Last Updated: 2024-08-27
Purpose
The focus of this article is to provide a technical overview of Syslog integration, emphasizing its significance in enhancing asset monitoring for organizations.
Introduction
Syslog Integration enables Outscan to forward system and event logs to an external Syslog server for centralized, real-time asset monitoring and security auditing. It supports configurable transport protocols (UDP, TCP, and TCP with TLS), definition of facility and severity levels, host and port settings, and optional certificate-based encryption. Proper setup ensures that events triggered by notification rules are transmitted reliably to SIEMs or log collectors for alerting, compliance, or incident analysis.
Description
Syslog, short for System Logging Protocol, is a standardized protocol used for sending and receiving log and event messages in a networked environment. It plays a crucial role in effective IT management and security by collecting, storing, and analyzing log data generated by various devices, applications, and systems within an organization's IT infrastructure.
Here is an overview of what Syslog is and what Syslog integration can do:
- Centralized Log Management: Syslog integration enables organizations to centralize the collection of log and event data from a wide range of sources, including servers, routers, switches, firewalls, and applications. This centralization streamlines the monitoring and analysis of log information, making it easier to identify issues and security threats.
- Real-time Monitoring: Syslog allows for real-time monitoring of critical events and activities across the network. It provides immediate visibility into system behavior, potential security incidents, and performance anomalies. This proactive monitoring helps organizations respond swiftly to emerging issues.
- Security and Compliance: Syslog integration is a fundamental component of security information and event management (SIEM) solutions. It assists in detecting and mitigating security breaches, intrusions, and unauthorized access attempts. Additionally, Syslog data can be crucial for compliance with industry regulations and standards, as it provides an audit trail of system activities.
- Troubleshooting and Diagnostics: Syslog logs offer a valuable resource for troubleshooting and diagnostics. When issues arise, administrators can analyze Syslog data to pinpoint the root causes, track changes, and resolve problems efficiently.
- Alerting and Notifications: Organizations can configure Syslog integration to generate alerts and notifications based on predefined criteria. This feature ensures that administrators are promptly informed of critical events, enabling them to take immediate action.
- Historical Analysis: Syslog data can be retained for historical analysis. By analyzing historical logs, organizations can identify patterns, trends, and recurring issues, helping them make informed decisions regarding system improvements and optimizations.
- Integration with Third-party Tools: Syslog can be seamlessly integrated with various security and monitoring tools, enabling organizations to extend their capabilities and enhance their incident response procedures.
- Scalability: Syslog integration scales easily to accommodate the growing volume of log data generated by expanding IT infrastructures. It ensures that organizations can continue to effectively manage and monitor their systems as they grow.
About the Solution
This integration allows the platform to transmit events to an external Syslog server, facilitating centralized monitoring and analysis. For these events to actually reach the configured Syslog server, the appropriate notification settings must be in place. Configuring these settings entails defining rules and parameters that trigger notifications when specific events or thresholds are reached, so that the relevant information is promptly sent to the designated integration. For detailed guidance on configuring these notification settings, refer to Notifications Settings.
Add a Syslog Integration
To add a new integration, follow these steps:
- Click on the green button located in the lower-right corner of the browser window.
- Select the desired integration configuration type from the drop-down menu.
- Fill in the necessary parameters as described in the Integration Fields Overview section.
- Click Add to finish the integration.
Integration Fields Overview
| Option | Description |
|---|---|
| Integration | The selected integration type determines the available fields, which vary based on the chosen integration. |
| Name* | Descriptive name of the integration. |
| Host* | Remote host implementing Syslog. |
| Format | Specifies the structure used for logging and transmitting event messages. |
| Facility* | Defines the categorization of log messages, indicating the source or type of the logged event. Facilities provide a way to differentiate between the various components of a Linux system; the facility code specifies the type of system that is logging the message. See the Facility section for the available values. |
| Severity | Specifies the level of importance or urgency of a log message, aiding in the categorization and prioritization of events. |
| Transport type | Determines the protocol and method used to transmit log messages, defining how data is sent from the source to the syslog server or collector. |
| Port* | Specifies the network port number through which syslog messages are sent and received. |
| TLS | Determines whether a cryptographic protocol is used for the connection. This option is only available if TCP is the chosen transport type. |
| Upload certificate | Digital certificate, often self-signed, used to establish a secure and trusted connection between the sender and the syslog server, ensuring data integrity and confidentiality during transmission. This option is only available if TLS is enabled. |
*) Mandatory
Facility
Facility and Severity values are not normative but often used. They are described below for purely informational purposes. Facility values MUST be in the range of 0 to 23 inclusive.
| Facility Code | Keyword | Description |
|---|---|---|
| 0 | kern | Kernel messages |
| 1 | user | User-level messages |
| 2 | mail | Mail system |
| 3 | daemon | System daemons |
| 4 | auth | Security/authentication messages |
| 5 | syslog | Messages generated internally by syslogd |
| 6 | lpr | Line printer subsystem |
| 7 | news | Network news subsystem |
| 8 | uucp | UUCP subsystem |
| 9 | cron | Cron subsystem |
| 10 | authpriv | Security/authentication messages |
| 11 | ftp | FTP daemon |
| 12 | ntp | NTP subsystem |
| 13 | security | Log audit |
| 14 | console | Log alert |
| 15 | solaris-cron | Scheduling daemon |
| 16-23 | local0-local7 | Locally used facilities |
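As an added example (not code from this article or from Outscan), the following Python encodes the Facility and Severity settings described above into the syslog PRI header that a collector reads first, and decodes it on the receiving side while enforcing the 0 to 23 facility range. The severity keywords are RFC 5424's standard set, which the table above does not list; hostname and application name are placeholders.

```python
# Added example (not part of the original article): encode and decode the PRI
# field that combines the Facility and Severity settings described above.
# PRI = facility * 8 + severity (RFC 5424); the largest legal value is 191.
from datetime import datetime, timezone
import re
# Facility keywords as listed in the table above (RFC 5424 facility codes).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "ntp": 12, "security": 13, "console": 14, "solaris-cron": 15,
    **{f"local{i}": 16 + i for i in range(8)},
}
# Severity levels 0-7 (RFC 5424); the integration's Severity field picks one.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def pri(facility: str, severity: str) -> int:
    """Encode facility and severity keywords into the numeric PRI value."""
    fac = FACILITIES[facility]
    if not 0 <= fac <= 23:  # RFC 5424: facility MUST be in 0..23
        raise ValueError(f"facility {fac} out of range")
    return fac * 8 + SEVERITIES.index(severity)

def format_rfc5424(facility, severity, hostname, appname, msg, ts=None):
    """Render one RFC 5424 line: VERSION 1, NILVALUE (-) for PROCID/MSGID/SD."""
    ts = (ts or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"  # millisecond UTC
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {appname} - - - {msg}"

_PRI_RE = re.compile(r"^<(\d{1,3})>(\d) ")

def parse_pri(line: str):
    """Decode a received line's PRI back to (facility, severity) keywords.
    Returns None when the header is malformed or PRI exceeds 191, so a
    collector can drop the message instead of mis-filing it."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    value = int(m.group(1))
    if value > 191:
        return None
    fac, sev = divmod(value, 8)
    keyword = next(k for k, v in FACILITIES.items() if v == fac)
    return keyword, SEVERITIES[sev]

if __name__ == "__main__":
    # Constructed sample event; hostname and appname are placeholders.
    line = format_rfc5424("local0", "warning", "outscan-host", "outscan",
                          "constructed sample: new asset discovered")
    print(line)
    print(parse_pri(line))  # ('local0', 'warning')
```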