iWelcome supports two mechanisms to make events available to clients' systems:
- Syslog Event Publisher
- Event Report generation
Events can be pushed to an external Syslog server or the Syslog compatible endpoint of a SIEM (Security Information and Event Management) solution. That server would be running locally on the customer's side and can aggregate events from different sources, one of which can be iWelcome. The events that are exported through the Syslog Event Publisher are the same events that are used to populate the timelines that are part of the Self-Service UI and the Service Desk UI. These timelines may, however, filter on the event categories and event data. The Syslog Event Publisher applies no such filtering. This allows the external Syslog server or SIEM server to do analysis and reporting on a maximum set of information.
iWelcome uses the Syslog protocol to push its events to a Syslog server. The characteristics of this integration are:
- Events are exported ('pushed') using the Syslog protocol over TCP (Transmission Control Protocol), UDP (User Datagram Protocol) or SSL/TCP.
- Events are exported in a JSON format (as specified by RFC 8259).
NOTE: The format as specified by Syslog RFC 5424 is not supported.
- A VPN connection needs to be set up between the iWelcome environment and the customer's network the Syslog server is running on.
- The events contain personal information, and this data is not encrypted. Appropriate security measures must be taken by the customer to protect the users' privacy.
- To set up the Syslog feed, iWelcome needs to know the target Syslog server IP address, the port number and whether it should use TCP or UDP (UDP being the default setting for Syslog in general). The routing should then also be adjusted so that communication between iWelcome and the Syslog server goes via the VPN.
Events can be published as JSON files. iWelcome generates a file daily containing the events of the previous day. The files can be accessed through a URL (e.g. '/files') which requires a username and a password. The files, which are encrypted, require an additional password for unzipping. The exported lists of event types and event attributes can be configured.
About the events:
- iWelcome supports a range of events in various event categories. The event categories reflect a functional breakdown of iWelcome's functionality (the description of these functional areas can be found in the glossary).
- Every event has different event attributes (event data) depending on the event type.
- The presence of event attributes may also depend on the context in which the event was generated. Different events of the same event type may differ regarding the availability of event attributes.
- Different event types share event attributes, so events can be queried or filtered in the external Syslog server by matching event attribute values. The most common example is filtering on userId, but filtering on IP address is also possible.
- JSON may contain 'null' values. Future versions of iWelcome will probably omit event attributes if no value is available. For compatibility reasons, iWelcome advises not to make any processing logic depend on the presence of attributes having a 'null' value.
- Future releases of iWelcome may introduce new events and new event (sub)attributes. Any processing of iWelcome's events should anticipate such changes in order to be forward compatible. iWelcome considers the introduction of these additional items as being 'backwards compatible'.
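A consumer on the Syslog or SIEM side can follow the last two points by treating a 'null' attribute and an absent attribute identically and by keeping attributes it does not recognise. The sketch below is an added example, not iWelcome code: only `userId` is named on this page, while `eventType`, `ipAddress`, the other attribute names and the sample lines are constructed assumptions, as is the handling of any framing in front of the JSON object.

```python
import json

# Constructed sample messages; all attribute names except userId are assumptions.
SAMPLE = [
    '{"eventType": "login", "userId": "u-1001", "ipAddress": "192.0.2.10", "device": null}',
    'hdr {"eventType": "login", "userId": "u-1001", "ipAddress": "192.0.2.10"}',
    '{"eventType": "update", "userId": "u-2002", "ipAddress": null, "newAttr": {"sub": 1, "x": null}}',
    '{"eventType": "login", "userId":',   # truncated message
    'not json at all',
]


def strip_nulls(value):
    """Remove null-valued (sub)attributes so 'null' and 'absent' look the same."""
    if isinstance(value, dict):
        return {k: strip_nulls(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [strip_nulls(v) for v in value]
    return value


def parse_event(line):
    """Return the event as a dict, or None if the message holds no usable JSON.

    Assumption: any transport framing precedes the JSON object, so parsing
    starts at the first '{'.
    """
    start = line.find("{")
    if start < 0:
        return None
    try:
        raw, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    # Unknown attributes are kept rather than rejected (forward compatibility).
    return strip_nulls(raw)


def filter_events(lines, **criteria):
    """Yield events whose attributes equal every given criterion, e.g. userId."""
    for line in lines:
        event = parse_event(line)
        if event is not None and all(event.get(k) == v for k, v in criteria.items()):
            yield event


if __name__ == "__main__":
    for ev in filter_events(SAMPLE, userId="u-1001"):
        print(ev["eventType"], ev.get("ipAddress"))
```

Because the events carry unencrypted personal information, a consumer like this should write its output only to storage that is protected as strictly as the Syslog server itself.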