# On-premise SIEM ## How to send Trustelem logs to an on-premise SIEM? Here we'll explain how to connect Trustelem to a SIEM or an agent capable of receiving logs and hosted in your infrastructure. To begin with, it's important to know that Trustelem **sends new events every 30s**, and has a queuing system if an error is detected during transmission. Now, how to do the setup? ### 1/ Install Trustelem Connect. More information is available here: [LDAP-Radius - Trustelem Connect](https://trustelem-doc.wallix.com/books/trustelem-administration/page/ldap-radius-trustelem-connect) For this usecase, you don't need to add any applications to the Trustelem Service, just a connector capable of joining your infra. You can use an existing Trustelem ### 2/ Add or edit the config.ini file. In the folder where Trustelem Connect service is installed, edit or create the config.ini file. Add the following lines: ``` outgoing_allowed = "true" [targert.choose_a_name] addr = "The IP/FQDN of your SIEM" port = "The port of your SIEM" ``` Don't forget to change the name, the IP/FQDN, and the port! ### 3/ Restart Trustelem AD Connect ### 4/ On the Trustelem Service enable the logs sending * Under **Send logs**, choose the date from which you’ll get the logs. * Click **Add send logs tasks** * Click **enabled** * Under **Target name**, enter the name choose on the config.ini file * Under **format**, choose **JSON** (strongly recommended, as Trustelem logs are not properly designed for syslog) * Under **types of logs to send**, choose **ALL** or a specific type of logs * Click **Save** ### Debug #### Linux * Use the command ```nc -l -k VM_IP available_port``` to build a server able to receive and display the logs *For instance: nc -l -k 10.10.126.203 6812* * Provide the IP and the Port on the config.ini file and restart Trustelem Connect service * Verify if Trustelem is sending the logs #### Windows * [Download Nmap](https://nmap.org/download.html) and install it **with ncat checked** * Using Powershell, go on the Nmap folder ```cd C:\Program Files (x86)\Nmap\``` * Use the command ```.\ncat.exe -l -k --allow VM_IP available_port``` to build a server able to receive and display the logs *For instance: .\ncat.exe -l -k --allow 10.10.126.232 6812* * Provide the IP and the Port on the config.ini file and restart Trustelem Connect service * Verify if Trustelem is sending the logs