Log Forwarding - Syslog

Overview

A Syslog Server is a common log collector that accepts messages in the standard Syslog format. Each Syslog message carries a Facility, a Severity and a Message. Almost any SIEM can accept Syslog-formatted messages, although most SIEMs also support other message formats. Valtix supports sending Security Events and Traffic Logs to a Syslog Server. The following Events/Logs can be forwarded:

  • Flow Logs (Traffic Summary)
  • Firewall Events (AppID, L4FW, GeoIP, MaliciousIP, SNI)
  • HTTPS Logs (HTTP, TLS)
  • Network Threats (AV, DLP, IDS/IPS)
  • Web Protection (WAF, L7 DoS)

Tech Notes

Flow Logs are deprecated in 2.10 and later Gateway releases. The information contained within each Flow Log is made available as part of the session information available in Traffic Summary -> Logs.

Events can be forwarded to a Syslog Server using a Log Forwarding Profile. Once created, the Log Forwarding Profile needs to be associated with a new or existing Gateway in order for the events to be sent to the Syslog Server. To create, modify or change the Gateway association of a Log Forwarding Profile, refer to Log Forwarding - Security Events and Traffic Logs.

Profile Parameters

| Parameter | Required / Optional | Default | Description |
|---|---|---|---|
| Profile Name | Required | | A unique name used to reference the Profile |
| Description | Optional | | A description for the Profile |
| SIEM Vendor | Required | Syslog | The SIEM used for the Profile |
| Server IP | Required | | The IP address of the Syslog Server |
| Protocol | Required | UDP | The protocol to use when sending messages (TCP / UDP) |
| Port | Required | | The port to use when sending messages |
| Format | Required | IETF | The format of the messages (only IETF is supported) |
| Flow Logs | Required | No | Whether to send Flow Logs (Yes / No) |
| Firewall Events | Required | No | Whether to send Firewall Events (Yes / No) |
| HTTPS Logs | Required | No | Whether to send HTTPS Logs (Yes / No) |
| Network Threats | Required | Emergency | The lowest severity level of Network Threats to send |
| Web Attacks | Required | Emergency | The lowest severity level of Web Attacks to send |

Tech Notes

The severity levels available, from highest to lowest, are: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. All events in the category whose severity is at the specified level or higher will be sent to the Syslog Server.
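The threshold rule above, worked through as an added example (this is not Valtix's own code): it applies the "lowest severity to send" setting of a profile to a few constructed events and renders the ones that pass as IETF (RFC 5424) syslog lines. The facility (local0), hostname, app name and the event text are assumptions; the page does not specify what a Gateway actually puts in each field.

```python
"""Added example: Log Forwarding Profile severity threshold + RFC 5424 framing."""
from datetime import datetime, timezone

# RFC 5424 severity codes: a LOWER number means a HIGHER severity.
SEVERITY = {"Emergency": 0, "Alert": 1, "Critical": 2, "Error": 3,
            "Warning": 4, "Notice": 5, "Info": 6, "Debug": 7}
LOCAL0 = 16  # facility chosen for this example (assumption, not a Valtix value)


def should_forward(event_severity: str, profile_minimum: str) -> bool:
    """True when the event is at the profile's threshold or more severe.
    With the default threshold 'Emergency' only Emergency events pass."""
    return SEVERITY[event_severity] <= SEVERITY[profile_minimum]


def pri(facility: int, severity: str) -> int:
    """PRI value = facility * 8 + severity (RFC 5424, section 6.2.1)."""
    return facility * 8 + SEVERITY[severity]


def format_rfc5424(hostname, app, severity, msg, ts=None, facility=LOCAL0):
    """Render one event as an IETF syslog line (no structured data: '-')."""
    ts = ts or datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed for the example
    return f"<{pri(facility, severity)}>1 {ts.isoformat()} {hostname} {app} - - - {msg}"


# Constructed sample events, tagged with the profile category they belong to.
EVENTS = [
    {"category": "Network Threats", "severity": "Critical", "msg": "IDS signature match"},
    {"category": "Network Threats", "severity": "Info", "msg": "AV scan clean"},
    {"category": "Web Attacks", "severity": "Warning", "msg": "WAF rule hit"},
]
# Profile thresholds: Network Threats lowered to Error, Web Attacks left at default.
PROFILE = {"Network Threats": "Error", "Web Attacks": "Emergency"}


def forwarded_messages(events=EVENTS, profile=PROFILE):
    """Return the syslog lines this profile would actually send."""
    out = []
    for e in events:
        if should_forward(e["severity"], profile[e["category"]]):
            out.append(format_rfc5424("gw-1", "valtix", e["severity"], e["msg"]))
    return out


if __name__ == "__main__":
    for line in forwarded_messages():
        print(line)
```

Only the Critical IDS event is forwarded: the Info event sits below the Error threshold and the Warning WAF event is below the default Emergency threshold.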