The tags beginning with vuln.beyondtrust identify log events generated by BeyondTrust Vulnerability Management and Password Safe.

Tag structure

The full vuln.beyondtrust tags have just three levels. The first two are fixed as vuln.beyondtrust. The third level identifies the event log type and must be one of appaudit, pbps, or retina.

Technology	Brand	Type
vuln	beyondtrust	appaudit pbps retina

Therefore, the valid tags include:

vuln.beyondtrust.appaudit
vuln.beyondtrust.pbps
vuln.beyondtrust.retina

When the events are delivered to Devo, they will be accessible in the Finder in tables of the same names.

For more information, read more about Devo tags.

Configure BeyondTrust event forwarding

In BeyondTrust solutions, you can set up a connector that enables syslog event forwarding. The events should be directed to a Devo relay where a relay rule applies the correct tag, then forwards the events securely to your Devo domain.

For information about setting up syslog event forwarding, see the BeyondInsight and Password Safe Third-Party Integration Guide.

Set up the Devo relay rule

You will need to set up just one rule that can correctly identify the event type and apply the correct Devo tag. These will be type-4 rules that apply a dynamic tag based upon specific data contained in the inbound event.

In this example we're using port 13007, but you should use the port on your relay that you specified when you set up the remote syslog server in BeyondTrust.

Source Port → 13007
Source Data → Agent ID: ([^ ]+)
Target Tag → vuln.beyondtrust.\\D1
Select the Stop Processing checkbox

Click Add Rule.

Within a few minutes, the new tables should appear in your Finder.

Related articles

Browser not supported