Set up integration with RuSIEM SIEM-system

If you do not have RuSIEM installed, install it.
Optional: configure ports for receiving audit logs in RuSIEM.
Create a service user.
Get an IAM token for the account.
Get a script to export audit logs.
Set up and run the script.
Set up the receipt of audit logs in RuSIEM.

1. Install RuSIEM

Open the CLI.

Install RuSIEM:

wget https://files.rusiem.tech/nextcloud/s/j6wcHzzaqT8w5wc/download -O install.sh; bash ./install.sh

Specify system parameters in the interactive menu. See RuSIEM documentation for more details.

2. Optional: change the port for receiving audit logs in RuSIEM

Authorize in the RuSIEM web-interface.
Go to Settings → Microservices Setup.
Check the checkbox Expert mode.
Click .
Change the port number in the syslog configuration.
Click Save.

3. Create a service user

Add a service user with permission in the access area Account and role member.

Users can be added by the Account Owner or users with the role of iam.admin.

4. Get an IAM token for the account

Get an IAM token for the account for the service user you created in step 3.

5. Get a script for exporting audit logs

We have prepared a script for exporting audit logs - it allows you to upload logs to a file and send them to a specified IP address or endpoint via syslog or HTTP/HTTPS.

Open the CLI.
Clone the script repository:
```
git clone https://github.com/t-rex-general/auditlog-integration.git
```
The script files will be saved to the auditlog-integration folder in the working directory.

6. Set up and run the script

Open the CLI.
Create a virtual environment:
```
python3 -m venv .venv
```
Activate the virtual environment:
```
source .venv/bin/activate
```
Go to the script folder:
```
cd auditlog-integration
```
Install the necessary dependencies:
```
pip3 install -r requirements.txt
```
Create an .env configuration file:
```
touch .env
```
Open the .env configuration file:
```
nano .env
```
Fill in the .env configuration file:

8.1 Add a block with parameters for authentication in the API of the Audit-Logs service:
```
AUDIT_LOGS_URL=<base_url>/v1/logs
USERNAME=<username>
PASSWORD=<password>
ACCOUNT_ID=<account_id>
```
Specify:
- <base_url> - URL to access the audit logs API in the required pool. You can see the list of URLs in the instructions List of URLs;
- <username> - the name of the service user you created in step 3;
- <password> - password of the service user. If the password contains the characters [ ] \ ^ $. |? * + () and escape them by putting a backslash in front of the character. \;
- <account_id> - account number, can be viewed in control panel in the upper right corner.
8.2 Add a block with parameters for sending events:
```
TRANSPORT_TYPE=syslog
SYSLOG_ENABLED=true
SYSLOG_HOST=<syslog_host>
SYSLOG_PORT=<syslog_port>
```
Specify:
- <syslog_host> - IP address of the SIEM system;
- <syslog_port> - SIEM system port.
8.3 Add a line with the API invocation interval:
```
POLL_INTERVAL=<poll_interval>
```
Specify <poll_interval> - interval of API call in seconds (default is 30).

8.4. Exit the save file by successively pressing Ctrl+X → Y → Enter.
Run the script:
```
python3 main.py
```

7. Set up audit-logs reception in RuSIEM

In the RuSIEM web-interface go to the Events → All Events section.
In the top pane, click Options.
Check the Search by Unparsed Events checkbox.
Click Save.
In the Filter Settings field, enter your Selectel account number and click . The account number can be viewed in the control panel in the upper right corner. The RuSIEM web interface will display events from the Audit Logs service.