
If you choose the retrieve mode to access the logs, a sample Python script and configuration file are available for download to assist you with the process. Imperva does not maintain this script. It is hosted in GitHub and managed by the open source community.
This section provides an overview of the log integration process. To configure Imperva log integration, do the following:
Activate logging and configure the log integration settings in the Imperva Cloud Security Console.
|Set up log integration|
(Optional) Enable log encryption.
|Enable log encryption|
(Optional) Install and configure the relevant SIEM package.
|Installing a SIEM Package|
|When using the retrieve/pull mode for log integration, retrieve the logs using the Imperva Cloud Application Security APIs.||Download the logs|
Enable and configure log integration in the Imperva Cloud Security Console.
Prerequisites: If you are implementing log integration using the push mode (automatic log integration via SFTP or Amazon S3), make sure that Imperva IP addresses can access your site. For details, see Incapsula IP addresses .
For accounts with sub accounts: Logs for sub accounts can be activated from both the parent account and the sub accounts, as follows:
|Accounts Log Levels page||
In the parent account: Activate logs for sub accounts. Logs are collected for all sites in the selected sub accounts and retrieved according to the method configured in the Logs Setup page in the parent account.
|Sites Log Levels page||
In a sub account: Activate logs for any sites in the sub account. Logs are collected for all sites in the sub account and retrieved according to the method configured in the Logs Setup page in the sub account.
To configure log integration:
- Log into your my.imperva.com account.
On the sidebar, click Logs > Log Setup.
Select a connection mode:
Mode Instructions Pull mode: Download logs using a script
Select Imperva API.
Click the links to download the API Connector and the Settings.Config Log configuration file. The Connector is a sample script you can use to download the logs after they are generated.
Under Connection, copy the API Key before exiting the window. You will need it later. If you forget to copy the key, you can come back to this window later and click Generate API Key to create a new key.
The Log Server URL field specifies the URL of your Imperva log repository in the Imperva cloud. Use this location to download the generated logs.
For more details, see Download the logs.
Push mode: Receive logs
Select SFTP or Amazon S3.
Fill in your credentials:
SFTP: Host (machine IP), User name, and Password.
Amazon S3: Your S3 Access key, Secret key, and Path, where path is the location of the folder where you want to store the logs. Enter the path in the following format: <Amazon S3 bucket name>/<log folder>. For example:
Click Test connection to perform a full testing cycle in which a test file will be transferred to your designated folder. The test file does not contain real data, and will be removed by Imperva when the transfer is complete.
Configure the additional options:
Option Instructions Format
Select the format for the log files: CEF (default), W3C, or LEEF.
By default, log files are compressed. Clear this option to keep the logs uncompressed.
Note: If you are using the pull mode to download your logs using the API Connector (Python script), compressed files must be used. Uncompressed files will result in an error (-3).
(Optional) Click Upload Key to upload a public key (2048-bits long) to Imperva. Your log files will be encrypted using this key.
For full details, see Enable log encryption.
Click a SIEM package to download.
Install the downloaded package. For details, see Installing a SIEM Package.
- Click Save to save all changes.
On the sidebar, click Log Levels. The following window displays:
Select a log level for each site to enable logging, or leave disabled. There are two levels of logs:
Security Logs include the Imperva security events log.
All Logs comprises a comprehensive log of every request and response (access logs), as well as the security events log.
- Verify that the relevant Imperva SIEM package (Splunk, HP ArcSight, McAfee, GrayLog or QRadar) is receiving events.
Imperva uses two layers for encrypting the log events:
- Imperva encrypts events using a symmetric key (AES 128).
- The symmetric key itself is encrypted asymmetrically using a public key (2048) provided during the public key configuration step.
To define Imperva log encryption:
Generate a private key by using the command line:
openssl genrsa -out Private.pem 2048
- The private key is created with a .pem extension. Change it to the .key extension.
- On the machine on which your SIEM application is installed, save the private key with the .key extension under the config/keys/1 library.
Generate a public key by using the command line:
openssl rsa -in Private.pem -outform PEM -pubout -out Public.pem
- Upload the public key to Imperva using one of the following options:
- Cloud Security Console: In Log Setup, use the Upload Key button. For details, see Set up log integration.
- API: Use the Upload Public Key API, as described in Traffic Statistics and Details API.
- Each time you upload a public key, it is numbered, starting from the single-digit 1. The next time you upload a public key, it will be number two and so on. This number later appears in the Imperva log file header, which indicates which key to use to decrypt the file. Always keep a copy of your old key versions, in case you want to decrypt historical log files.
- Each time you upload a public key, store the new private key in the new library at the origin server, as follows:
- Activate the log encryption feature using one of the following options:
To decrypt the logs, you will need to:
- Use the private key to decrypt the symmetric key.
- Use the symmetric key to decrypt the events in the log file sent by Imperva.
If you choose to manage your logs using the Imperva log integration API, you need to download the logs after they are generated. A sample Python script for implementing the API, referred to as the Connector, as well as installation and configuration instructions, are available in GitHub. The script is managed by the open source community.
Downloading Imperva Logs - Process overview
This section provides an overview of the process you need to follow to download Imperva logs.
Download the Imperva logs.index file:
In the Imperva Cloud Security Console, in the Logs > Log Setup page, under Connection, locate the Log Server URL.
To access the index file, append logs.index to the end of the Log Server URL, in the format <Log_Server_URL>/<Specific_Log_File>.
The index file lists the log entries that are currently available in the Imperva log repository.
Authentication for access to the logs is performed using the API ID and API Key.
- Send an HTTPS call for each file listed in the index file that you want to download. As new log files are generated, they are numbered sequentially, but may occasionally skip integers.
If using encryption, decrypt the files to read the contents, as follows:
Decrypt the key value with the appropriate private key, according to the publicKeyId value. For details, see Log File Structure.
Use the decrypted symmetric key to decrypt the log content.
Decompress the files.
This example shows how to decompress a log file using Linux bash commands:
csplit -sz 123_345.log -f 123_345.log. /\|\=\=\|/ sed -i '/|==|/d' 123_345.log.01 cat 123_345.log.00 > 123_345.log.decompressed zlib-flate -uncompress < 123_345.log.01 >> 123_345.log.decompressed rm 123_345.log.0*
You can switch between the retrieve (pull) and receive (push) modes of log integration. If you switch from the Incapsula API pull mode to SFTP or Amazon S3 push mode, Imperva continues upload attempts for 90 minutes, after which log files will be lost without the option of retrieval. After 30 minutes, a warning email is sent to your account, according to the e-mail settings defined in Account Settings. If Imperva fails to push the logs to SFTP or Amazon S3 within 90 minutes, another email notification is sent to indicate that action is required.