SIEM Integration
Connect Django NIS2 Shield to your Security Information and Event Management system.
Log Formats
Django NIS2 Shield supports two log formats:
JSON (Default)
Structured JSON, with each record carrying an HMAC signature so that a line edited or injected after the fact can be detected downstream. Best for Elasticsearch, Sumo Logic and Datadog.
from django_nis2_shield import Nis2JsonFormatter
CEF (Enterprise)
Common Event Format for enterprise SIEMs. Best for Splunk, QRadar, ArcSight.
from django_nis2_shield import Nis2CefFormatter
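The signature only helps if something on the collection path actually checks it. As an added example (not code from Django NIS2 Shield), the snippet below signs and verifies JSON audit records the way a log shipper or SIEM pre-processor could, so that a record altered on disk is rejected before it reaches the index. The field name `hmac`, the canonical form (compact JSON with sorted keys, signature field excluded) and the SHA-256 choice are assumptions for illustration; check the project's formatter for the real layout and key source.

```python
import hashlib
import hmac
import json

# Assumption for this example: the signature is a top-level "hmac" field holding
# HMAC-SHA256 over the compact, key-sorted JSON of every other field. The real
# formatter's field name and canonical form may differ.
SIG_FIELD = "hmac"


def _canonical(record: dict) -> bytes:
    body = {k: v for k, v in record.items() if k != SIG_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes) -> str:
    """Return one signed JSON log line for `record` (the input dict is not mutated)."""
    signed = dict(record)
    signed[SIG_FIELD] = hmac.new(key, _canonical(signed), hashlib.sha256).hexdigest()
    return json.dumps(signed, sort_keys=True, separators=(",", ":"))


def verify_record(record: dict, key: bytes) -> bool:
    """True only if the record carries a signature matching all of its other fields."""
    given = record.get(SIG_FIELD)
    if not isinstance(given, str):
        return False
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    # Constant-time comparison; encode so non-ASCII input cannot raise instead of failing.
    return hmac.compare_digest(expected.encode(), given.encode())


def load_line(line: str) -> dict:
    return json.loads(line)


def verify_line(line: str, key: bytes) -> bool:
    try:
        record = load_line(line)
    except ValueError:
        return False
    return isinstance(record, dict) and verify_record(record, key)


def filter_untrusted(lines, key: bytes):
    """Split a batch of lines into (verified, rejected) before handing them to the SIEM."""
    verified, rejected = [], []
    for line in lines:
        (verified if verify_line(line, key) else rejected).append(line)
    return verified, rejected


if __name__ == "__main__":
    # Constructed sample key and record; a real key comes from settings, never from code.
    key = b"constructed-example-key"
    line = sign_record({"who": {"user_id": 42}, "what": {"url": "/admin/"}, "result": {"status": 200}}, key)
    tampered = load_line(line)
    tampered["result"]["status"] = 403  # someone editing the file to hide a denied request
    print("original verifies:", verify_line(line, key))
    print("tampered verifies:", verify_record(tampered, key))
```

Run the check at the point where you still control the key and the file, for example in the Filebeat or rsyslog host before forwarding; once lines are in a shared index, an unsigned or re-signed record is indistinguishable from a genuine one unless the key was kept off that host.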
Elasticsearch
1. Get Index Mapping
from django_nis2_shield import get_elastic_mapping
mapping = get_elastic_mapping()
# Use this to create your index in Elasticsearch
2. Configure Filebeat
# filebeat.yml
# The `log` input is deprecated in Filebeat 8 in favour of `filestream` with an
# `ndjson` parser, but it still works and is shown here for brevity.
filebeat.inputs:
  - type: log
    paths:
      - /var/log/django_nis2.json
    json.keys_under_root: true
    json.add_error_key: true
# A custom index name requires a matching template name/pattern, or Filebeat
# refuses to start; load the mapping from get_elastic_mapping() into that template.
setup.template.name: "nis2-audit"
setup.template.pattern: "nis2-audit-*"
output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "nis2-audit-%{+yyyy.MM.dd}"
3. Use Docker Stack (Optional)
We include a ready-to-use Docker setup:
cd dashboard
docker compose up -d
# Kibana: http://localhost:5601
# Grafana: http://localhost:3000
Splunk
1. Enable CEF Format
# settings.py
from django_nis2_shield.cef_formatter import get_cef_logging_config
LOGGING = get_cef_logging_config('/var/log/django_nis2.cef')
2. Get Splunk props.conf
from django_nis2_shield import get_splunk_props
print(get_splunk_props())
# Add to $SPLUNK_HOME/etc/system/local/props.conf
3. Configure Data Input
# inputs.conf
[monitor:///var/log/django_nis2.cef]
sourcetype = django_nis2_shield
index = security
IBM QRadar
1. Get DSM Configuration
from django_nis2_shield import get_qradar_dsm
config = get_qradar_dsm()
print(config)
# Returns:
# {
# 'log_source_type': 'Universal DSM',
# 'format': 'CEF',
# 'event_mappings': {...}
# }
2. Configure Log Source
- Go to Admin → Log Sources
- Add a Universal DSM log source
- Set the protocol to Syslog
- Point it at the host that will forward the CEF file (step 3)
3. Forward Logs via Syslog
# /etc/rsyslog.d/nis2.conf (legacy directive syntax, still accepted by rsyslog)
$ModLoad imfile
$InputFileName /var/log/django_nis2.cef
$InputFileTag nis2shield:
$InputFileStateFile stat-nis2
$InputFileSeverity info
$InputRunFileMonitor
# Forward only the lines tagged by imfile; a bare "*.*" would ship every local
# syslog message to QRadar as well. "@@" is TCP (a single "@" is UDP). Both are
# plaintext: for production, protect the hop with rsyslog's gtls driver or a
# mutually authenticated tunnel so the audit trail cannot be read or altered in transit.
:syslogtag, startswith, "nis2shield" @@qradar.example.com:514
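Both the Splunk and QRadar paths above consume the same CEF file, so it is worth being able to check offline that what the formatter writes parses the way those products will parse it. The following is an added example, not part of Django NIS2 Shield: a small CEF parser that honours the format's escaping rules (`\|` and `\\` in the seven header fields; `\=`, `\\`, `\n` and `\r` in extension values), run over constructed sample lines. The vendor, product, signature IDs and extension keys in those lines are invented for the example and are not the project's real output.

```python
import re
from collections import Counter

# Constructed sample lines (not real Django NIS2 Shield output) exercising an
# escaped '|' in the Name header field and an escaped '=' in an extension value.
SAMPLE_CEF = [
    r"CEF:0|Example|Django NIS2 Shield|1.0|AUTH_FAIL|Login failed \| bad password|7|"
    r"src=203.0.113.7 suser=alice request=/admin/login/?next\=/admin/ msg=Password mismatch",
    r"CEF:0|Example|Django NIS2 Shield|1.0|HTTP_403|Forbidden|5|"
    r"src=198.51.100.9 suser=bob request=/api/secrets/ msg=Permission denied",
    r"CEF:0|Example|Django NIS2 Shield|1.0|AUTH_FAIL|Login failed|7|"
    r"src=203.0.113.7 suser=alice request=/admin/login/ msg=Password mismatch",
]

HEADER_NAMES = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# In a valid extension an unescaped '=' only ever ends a key, and keys follow whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_VALUE_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text):
    return re.sub(r"\\(.)", lambda m: _VALUE_ESCAPES.get(m.group(1), m.group(1)), text)


def _split_header(line):
    """Return the seven header fields with escapes resolved, plus the raw extension string."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # \| and \\ inside a header field
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            if len(fields) == 7:
                return fields, line[i:]
            continue
        buf.append(ch)
        i += 1
    raise ValueError("CEF header needs seven '|'-separated fields")


def _parse_extension(ext):
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for match, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[match.group(1)] = _unescape(ext[match.end():end].rstrip())
    return out


def parse_cef(line):
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    rec = dict(zip(HEADER_NAMES, fields))
    rec["version"] = int(fields[0][4:])
    # Severity is 0-10 in practice; CEF also allows words like "High", kept as-is.
    rec["severity"] = int(rec["severity"]) if rec["severity"].isdigit() else rec["severity"]
    rec["extension"] = _parse_extension(ext)
    return rec


def check_cef_lines(lines):
    """Parse every line; return (records, errors) so a bad formatter change is caught before shipping."""
    records, errors = [], []
    for n, line in enumerate(lines, 1):
        try:
            records.append(parse_cef(line))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return records, errors


def count_by_signature(records):
    """Events per (signature_id, source IP): the grouping a first SIEM dashboard would show."""
    return dict(Counter((r["signature_id"], r["extension"].get("src")) for r in records))


if __name__ == "__main__":
    records, errors = check_cef_lines(SAMPLE_CEF)
    print("parse errors:", errors)
    print(count_by_signature(records))
```

Running this over a day of `/var/log/django_nis2.cef` on the Django host is a cheap regression test after upgrading the package: if `errors` is non-empty, Splunk's sourcetype extraction and QRadar's Universal DSM mapping will silently degrade on the same lines.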
Graylog
1. Get GELF Configuration
from django_nis2_shield import get_graylog_gelf_config
config = get_graylog_gelf_config()
# GELF level mapping:
# DEBUG=7, INFO=6, WARNING=4, ERROR=3, CRITICAL=2
2. Install GELF Handler
pip install pygelf
3. Configure Logging
# settings.py
LOGGING = {
    'version': 1,
    'handlers': {
        'graylog': {
            # GELF over UDP is unencrypted, unauthenticated and unacknowledged
            # (oversized events are chunked with no delivery guarantee). For
            # production prefer 'pygelf.GelfTlsHandler' with validate=True and
            # ca_certs, so the audit trail cannot be read, dropped or forged on the wire.
            'class': 'pygelf.GelfUdpHandler',
            'host': 'graylog.example.com',
            'port': 12201,
            # Underscore-prefixed keys are sent by pygelf as GELF additional fields.
            '_application': 'django-nis2-shield',
        },
    },
    'loggers': {
        'django_nis2_shield': {
            'handlers': ['graylog'],
            'level': 'INFO',
        },
    },
}
Sumo Logic
1. Get Configuration
from django_nis2_shield import get_sumologic_config
config = get_sumologic_config()
# Includes:
# - source_category
# - field_extraction_query
# - dashboard_query_examples
2. Example Dashboard Queries
-- Requests by Status
_sourceCategory=nis2/audit
| json auto
| timeslice 1m
| count by _timeslice, log.result.status
-- Top Users
_sourceCategory=nis2/audit
| json auto
| count by log.who.user_id
| top 10 log.who.user_id by _count
-- Security Events
_sourceCategory=nis2/audit
| json auto
| where log.result.status >= 400
| count by log.what.url
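To sanity-check those queries before the dashboards exist, the same aggregations can be run offline over a sample of the JSON log file. The block below is an added example (not project code) that mirrors the three queries above in plain Python and adds one simple alert rule on top. The record layout (`who.user_id`, `what.url`, `result.status`) is taken from the query field names; the `when` timestamp field name and the sample lines themselves are constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample lines in the shape the queries expect (who/what/result nesting);
# the "when" field name is an assumption, not necessarily the formatter's real one.
SAMPLE_LINES = [
    '{"when":"2024-05-01T10:00:05Z","who":{"user_id":1},"what":{"url":"/api/orders/"},"result":{"status":200}}',
    '{"when":"2024-05-01T10:00:40Z","who":{"user_id":2},"what":{"url":"/admin/"},"result":{"status":403}}',
    '{"when":"2024-05-01T10:01:02Z","who":{"user_id":2},"what":{"url":"/admin/"},"result":{"status":403}}',
    '{"when":"2024-05-01T10:01:30Z","who":{"user_id":1},"what":{"url":"/api/orders/"},"result":{"status":200}}',
    '{"when":"2024-05-01T10:01:45Z","who":{"user_id":3},"what":{"url":"/api/secrets/"},"result":{"status":401}}',
]


def load_records(lines):
    return [json.loads(line) for line in lines]


def requests_by_status(records):
    """'Requests by Status': count per (one-minute slice, status), like `timeslice 1m`."""
    counts = Counter()
    for r in records:
        ts = datetime.strptime(r["when"], "%Y-%m-%dT%H:%M:%SZ").replace(second=0)
        counts[(ts.strftime("%H:%M"), r["result"]["status"])] += 1
    return dict(counts)


def top_users(records, n=10):
    """'Top Users': most active user_ids, like `top 10 ... by _count`."""
    return Counter(r["who"]["user_id"] for r in records).most_common(n)


def security_events(records):
    """'Security Events': status >= 400 counted by URL."""
    return dict(Counter(r["what"]["url"] for r in records if r["result"]["status"] >= 400))


def repeat_offenders(records, threshold=2):
    """Users with at least `threshold` denied requests (401/403): a first alert candidate."""
    denied = Counter(r["who"]["user_id"] for r in records if r["result"]["status"] in (401, 403))
    return {user for user, count in denied.items() if count >= threshold}


if __name__ == "__main__":
    recs = load_records(SAMPLE_LINES)
    print(requests_by_status(recs))
    print(top_users(recs))
    print(security_events(recs))
    print(repeat_offenders(recs))
```

If the Python results and the Sumo Logic results disagree on the same file, the usual cause is the `json auto` field path (whether the record is nested under a `log` key or not), which is exactly what you want to find before an alert depends on it.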
Datadog
1. Get Configuration
from django_nis2_shield import get_datadog_config
config = get_datadog_config()
# Returns log processing rules for:
# - IP → network.client.ip
# - user_id → usr.id
# - status → http.status_code
2. Configure Datadog Agent
# /etc/datadog-agent/conf.d/django_nis2.d/conf.yaml
logs:
  - type: file
    path: /var/log/django_nis2.json
    service: django-nis2-shield
    source: django
    tags:
      - env:production
      - compliance:nis2
Real-time Alerting with Webhooks
In addition to SIEM integration, you can receive real-time alerts for security events.
Supported targets:
- Slack
- Microsoft Teams
- Discord
See Configuration → Webhooks for setup instructions.