Configure the Log Inspection module to define its behavior for a policy. When designing
the module’s behavior and implementing it using the API, use the same background information
and guidance that is provided in About Log Inspection.
Policy objects contain two objects that you use to configure the Log Inspection module:
LogInspectionPolicyExtension
: Controls the module state (on or off), and identifies the applied Log Inspection rules.PolicySettings
: Policy settings include Log Inspection-related settings that control the runtime behavior of the module, such as the automatic application of recommendation scans, and event forwarding and storage. (See Configure policy and default policy settings.)
After you create these objects and add them to a
Policy
object, you use the PoliciesApi
class to modify an existing policy based on the Policy
object.The following JSON represents the data structure of an
LogInspectionPolicyExtension
object:{ "state": "on", "moduleStatus": {...}, "ruleIDs": [...] }
The
moduleStatus
property is read-only. It provides the runtime status of the Log Inspection module.
(See Report on Computer Status.)General steps
Use the following steps to configure the Log Inspection module:
-
Create a
LogInspectionPolicyExtension
object and set the properties. -
Create a
PolicySettings
object to configure runtime settings of the module. (See Configure policy and default policy settings.) -
Create a
Policy
object and add theLogInspectionPolicyExtension
andPolicySettings
objects. -
Use a
PoliciesApi
object to add or update the policy on Server & Workload Protection.
Create a
LogInspectionPolicyExtension object
to set the module state and assign rules:policy_config_log_inspection = api.LogInspectionPolicyExtension() policy_config_log_inspection.state = "on" policy_config_log_inspection.rule_ids = li_rules
Add the Log Inspection policy extension to a Policy object and then use a
PoliciesApi
object to modify a policy on Server & Workload Protection.policy = api.Policy() policy.log_inspection = policy_config_log_inspection policies_api = api.PoliciesApi(api.ApiClient(configuration)) modified_policy = policies_api.modify_policy(policy_id, policy, api_version)
The
policy_id
(or policyID
) parameter of
modifyPolicy
identifies the actual policy on Server & Workload Protection that is to be modified. This policy
is modified according to the policy object that is used as the
policy
parameter. Any properties of the
policy
parameter that are not set remain unchanged on the
actual policy.Example
The following example turns on Log Inspection and adds a log inspection rule for a
policy.
# Set the state
policy_config_log_inspection = api.LogInspectionPolicyExtension()
policy_config_log_inspection.state = "on"
# Add the rules
policy_config_log_inspection.rule_ids = li_rules
# Add to a policy
policy = api.Policy()
policy.log_inspection = policy_config_log_inspection
# Modify the policy on Server & Workload Protection
policies_api = api.PoliciesApi(api.ApiClient(configuration))
modified_policy = policies_api.modify_policy(policy_id, policy, api_version)
return modified_policy.id
TipAlso see the Modify a Policy operation in the API Reference.
|
TipIf you only need to add, remove, or list Log Inspection rules for a policy, use the
PolicyLogInspectionRuleAssignmentsApi class. The previous example uses the LogInspectionPolicyExtension , Policy , and PoliciesApi classes to add Log Inspection rules, but this can also be done using only the PolicyLogInspectionRuleAssignmentsApi class. For more information, see Policy Log Inspection Rule Assignments and Recommendations in the Policies section of the API Reference.
|
For information about authenticating API calls, see Authenticate with Server & Workload Protection.
Create a Log Inspection rule
Generally, to create a Log Inspection rule you perform the following steps:
Procedure
- Create an
IntegrityMonitoringRule
object. - Configure the rule properties to set the name, description, and the log file to inspect. Properties are described in Subrules.
- Use an
IntegrityMonitoringRulesApi
object to add the rule to Server & Workload Protection.
What to do next
Set the
Template
property of the rule object to indicate how you are defining the rule:- Basic: A single Log Inspection rule under a single rule group. You provide values for each property of the rule.
- Custom: A single or multiple rules under a single group or multiple groups. You provide
XML (base64-encoded) that defines the rule or rules. Set the value of the
CustomXML
property to the custom XML.
NoteConfiguration options of Intrusion Prevention, Integrity Monitoring, and Log Inspection
rules are
not accessible using the API. To change these options, in the Server & Workload Protection console open the rule
properties and click the Configuration tab.
|
To use the API to create a Log Inspection rule, send a POST request to
the
loginspectionrules
endpoint. (See the Create a Log Inspection Rule operation in the API Reference.)Create a basic Log Inspection rule
The following example configures a a basic log inspection rule and creates it on Server & Workload Protection.
# Create the rule object
li_rule = api.LogInspectionRule()
li_rule.name = name
li_rule.description = "A log inspection rule"
# Create a log file and add it to the rule
log_file = api.LogFile()
log_file.location = "C/logfile.log"
log_file.format = "eventlog"
log_files = api.LogFiles()
log_files.log_files = [log_file]
li_rule.log_files = log_files
# Define the rule
li_rule.template ="basic-rule"
li_rule.pattern = pattern
li_rule.pattern_type = "string"
li_rule.rule_description = "Rule for " + path + " and pattern " + pattern
li_rule.groups = [group]
# Add the rule to Server & Workload Protection
log_inspection_rules_api = api.LogInspectionRulesApi(api.ApiClient(configuration))
return log_inspection_rules_api.create_log_inspection_rule(li_rule, api_version)
For information about authenticating API calls, see Authenticate with Server & Workload Protection.
Create a log inspection rule using XML
The following example creates a Log Inspection rule from XML, and adds the rule to
Server & Workload Protection.
# Create the rule object
li_rule = api.LogInspectionRule()
li_rule.name = name
li_rule.description = "A log inspection rule"
# Create a log file and add it to the rule
log_file = api.LogFile()
log_file.location = "C/logfile.log"
log_file.format = "eventlog"
log_files = api.LogFiles()
log_files.log_files = [log_file]
li_rule.log_files = log_files
# Define the rule
li_rule.template ="custom"
li_rule.XML = xml
# Add the rule to Server & Workload Protection
log_inspection_rules_api = api.LogInspectionRulesApi(api.ApiClient(configuration))
return log_inspection_rules_api.create_log_inspection_rule(li_rule, api_version)
For information about authenticating API calls, see Authenticate with Server & Workload Protection.