Share XDR data with your syslog server by configuring the generic syslog connector.

The syslog connector is a generic SIEM connector, which allows you to send XDR data to your on-premises syslog server. The connector supports multiple syslog server connections.
Note
Each Service Gateway appliance supports configuration with one syslog server. To enable multiple syslog server connections, deploy multiple Service Gateway appliances.
For syslog CEF mapping, see Syslog content mapping - CEF.
Category: SIEM
Vendor: Not applicable
Associated Apps:
  • Workbench
  • Observed Attack Techniques
  • Audit Logs

Procedure

  1. Go to Workflow and Automation > Third-Party Integration.
  2. Click Syslog Connector (On-premises).
  3. In the Syslog Connector (On-premises) screen, enable Syslog Connector (On-premises).
  4. Select the data to send to your syslog server(s).
    • Workbench alerts
    • Observed Attack Techniques
      If you select this data type, you can select one or more of the following event severity levels:
      • Critical
      • High
      • Medium
    • Audit logs
      If you select this data type, you can select one or more of the following log types:
      • Account
      • System
    Note
    You must select at least one data type.
  5. Click Connect Syslog Server.
  6. In the Syslog Server Connection panel, configure the following settings.
    • Server address: Specify the IP address or FQDN for your syslog server.
    • Syslog format: Select the syslog format.
      Note
      Syslog Connector (On-premises) currently only supports Common Event Format (CEF).
    • Protocol: Select the connection protocol.
    • Port: Specify the port. Default port settings:
      • SSL/TLS: 6514
      • TCP: 601
      • UDP: 514
    • Security Vendor: (Optional) Specify the name of the SIEM vendor.
  7. (Optional) Select Use CA certificate to upload a CA certificate to use when connecting to the syslog server.
  8. (Optional) If your syslog server requires authenticated connections, select Server requires client authentication to upload the client certificate and specify the passphrase.
  9. (Optional) Select Include Company ID in each raw log.
  10. Select a Service Gateway appliance with the Syslog Connector service installed from the Service Gateway drop-down list.
  11. Click Test Connection to perform a connection test and verify settings.
  12. Click Connect to test and save your connection settings.
  13. In the Syslog Connector (On-premises) screen, click Save.
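As an added example (not from Trend Micro's documentation or product), here is a matching rsyslog receiver for the settings in steps 6 through 8: a listener on the default SSL/TLS port 6514 that verifies the Service Gateway's client certificate. It assumes rsyslog 8 with the rsyslog-gnutls driver installed; the certificate paths, log file path and permitted peer name are placeholders.

```conf
# Receiving side for the connector above. Requires rsyslog 8 with the
# rsyslog-gnutls package. All paths and the peer name are placeholders.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"            # the CA uploaded under "Use CA certificate"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/server-cert.pem" # this syslog server's own certificate
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server-key.pem"
)

# TLS listener on the connector's SSL/TLS default port (6514).
# AuthMode x509/name rejects any client whose certificate was not issued by the
# CA above or whose subject does not match PermittedPeer; this is what the
# connector's "Server requires client authentication" option pairs with.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"                   # 1 = TLS only, plaintext connections refused
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["service-gateway.example.internal"])  # placeholder: CN/SAN in the client certificate

# Store each CEF line unchanged; the field mapping is documented separately
# in "Syslog content mapping - CEF", so nothing is re-parsed here.
template(name="XdrCefRaw" type="string" string="%rawmsg%\n")

ruleset(name="xdr_cef") {
  action(type="omfile" file="/var/log/xdr-cef.log" template="XdrCefRaw")
}

input(type="imtcp" port="6514" ruleset="xdr_cef")

# Deliberately not enabled: the UDP/514 option from the same settings table.
# UDP syslog is plaintext, unauthenticated and unacknowledged, so alerts could be
# read, spoofed or silently dropped in transit.
# module(load="imudp")
# input(type="imudp" port="514" ruleset="xdr_cef")
```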