Create an event destination

  • 7016543
  • 28-May-2015
  • 28-May-2015

Environment

NetIQ Change Guardian 4.1.1
NetIQ Change Guardian 4.1

Situation

Send events to a third party SIEM.
Route events to Sentinel.
Change the default Event Destination that policies are assigned to.
Route events to multiple locations.


Resolution

To route events to different or multiple locations, an event destination must be created to represent each location. Then the event destination(s) must be associated with the respective policies and assigned. Follow the directions below to modify an event destination or to send events to a new or other location.

Create/Edit an Event Destination
1.) Log on to the Change Guardian Policy Editor and select Settings/Event Destination from the menu bar.
2.) The Event Destination Configuration window will appear and display all of the currently available event destinations. There should be one destination with a check beside it, indicating that it is the default event destination currently associated with all policies. If more than one default event destination is checked, please contact Technical Support to assist in resolving the issue. Select the event destination that needs to be modified and then select Edit, or select New to create a new event destination.
3.) The information needed is the same whether you are editing an event destination or creating a new one. Please enter or update the information based on the list below.
Name: The name of the Event Destination.
Model: To have events sent from the agent to the destination, select REST Dispatcher.
Description: Enter a description to represent the Event Destination.
Host: Name or IP of the target machine where events should be sent.
Port: 8443 is the default for Change Guardian and Sentinel. If the third party SIEM requires a different port, place that here. This will be the port that passes the generated event from the agent to the target.
User: Specify a user that has authority on the target machine.
Password: Specify the password for the user.
  ** Connection Usage: This area should only be filled out when creating a syslog Event Destination.
4.) Once the event destination is created or edited, ensure that the correct Event Destination is selected to be the default. Only one can be the default, and once it is selected it will be attached to every new policy assignment from the moment it is set as default. The policies that are already assigned will continue to use the default destination that was in place when they were created.
5.) Now that the Event Destination is created/edited, it needs to be associated with the assigned policy for the agent to receive the destination information during the next heartbeat. To do this, go to the NetIQ Change Guardian node at the bottom left of the screen. Then select the Policy Assignment node at the top left of the screen. Select Asset Groups or Assets from the pull down menu, depending on the preferred method of assignment.
6.) Select the desired group or asset and then select the Assign Policies button at the bottom of the screen. The Assign Policies and Policy Sets screen will display.
7.) Select the Policy Sets or Policies tab at the top of the popup window, then select the desired policy or policy set that should have the Event Destination modified or assigned.
8.) Once the desired policy or policy set is selected, the Advanced button will display at the bottom of the screen. Select the Advanced button.
9.) The advanced settings window will display and show all of the existing Event Destinations. Select the event destinations that should be attached to the selected policy; one or more can be selected. Then select okay to save the changes.
10.) Once the changes have been saved, the agent will pick up the updated or new Event Destination when the next heartbeat occurs.

Cause

The Change Guardian product allows the agent to send events to multiple event destinations.  The agent utilizes the assigned event destinations once downloaded through the agent heartbeat.