Log Forwarding - Syslog
A Syslog Server is a common log collector that accepts messages in the standard Syslog format. Each Syslog message contains fields for Facility, Severity and Message. Almost any SIEM can accept Syslog formatted messages, although most SIEMs also support other message formats. Valtix supports sending Security Events and Traffic Logs to a Syslog Server. The following Events/Logs can be forwarded:
- Flow Logs (Traffic Summary)
- Firewall Events (AppID, L4FW, GeoIP, MaliciousIP, SNI)
- HTTPS Logs (HTTP, TLS)
- Network Threats (AV, DLP, IDS/IPS)
- Web Protection (WAF, L7 DoS)
Flow Logs are deprecated in 2.10 and later Gateway releases. The information contained within each Flow Log is made available as part of the session information available in Traffic Summary -> Logs.
Events can be forwarded to a Syslog Server using a Log Forwarding Profile. Once created, the Log Forwarding Profile needs to be associated with a new or existing Gateway in order for the events to be sent to the Syslog Server. To create, modify or change the Gateway association of a Log Forwarding Profile, refer to Log Forwarding - Security Events and Traffic Logs.
| Parameter | Requirement | Default | Description |
|---|---|---|---|
| Profile Name | Required | | A unique name to use to reference the Profile |
| Description | Optional | | A description for the Profile |
| SIEM Vendor | Required | Syslog | The SIEM used for the Profile |
| Server IP | Required | | The IP address of the Syslog Server |
| Protocol | Required | UDP | The protocol to use when sending messages (TCP / UDP) |
| Port | Required | | The port to use when sending messages |
| Format | Required | IETF | The format of the messages (only IETF is supported) |
| Flow Logs | Required | No | Whether to send Flow Logs (Yes / No) |
| Firewall Events | Required | No | Whether to send Firewall Events (Yes / No) |
| HTTPS Logs | Required | No | Whether to send HTTPS Logs (Yes / No) |
| Network Threats | Required | Emergency | The lowest severity level to send Network Threats |
| Web Attacks | Required | Emergency | The lowest severity level to send Web Attacks |
The levels of severity (highest to lowest) available are:
Debug. All events for the category with the specified severity level or higher are sent to the Syslog Server.
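On the collector side, it helps to confirm that incoming messages really are IETF (RFC 5424) formatted and to see which events a "lowest severity" setting admits. The following is an added example, not Valtix code: it uses the RFC 5424 severity names, and the sample messages, host name and app name are constructed for illustration.

```python
import re

# RFC 5424 severity names indexed by numeric value (0 is the most severe).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.S)

# Constructed sample input (hypothetical host and app names).
SAMPLES = [
    "<130>1 2024-01-01T00:00:00Z gw-1 example-app - - - constructed critical event",
    "<134>1 2024-01-01T00:00:01Z gw-1 example-app - - - constructed informational event",
    "<999>1 2024-01-01T00:00:02Z gw-1 example-app - - - PRI out of range",
    "<34>Oct 11 22:14:15 gw-1 example-app: BSD-style line, not IETF",
]

def parse_ietf(line):
    """Parse one RFC 5424 message; return a dict, or None if malformed."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    rec = m.groupdict()
    rec["facility"], sev = divmod(pri, 8)  # PRI = facility * 8 + severity
    rec["severity"] = SEVERITIES[sev]
    return rec

def at_or_above(rec, lowest):
    """True if the record's severity is `lowest` or more severe."""
    return SEVERITIES.index(rec["severity"]) <= SEVERITIES.index(lowest)

def triage(lines, lowest):
    """Return (kept, malformed): kept is [(severity, hostname)], malformed a count."""
    kept, malformed = [], 0
    for line in lines:
        rec = parse_ietf(line)
        if rec is None:
            malformed += 1
        elif at_or_above(rec, lowest):
            kept.append((rec["severity"], rec["hostname"]))
    return kept, malformed

if __name__ == "__main__":
    print(triage(SAMPLES, "Error"))
```

A non-zero malformed count on a listener dedicated to this profile is worth investigating, since only the IETF format is expected there.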