Configure the Bomgar Privileged Access SIEM Tool Plugin

Once the plugin has been deployed as described in Bomgar Privileged Access Middleware Engine Installation and Configuration, the plugin can then be configured and tested.

To begin configuration, launch the Middleware Administration Tool and click the clipboard icon next to the plugin name.

Bomgar Appliance

SIEM plugin

The first portion of the plugin configuration provides the necessary settings for communication between the plugin and the Bomgar Appliance. The configuration sections include:

  1. Plugin Configuration Name: Any desired value. Because multiple configurations can be created for a single plugin, allowing different environments to be targeted, provide a descriptive name to indicate how this plugin is to be used.
  2. Appliance Id: This can be left as Default or can be given a custom name. This value must match the value configured on the outbound event URL in the Bomgar Appliance. If outbound events are not being used, this value is still required, but any value may be used.
  3. Bomgar Appliance Host Name: The hostname of the Bomgar Appliance. Do not include https:// or other URL elements.
  4. Bomgar Integration API OAuth Client ID: When using API accounts in Bomgar PA 17.1 or newer, this field should contain the Client ID of the OAuth account.
  5. Bomgar Integration API OAuth Client Secret: When using API accounts in Bomgar PA 17.1 or newer, this field should contain the Client Secret of the OAuth account.
  6. Bomgar Integration API User Name: The username of the API service account created on the Bomgar Appliance.
  7. Bomgar Integration API Password: The password of the above user.
  8. Locale Used for Bomgar API Calls: This value directs the Bomgar Appliance to return session data in the specified language.
  9. Disabled: Enable or disable this plugin configuration.
  10. Allow Invalid Certificates: Leave unchecked unless there is a specific need to allow invalid certificates. If enabled, invalid SSL certificates are accepted in calls performed by the plugin, which permits, for example, self-signed certificates. This is not recommended in production environments.
  11. Use Non-TLS Connections: Leave unchecked unless it is the specific goal to use non-secure connections to the Bomgar Appliance. If checked, TLS communication is disabled altogether. If non-TLS connections are allowed, HTTP access must be enabled on the Bomgar /login > Management > API Configuration page. Using non-secure connections is discouraged.

    Note: When using OAuth authentication, TLS cannot be disabled.

  12. Outbound Events Types: Specify which events the plugin processes when received by the middleware engine. Keep in mind that any event types selected here must also be configured to be sent in Bomgar. The middleware engine receives any events configured to be sent in Bomgar but passes them off to the plugin only if the corresponding event type is selected in this section.
    1. Access Session End
  13. Polling Event Types: If network constraints limit connectivity between the Bomgar Appliance and the middleware engine such that outbound events cannot be used, an alternative is to use polling. The middleware engine regularly polls the Bomgar Appliance for any sessions that have ended since the last session was processed. At this time, only the Access Session End event type is supported.
  14. Polling Interval: Enter only if polling is used. This determines how often the middleware engine polls the Bomgar Appliance for sessions that have ended.
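
The following pre-flight check is an added example, not part of the Bomgar documentation or tooling. It checks that the value intended for Bomgar Appliance Host Name is a bare hostname and that the appliance's certificate passes full verification, so Allow Invalid Certificates and Use Non-TLS Connections can stay unchecked. The function names, port 443, and the placeholder host appliance.example.com are assumptions.

```python
import socket
import ssl
import sys


def validate_host_field(value):
    """Return the bare hostname, or raise ValueError if the value carries
    a scheme, path, port, credentials or embedded whitespace."""
    host = value.strip()
    if not host or any(c in host for c in "/:@? \t"):
        raise ValueError(f"not a bare hostname: {value!r}")
    return host.lower()


def probe_certificate(host, port=443, timeout=5.0):
    """Connect with chain and hostname verification enabled.
    Returns (True, negotiated TLS version) or (False, reason)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Self-signed, expired or name-mismatched certificates land here.
        return False, f"certificate rejected: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    # appliance.example.com is a placeholder, not a real appliance.
    arg = sys.argv[1] if len(sys.argv) > 1 else "appliance.example.com"
    host = validate_host_field(arg)
    ok, detail = probe_certificate(host)
    print(f"{host}: {'OK' if ok else 'FAIL'} ({detail})")
    sys.exit(0 if ok else 1)
```

A "certificate rejected" result means the plugin would only connect with Allow Invalid Certificates enabled; fixing the appliance certificate or the trust store on the middleware server is the alternative to enabling it.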

SIEM Tool Instance

These are the fields and selections needed to configure the plugin for integration with the SIEM tool. Please see the individual SIEM installation guides for guidance on what values to provide.

  1. Target SIEM System: Select the target SIEM tool from the list.
  2. SIEM Syslog Host: Enter the hostname or IP address of the SIEM instance that should receive the messages.
  3. SIEM Syslog Port: Enter the port used by the SIEM instance to receive syslog messages.
  4. SIEM Syslog Protocol: Select the appropriate protocol from the list.
  5. Events to Process: Bomgar session data can contain many different event types. All types are available; however, a subset may be desired in the SIEM tool. Select only the events you would like sent to the tool. Events matching unchecked event types are ignored.

Report Templates

On the Bomgar Middleware Engine server, the <install dir>\Plugins\<integration>\Templates folder contains multiple files with the .hbs extension. The application uses these files to format the syslog messages transmitted to the SIEM tool each time a Bomgar session ends. The templates can be edited if desired.

Note: If changes need to be made to a template, it is a good idea to first back up the original in case the changes ever need to be reverted.

For additional information on Handlebars templates, see handlebarsjs.com.