
Syslog - Epic Hyperspace CEF

Device Details

Vendor: Epic Systems

Device Type: Electronic Healthcare Records

Supported Model Name/Number: N/A

Supported Software Version(s): Epic 2015-2017

Collection Method: Syslog

Configurable Log Output?: Yes

Log Source Type: Syslog – Epic Hyperspace CEF

Log Processing Policy: LogRhythm Default

Exceptions: N/A

Additional Information: N/A

Prerequisites

Two Epic Interconnect Custom Message Queues must be set up before syslog is configured. See the Epic User Auditing Guide for complete steps (page 48, Epic User Auditing Guide, Epic 2017).

Device Configuration Checklist

  1. In the Epic Hyperspace user interface, go to Epic System Definitions, Security, Auditing Options, SIEM Syslog Settings, and SIEM Syslog Configuration Options. Then complete the following:
    1. Enter SIEM Host (LogRhythm System Monitor) IP or Hostname.
    2. Enter SIEM Port (Usually port 514 for Syslog).
    3. Set Logging Format to CEF (Common Event Format).
    4. Set Syslog Ending Character to New Line “\n”.
    5. Set Check Application Layer Response to Disabled.
    6. Choose how to send record pointers to the SIEM.
      • Hash. SHA-256 Hash Value – Recommended, Default
      • Keep. Record Pointer as it appears in Epic
      • Delete. Record Pointers not sent
      Record pointers include patient, hospital account and provider records. Hashing or not passing through record pointers can be used as an additional layer of protection for potentially confidential record pointers. It is recommended to use the hash option to have visibility into the Epic environment and retain confidentiality.
    7. (Optional) Set which auditing events are sent to LogRhythm in case of too much traffic.
      1. Edit Events List.
      2. To disable undesired events, press T.
      3. To quit, press Q.
  2. Return to the SIEM Syslog Settings menu.
  3. Select SIEM Syslog and set to Enabled.
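
Once SIEM Syslog is enabled, the receiving side can confirm that traffic matches the settings above (CEF format, New Line ending character, hashed record pointers). The following Python check is an added example, not code from Epic or LogRhythm. It assumes the event type is carried in the CEF Device Event Class ID field, that hashed pointers arrive as hex-encoded SHA-256 digests, and that record pointers use the hypothetical extension keys patientPtr and providerPtr; the sample traffic is constructed.

```python
import hashlib
import re

# Subset of the event types this page lists as supported.
SUPPORTED = {"LOGIN", "FAILEDLOGIN", "SWITCHUSER", "AC_BREAK_THE_GLASS_ACCESS"}
# Assumption: hypothetical extension keys that carry record pointers.
POINTER_KEYS = ("patientPtr", "providerPtr")
SHA256_HEX = re.compile(r"[0-9a-fA-F]{64}")
HEADER = ("version", "vendor", "product", "device_version",
          "event_class_id", "name", "severity")

def split_frames(stream: bytes):
    """Split a received payload on the configured New Line ending character."""
    return [f.decode("utf-8", "replace") for f in stream.split(b"\n") if f.strip()]

def parse_cef(line: str):
    """Return (header dict, extension dict) for one CEF record."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header; check the Logging Format setting")
    # Split on pipes not preceded by a backslash; the 8th part is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)", parts[7]))
    return dict(zip(HEADER, parts[:7])), ext

def check(line: str):
    """List deviations from the checklist; an empty list means none found."""
    hdr, ext = parse_cef(line)
    findings = []
    if hdr["event_class_id"] not in SUPPORTED:
        findings.append("unexpected event type " + hdr["event_class_id"])
    for key in POINTER_KEYS:
        if key in ext and not SHA256_HEX.fullmatch(ext[key]):
            findings.append(key + " is not a SHA-256 hex digest")
    return findings

# Constructed sample traffic (not real Epic output): one hashed, one raw pointer.
_digest = hashlib.sha256(b"constructed-record-id").hexdigest().encode()
SAMPLE = (
    b"<134>Jan  1 00:00:00 epic-host CEF:0|Epic|Hyperspace|2017|LOGIN|LOGIN|4|"
    b"suser=jdoe patientPtr=" + _digest + b"\n"
    b"<134>Jan  1 00:00:01 epic-host CEF:0|Epic|Hyperspace|2017|FAILEDLOGIN|FAILEDLOGIN|4|"
    b"suser=jdoe patientPtr=Z1234567\n"
)

if __name__ == "__main__":
    for frame in split_frames(SAMPLE):
        print(check(frame))
```

A pointer finding on live traffic suggests the record pointer option is set to Keep rather than Hash.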

Currently Supported Events

Type

STARTUP

LOGIN

FAILEDLOGIN

E_FAILEDPASSWORDCHANGE

E_ADMINPASSWORDCHANGE

E_SELFPASSWORDCHANGE

CONTEXTCHANGE

SECURE

SWITCHUSER

AUTHENTICATION

NATIVE2FACTOR_BYPASS

PHI_CLIENT_FILE

EVENT_LOGGING_ENABLED

EVENT_LOGGING_DISABLED

EW_LOGIN

HKU_LOGIN

HKU_FAILED_LOGIN

CTO_LOGIN

CTO_FAILED_LOGIN

ROVER_LOGIN

ROVER_FAILED_LOGIN

E_HIDDEN_SOURCE_ACCESS_GRANTED

E_HIDDEN_SOURCE_ACCESS_DENIED

ARCHLOG

PUL_SEARCH_AUDIT

AC_BREAK_THE_GLASS_ACCESS

AC_BREAK_THE_GLASS_FAILED_ACCESS

AC_BREAK_THE_GLASS_INAPPROPRIATE_ATTEMPT

MASKED_DATA_DISPLAY

MASKED_DATA_PRINTING
