Syslogs
A syslog server is a common log collector that accepts messages in the standard syslog format. Each syslog message carries a facility, a severity and a message body. Almost any SIEM can accept syslog-formatted messages, although most SIEMs also support other message formats. Multicloud Defense supports sending security events and traffic logs to a syslog server. The following is the list of events and logs that are forwarded:
- Flow Logs (Traffic Summary)
- Firewall Events (AppID, L4FW, GeoIP, MaliciousIP, SNI)
- HTTPS Logs (HTTP, TLS)
- Network Threats (AV, DLP, IDS/IPS)
- Web Protection (WAF, L7 DoS)
At this time this list of included events and logs is mandatory and cannot be altered. If you configure syslogs to be forwarded, all of these logs are included in the report.
Note: Flow logs are deprecated in gateway version 2.10 and later releases. The information contained within each flow log is made available as part of the session information available in .
Events can be forwarded to a syslog server using a log forwarding profile. Once created, the profile must be associated with a new or existing gateway before events are sent to the syslog server. To create, modify or change the gateway association of a log forwarding profile, refer to Log Forwarding - Security Events and Traffic Logs.
Profile Parameters
| Parameter | Requirement | Default | Description |
|---|---|---|---|
| Profile Name | Required | | A unique name used to reference the profile. |
| Description | Optional | | A description for the profile. |
| SIEM Vendor | Required | Syslog | The SIEM used for the profile. |
| Server IP | Required | | The IP address of the syslog server. |
| Protocol | Required | UDP | The protocol to use when sending messages (TCP / UDP). |
| Port | Required | | The port to use when sending messages. |
| Format | Required | IETF | The format of the messages (only IETF is supported). |
| Flow Logs | Required | No | Whether to send flow logs (Yes / No). |
| Firewall Events | Required | No | Whether to send firewall events (Yes / No). |
| HTTPS Logs | Required | No | Whether to send HTTPS logs (Yes / No). |
| Network Threats | Required | Emergency | The lowest severity level of network threats to send. |
| Web Attacks | Required | Emergency | The lowest severity level of web attacks to send. |
Note: The following severity levels (highest to lowest) are available:
- Emergency
- Alert
- Critical
- Error
- Warning
- Notice
- Info
- Debug
All events in the category whose severity is the specified level or higher are sent to the syslog server; events of lower severity are not forwarded.
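The two points above that matter on the receiving side are the message layout (facility, severity and message, carried in the IETF format the profile emits) and the threshold semantics ("the specified level or higher", where Emergency is the highest). The following script is an added example, not code from Multicloud Defense or the product documentation: it parses RFC 5424 (IETF) syslog lines, decodes facility and severity from the PRI field, and applies a severity threshold with the same semantics as the Network Threats and Web Attacks parameters. The sample messages, the `mcd-*` app names and the structured-data element are constructed for illustration and do not reflect the product's actual message content.

```python
import re
from dataclasses import dataclass
from typing import List

# Severity names in RFC 5424 numeric order: code 0 (Emergency) is the highest severity.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Info", "Debug"]

# Facility names for codes 0-23. Codes 12-15 vary by implementation; the names
# used here are an assumption for display purposes only.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP [SD] [SP MSG]
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    severity_code: int
    timestamp: str
    hostname: str
    app_name: str
    msgid: str
    structured_data: str
    message: str


def _split_structured_data(rest: str):
    """Separate the STRUCTURED-DATA part ("-" or one or more [...] elements) from MSG."""
    if rest.startswith("-"):
        return "-", rest[1:].lstrip(" ")
    i = 0
    while i < len(rest) and rest[i] == "[":
        j = rest.find("]", i)
        # A "]" inside a parameter value is escaped as "\]" and does not close the element.
        while j != -1 and rest[j - 1] == "\\":
            j = rest.find("]", j + 1)
        if j == -1:
            raise ValueError("unterminated structured data element")
        i = j + 1
    return rest[:i], rest[i:].lstrip(" ")


def parse_ietf_syslog(line: str) -> SyslogMessage:
    """Parse one RFC 5424 line; raises ValueError on anything that is not one."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog message")
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError("PRI value out of range")
    facility_code, severity_code = divmod(pri, 8)
    sd, msg = _split_structured_data(m.group("rest"))
    return SyslogMessage(
        facility=FACILITIES[facility_code],
        severity=SEVERITIES[severity_code],
        severity_code=severity_code,
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        app_name=m.group("app"),
        msgid=m.group("msgid"),
        structured_data=sd,
        message=msg,
    )


def severity_at_least(msg: SyslogMessage, threshold: str) -> bool:
    """True if msg is at the threshold severity or higher (a lower numeric code)."""
    return msg.severity_code <= SEVERITIES.index(threshold)


def forward_filter(lines: List[str], threshold: str) -> List[SyslogMessage]:
    """Keep parseable messages at or above the threshold; skip lines that are not RFC 5424."""
    kept = []
    for line in lines:
        try:
            msg = parse_ietf_syslog(line)
        except ValueError:
            continue
        if severity_at_least(msg, threshold):
            kept.append(msg)
    return kept


# Constructed sample input: PRI = facility * 8 + severity, facility local0 = 16.
SAMPLE_MESSAGES = [
    '<130>1 2024-05-01T12:00:00Z gw-1 mcd-ids - IDS [mcd@0 sig="sample"] constructed IDS alert',  # Critical
    "<132>1 2024-05-01T12:00:01Z gw-1 mcd-waf - WAF - constructed WAF warning",                   # Warning
    "<134>1 2024-05-01T12:00:02Z gw-1 mcd-flow - FLOW - constructed flow summary",                # Info
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for threshold in ("Emergency", "Error", "Debug"):
        kept = forward_filter(SAMPLE_MESSAGES, threshold)
        print(f"threshold={threshold}: {[f'{m.app_name}/{m.severity}' for m in kept]}")
```

Running the script shows that a threshold of Emergency forwards nothing from the sample set, Error forwards only the Critical IDS line, and Debug forwards all three well-formed lines; the malformed line is dropped by the parser rather than passed through, which is the behaviour you want before the data reaches a SIEM rule.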