Digital Arts i-Filter
This guide describes the steps required to configure Digital Arts i-Filter to send events to a Samurai Local Collector deployed in your environment.
Product Version Requirements
i-Filter must be at least the following version:
- i-Filter for Linux v.10
Connectivity Requirements
| Source | Destination | Ports | Description |
|---|---|---|---|
| i-Filter | Samurai local collector | TCP/514 | For log transmission |
i-Filter Access Log Settings
Follow the steps outlined within each section below:
Access Log Settings
Log in to the i-Filter management console
Go to System / Log / Access Log Settings
Configure the parameters below:
- Set Format Setting to Detailed Mode
- Specify Format as indicated in the table below.
| Output Order | Field Name | Field Content |
|---|---|---|
| 1 | output_log_date | Access log output date and time |
| 2 | process_id | Process number |
| 3 | product | Product |
| 4 | vendor | Vendor |
| 5 | ifilter_version | i-Filter version |
| 6 | realy_proxyip | Upper proxy server IP address |
| 7 | public_ip | Source IP address |
| 8 | src_ip | Client |
| 9 | hostname | Computer name |
| 10 | access_date | Access start date and time |
| 11 | status | HTTP response code |
| 12 | bytes_in | HTTP response size |
| 13 | bytes_out | HTTP request size |
| 14 | filter_action | Filter action |
| 15 | r_id | Rule object ID |
| 16 | virus_name | Virus name |
| 17 | ssl_parameter | SSL parameter encryption presence |
| 18 | post_info | File information at the time of POST |
| 19 | http_method | HTTP method |
| 20 | http_version | HTTP version |
| 21 | http_referer | HTTP referrer |
| 22 | http_user_agent | HTTP user agent |
| 23 | http_content_type_raw | HTTP content type |
| 24 | dest_ip | Destination IP address |
| 25 | dest_port | Destination port number |
| 26 | src_port | Source port number |
| 27 | client_port | Client port number |
| 28 | dest_host | Destination host name |
| 29 | user | Authentication user name (non-encoded) |
| 30 | group_name | Group name (non-encoded) |
| 31 | url | URL (non-encoded) |
| 32 | ss_time | Session time |
| 33 | au_status | Authentication status |
| 34 | filter_reason | Filter reason (non-encoded) |
| 35 | url_category_list | URL category list name (non-encoded) |
| 36 | web_service_name | Web service name (non-encoded) |
| 37 | http_response | HTTP response code (upper) |
| 38 | checksum | Checksum |
Log Output Settings
The log format must be set as follows. In this document it is displayed with line breaks, but in reality it is a single line:

```
output_log_date="%ltl",process_id="%pid",product="ifilter",vendor="DigitalArts",ifilter_version="%vr"
,realy_proxyip="%pp",public_ip="%sip",src_ip="%>a",hostname="%>A",access_date="%tl",status="%hst",
bytes_in="%<st",bytes_out="%>st",filter_action="%bk",r_id="%rid",virus_name="%vi",ssl_parameter="%en"
,post_info="%pl",http_method="%rm",http_version="%rv",http_referer="%hrf",http_user_agent="%hua",
http_content_type_raw="%mt",dest_ip="%dip",dest_port="%dpt",src_port="%spt",client_port="%cpt",
dest_host="%hnm",user="%Dul",group_name="%Dgn",url="%Dru",ss_time="%Tss",au_status="%Aus",
filter_reason="%DFR",url_category_list="%DCT",web_service_name="%DWID",http_response="%hrst",checksum="%ccs"
```
Access Log Transfer Settings
From the i-Filter management console
Go to System / Log / Access Log Transfer Settings
Configure the parameters below:
- Enable the Access Log Transfer Function
- Set the Maximum Size per Line to 64 KB
Access Log Transfer Server Settings
From the i-Filter management console
Go to System / Log / Access Log Transfer Server Settings
Configure the parameters below:
- Enable the Effective Setting
- Specify the target set in Access Log Transfer Settings for Access Log Settings
- Set the Address to the IP address of the Samurai Local Collector deployed on your network
- Set the Port Number to 514
- Set the Transfer Protocol to TCP
- Set the Transfer Format to syslog format
For integrations that utilize a Local Collector where we ingest syslog only, you do not need to follow specific steps in the SamurAI MDR portal as we auto detect the vendor and product. The only reason you need to use the SamurAI MDR portal is if you need to determine the Local Collector IP address. Of course you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the SamurAI MDR Portal and we shall get it updated.