Retrieve your Incapsula access and event logs from the Incapsula cloud repository and archive or push these events into your SIEM solution.
Incapsula creates the following comprehensive and detailed logs:
- Security logs provide a detailed alert for each suspicious event detected by the Incapsula proxy, across its globally distributed network, while it protects your sites. All logs include the account ID and site ID references, which enables drill-down into each individual customer or site.
- Access logs record every request and response exchanged between your customers and the Incapsula proxy. This is all the traffic that would otherwise have been sent between end users and your origin server, including traffic that Incapsula served from its cache.
Incapsula supports CEF, LEEF, and W3C log formats and provides near real-time event reporting of in-depth event information, such as attacker geo-location and client application signature.
Log integration modes
Incapsula provides several modes of log integration:
- Retrieve (Pull mode): Log integration API. Your logs are saved in a dedicated repository created for you in the Incapsula cloud. Incapsula enables you to upload a public key to encrypt your log files, activate Incapsula log collection, change the logging level, and download log files from the Incapsula storage repository to your network.
  - Log storage: Logs are aggregated at the Incapsula log repository and are kept for up to 48 hours. The system uses a cyclic override process in which the first written file is the first to be deleted, to leave space for a new log file.
  - Log index file: Incapsula provides a log index file that lists the log files generated for you and available to download. The index file is not modified based on which log files have already been downloaded; it always contains the full list of available log files at any given moment.
- Receive (Push mode): Automatic log integration via SFTP or Amazon S3. Your logs are pushed upon creation to your pre-defined repository, an AWS S3 bucket or an SFTP folder. Logs are automatically transferred from the Incapsula cloud repository to your repository. No log data is stored in Incapsula at any time.
You can choose to implement log encryption for Incapsula logs. Logs are encrypted with a public-private key pair that you generate, to help safeguard the privacy of your data while it is stored in the Incapsula cloud repository. Encryption is done automatically at the Incapsula cloud repository; you decrypt the log files after download.
If you use the receive (push) option for log integration, the best-practice recommendation is not to use encryption: because the logs are not written to the Incapsula cloud repository, the risk of log exposure is minimal.
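In pull mode the index file is the only source of truth and it never records what you have already fetched, so your collector must keep that state itself and must notice when a file ages out of the 48-hour window before it was collected. The helper below is an added example, not Incapsula's sample script; it assumes the index is plain text with one log file name per line, and the file names are constructed.

```python
"""Plan Incapsula pull-mode downloads from the log index file.

Added example, not Incapsula's sample script. It encodes two facts from
the text: the index always lists every currently available file and is
not changed by your downloads, and files age out of the repository after
about 48 hours (oldest deleted first). Assumption: the index is plain
text with one log file name per line; the names below are constructed.
"""
from dataclasses import dataclass, field

@dataclass
class PullState:
    """Persist this between polls (e.g. as JSON) so downloads are not repeated."""
    seen: set = field(default_factory=set)        # names listed in the last index
    downloaded: set = field(default_factory=set)  # names fetched successfully
    lost: list = field(default_factory=list)      # aged out before being fetched

def parse_index(index_text: str) -> list:
    """Return log file names in index order (assumed one-name-per-line format)."""
    return [line.strip() for line in index_text.splitlines() if line.strip()]

def plan_downloads(index_text: str, state: PullState) -> list:
    """Reconcile state with a freshly fetched index and return files still to fetch.

    Files listed in a previous index but absent now were removed by the cyclic
    retention; if one was never downloaded, record it as lost so the gap in
    SIEM coverage is visible rather than silent.
    """
    available = parse_index(index_text)
    avail_set = set(available)
    for name in sorted(state.seen - avail_set):
        if name not in state.downloaded:
            state.lost.append(name)
    state.seen = avail_set
    state.downloaded &= avail_set        # forget files that can no longer appear
    return [name for name in available if name not in state.downloaded]

def mark_downloaded(state: PullState, name: str) -> None:
    """Call after a file is fetched (and decrypted, if encryption is enabled)."""
    state.downloaded.add(name)

if __name__ == "__main__":
    state = PullState()
    print(plan_downloads("1001_1.log\n1001_2.log\n", state))  # constructed index
    mark_downloaded(state, "1001_1.log")
    print(plan_downloads("1001_2.log\n1001_3.log\n", state))  # 1001_1 aged out, fine
    print(plan_downloads("1001_3.log\n1001_4.log\n", state), state.lost)
```

Wire the returned list into your download-and-decrypt loop and alert on a non-empty `lost` list, since each entry is a log file that can no longer be recovered from the Incapsula repository.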
Pre-defined Incapsula SIEM packages
Incapsula provides predefined SIEM application packages that automate the loading of events from the Incapsula cloud into your SIEM. These packages come ready-made to parse and display each Incapsula log event in your SIEM dashboard, to facilitate reporting automation, prioritized mitigation, and general event handling.
Packages are available for:
- HPE ArcSight (Express/ESM)
- McAfee Enterprise Security Manager
- Sumo Logic
Several additional platforms provide SIEM integrations with Incapsula:
- IBM QRadar
- AlienVault USM Anywhere
If you choose the retrieve mode to access the logs, a sample Python script and configuration file are available for download to assist you with the process. Incapsula does not maintain this script; it is hosted on GitHub and managed by the open source community.
For additional information please refer to Link