Configure Log Inspection

Configure the Log Inspection module to define its behavior for a policy. When designing the modules behavior and implementing it using the API, use the same background information and guidance that is provided in the Deep Security Help Center.

Policy objects contain two objects that you use to configure the Log Inspection module:

  • LogInspectionPolicyExtension: Controls the module state (on or off), and identifies the applied Log Inspection rules.
  • PolicySettings: Policy settings include Log Inspection-related settings that control the runtime behavior of the module, such as the automatic application of recommendation scans, and event forwarding and storage.(See Configure policy and default policy settings.)

After you create these objects and add them to a Policy object, you use the PoliciesApi class to modify an existing policy based on the Policy object.

The following JSON represents the data structure of an LogInspectionPolicyExtension object:

{
    "state": "on",
    "moduleStatus": {...},
    "ruleIDs": [...]
}

The moduleStatus property is read-only. It provides the runtime status of the Log Inspection module. (See Report on Computer Status.)

General steps

Use the following steps to configure the Log Inspection module:

  1. Create aLogInspectionPolicyExtension object and set the properties.
  2. Create a PolicySettings object to configure runtime settings of the module. (See Configure policy and default policy settings.)
  3. Create a Policy object and add the LogInspectionPolicyExtension and PolicySettings objects.
  4. Use a PoliciesApi object to add or update the policy on Deep Security Manager.

Create aLogInspectionPolicyExtensionobject to set the module state and assign rules:

Python
policy_config_log_inspection = api.LogInspectionPolicyExtension()
policy_config_log_inspection.state = "on"
policy_config_log_inspection.rule_ids = li_rules
JavaScript
const logInspectionPolicyExtension = new api.LogInspectionPolicyExtension();
logInspectionPolicyExtension.state = api.LogInspectionPolicyExtension.StateEnum.on;
logInspectionPolicyExtension.ruleIDs = liRules;
Java
LogInspectionPolicyExtension logInspectionPolicyExtension = new LogInspectionPolicyExtension();
logInspectionPolicyExtension.setState(StateEnum.ON);
logInspectionPolicyExtension.addRuleIDsItem(liRule);

Add the Log Inspection policy extension to aPolicyobject and then use aPoliciesApiobject to modify a policy on Deep Security Manager.

Python
policy = api.Policy()
policy.log_inspection = policy_config_log_inspection

policies_api = api.PoliciesApi(api.ApiClient(configuration))
modified_policy = policies_api.modify_policy(policy_id, policy, api_version)
JavaScript
const policy = new api.Policy();
policy.logInspection = logInspectionPolicyExtension;

const policiesApi = new api.PoliciesApi();
return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false });
Java
Policy policy = new Policy();
policy.setLogInspection(logInspectionPolicyExtension);

PoliciesApi policiesApi = new PoliciesApi();
Policy modifiedPolicy = policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion);

The policy_id (or policyID) parameter of modifyPolicy identifies the actual policy on Deep Security Manager that is to be modified. This policy is modified according to the policy object that is used as the policy parameter. Any properties of the policy parameter that are not set remain unchanged on the actual policy.

Example

The following example turns on Log Inspection and adds a log inspection rule for a policy.

Python
View source
# Set the state
policy_config_log_inspection = api.LogInspectionPolicyExtension()
policy_config_log_inspection.state = "on"

# Add the rules
policy_config_log_inspection.rule_ids = li_rules

# Add to a policy
policy = api.Policy()
policy.log_inspection = policy_config_log_inspection

# Modify the policy on Deep Security Manager
policies_api = api.PoliciesApi(api.ApiClient(configuration))
modified_policy = policies_api.modify_policy(policy_id, policy, api_version)

return modified_policy.id
JavaScript
View source
// Turn on Log Inspection
const logInspectionPolicyExtension = new api.LogInspectionPolicyExtension();
logInspectionPolicyExtension.state = api.LogInspectionPolicyExtension.StateEnum.on;

// Add the rule
logInspectionPolicyExtension.ruleIDs = liRules;

// Add to a policy
const policy = new api.Policy();
policy.logInspection = logInspectionPolicyExtension;

// Modifies the policy on Deep Security Manager
const modify = () => {
  const policiesApi = new api.PoliciesApi();
  return policiesApi.modifyPolicy(policyID, policy, apiVersion, { overrides: false });
};

modify()
  .then(modifiedPolicy => {
    resolve(modifiedPolicy.ID);
  })
  .catch(error => {
    reject(error);
  });
Java
View source
// Turn on Log Inspection
LogInspectionPolicyExtension logInspectionPolicyExtension = new LogInspectionPolicyExtension();
logInspectionPolicyExtension.setState(StateEnum.ON);

// Add the rule ID
logInspectionPolicyExtension.addRuleIDsItem(liRule);

// Add to a policy
Policy policy = new Policy();
policy.setLogInspection(logInspectionPolicyExtension);

// Update the policy on Deep Security Manager
PoliciesApi policiesApi = new PoliciesApi();
return policiesApi.modifyPolicy(policyId, policy, Boolean.FALSE, apiVersion).getID();

Also see the Modify a Policy operation in the API Reference.

If you only need to add, remove, or list Log Inspection rules for a policy, use the PolicyLogInspectionRuleAssignmentsApi class. The previous example uses the LogInspectionPolicyExtension, Policy, and PoliciesApi classes to add Log Inspection rules, but this can also be done using only the PolicyLogInspectionRuleAssignmentsApi class. For more information, see Policy Log Inspection Rule Assignments and Recommendations in the Policies section of the API Reference.

For information about authenticating API calls, see Authenticate with Deep Security Manager.

Create a Log Inspection rule

Generally, to create a Log Inspection rule you perform the following steps:

  1. Create an IntegrityMonitoringRule object.
  2. Configure the rule properties to set the name, description, and the log file to inspect. Properties are described in the Deep Security Help Center.
  3. Use an IntegrityMonitoringRulesApi object to add the rule to Deep Security Manager.
Set the Template property of the rule object to indicate how you are defining the rule:
  • Basic: A single Log Inspection rule under a single rule group. You provide values for each property of the rule.
  • Custom: A single or multiple rules under a single group or multiple groups. You provide XML (base64-encoded) that defines the rule or rules. Set the value of the CustomXML property to the custom XML.
Configuration options of Intrusion Prevention, Integrity Monitoring, and Log Inspection rules are not accessible using the API. To change these options, in the Deep Security Manager console open the rule properties and click the Configuration tab.

To use the API to create a Log Inspection rule, send a POST request to theloginspectionrules endpoint. (See the Create a Log Inspection Rule operation in the API Reference.)

Create a basic Log Inspection rule

The following example configures a a basic log inspection rule and creates it on Deep Security Manager.

Python
View source
# Create the rule object
li_rule = api.LogInspectionRule()
li_rule.name = name
li_rule.description = "A log inspection rule"

# Create a log file and add it to the rule
log_file = api.LogFile()
log_file.location = "C/logfile.log"
log_file.format = "eventlog"
log_files = api.LogFiles()
log_files.log_files = [log_file]
li_rule.log_files = log_files

# Define the rule
li_rule.template ="basic-rule"
li_rule.pattern = pattern
li_rule.pattern_type = "string"
li_rule.rule_description = "Rule for " + path + " and pattern " + pattern
li_rule.groups = [group]

# Add the rule to Deep Security Manager
log_inspection_rules_api = api.LogInspectionRulesApi(api.ApiClient(configuration))

return log_inspection_rules_api.create_log_inspection_rule(li_rule, api_version)
JavaScript
View source
// Create the rule object and set name
const liRule = new api.LogInspectionRule();
liRule.name = name;

// Create the LogFile and add to rule
const logFile = new api.LogFile();
logFile.location = path;
logFile.format = "eventlog";
const logFiles = new api.LogFiles();
logFiles.logFiles = [logFile];
liRule.logFiles = logFiles;

// Define the rule
liRule.template = "basic-rule";
liRule.pattern = pattern;
liRule.patternType = "string";
liRule.ruleDescription = "Rule for " + path + " and pattern " + pattern;
liRule.groups = [group];

// Creates on Deep Security Manager
const createRule = () => {
  const logInspectionRulesApi = new api.LogInspectionRulesApi();
  return logInspectionRulesApi.createLogInspectionRule(liRule, apiVersion);
};

createRule()
  .then(data => {
    resolve(data);
  })
  .catch(error => {
    reject(error);
  });
Java
View source
// Create the rule and add basic information
LogInspectionRule liRule = new LogInspectionRule();
liRule.setName("Inspect Log for Error");
liRule.setDescription("A simple rule.");

// Log files to inspect
LogFile logFile = new LogFile();
logFile.setLocation("C:\logfile.log");
logFile.setFormat(LogFile.FormatEnum.EVENTLOG);
LogFiles logFiles = new LogFiles();
logFiles.addLogFilesItem(logFile);
liRule.setLogFiles(logFiles);

// Template type is Basic Rule
liRule.setTemplate(LogInspectionRule.TemplateEnum.BASIC_RULE);

// Set the pattern
liRule.setPattern("^ERROR");
liRule.setPatternType(LogInspectionRule.PatternTypeEnum.STRING);

// Description and group
liRule.setRuleDescription("Test Rule Description");
List<String> groups = new ArrayList<>();
groups.add("Windows Rules");
liRule.setGroups(groups);

// Add the rule to Deep Security Manager
LogInspectionRulesApi liRulesApi = new LogInspectionRulesApi();
liRule = liRulesApi.createLogInspectionRule(liRule, apiVersion);

For information about authenticating API calls, see Authenticate with Deep Security Manager.

Create a log inspection rule using XML

The following example creates a Log Inspection rule from XML, and adds the rule to Deep Security Manager.

Python
View source
# Create the rule object
li_rule = api.LogInspectionRule()
li_rule.name = name
li_rule.description = "A log inspection rule"

# Create a log file and add it to the rule
log_file = api.LogFile()
log_file.location = "C/logfile.log"
log_file.format = "eventlog"
log_files = api.LogFiles()
log_files.log_files = [log_file]
li_rule.log_files = log_files

# Define the rule
li_rule.template ="custom"
li_rule.XML = xml

# Add the rule to Deep Security Manager
log_inspection_rules_api = api.LogInspectionRulesApi(api.ApiClient(configuration))

return log_inspection_rules_api.create_log_inspection_rule(li_rule, api_version)
JavaScript
View source
// Create the rule object and set name
const liRule = new api.LogInspectionRule();
liRule.name = name;

// Create the LogFile and add to rule
const logFile = new api.LogFile();
logFile.location = path;
logFile.format = "eventlog";
const logFiles = new api.LogFiles();
logFiles.logFiles = [logFile];
liRule.logFiles = logFiles;

// Define the rule
liRule.template = "custom";
liRule.ruleXML = xml;

// Creates the rule on Deep Security Manager
const createRule = function() {
  const logInspectionRulesApi = new api.LogInspectionRulesApi();
  return logInspectionRulesApi.createLogInspectionRule(liRule, apiVersion);
};

createRule()
  .then(data => {
    resolve(data);
  })
  .catch(error => {
    reject(error);
  });
Java
View source
// Create the rule and add basic information
LogInspectionRule liRule = new LogInspectionRule();
liRule.setName("Inspect Log for Error XML");
liRule.setDescription("A simple rule.");

// Log files to inspect
LogFile logFile = new LogFile();
logFile.setLocation("C:\logfile.log");
logFile.setFormat(LogFile.FormatEnum.EVENTLOG);
LogFiles logFiles = new LogFiles();
logFiles.addLogFilesItem(logFile);
liRule.setLogFiles(logFiles);

// Template type is Custom
liRule.setTemplate(LogInspectionRule.TemplateEnum.CUSTOM);

// Set the XML
liRule.setRuleXML(xml);

// Add the rule to Deep Security Manager
LogInspectionRulesApi liRulesApi = new LogInspectionRulesApi();
return liRulesApi.createLogInspectionRule(liRule, apiVersion);

For information about authenticating API calls, see Authenticate with Deep Security Manager.