In order to consume syslog messages, there are several options. First, you have to choose how to send the syslog messages:
- Use the LogSentinel Collector, which transforms the syslog messages and forwards them to LogSentinel SIEM. This allows network appliances that don't support any encryption to avoid sending plaintext messages over the internet. This is the preferred way of integration.
- Send messages directly to LogSentinel SIEM and skip the collector in three ways:
  - By setting Syslog host in the data source configuration (in the General tab) to match the host syslog header
  - By setting syslog identification param and value which should match extracted parameters (e.g. name=accountId, value=
  - By using the per-source syslog ID. Syslog IDs can be obtained from the API credentials page.
Formats and protocols
Syslog exists in many variations and forms:
- We support syslog over TCP (plaintext and over TLS) as well as over UDP
- We support both RFC 3164 and RFC 5424. In addition to that, we support SonicWall extended syslog messages
- We support the CEF and LEEF standard formats
Below is a list of endpoints and ports for each supported variant. We recommend TCP over TLS for most installations. However, some setups lack the needed flexibility, so fallback to plaintext TCP or UDP may be needed. In such cases there's an option for a VPN tunnel (for enterprise customers), or a more complicated internal setup with an intermediate syslog forwarder.
LogSentinel Collector endpoints
The LogSentinel SIEM collector receives syslog messages on port 2514 (TCP), 2515 (TCP for RFC 6587) and 2516 (UDP). By default it automatically creates sources when it receives syslog messages.
It can also be configured using YAML or via the UI:

```yaml
syslog:
  sourceConfigurations:
    - host: <sender-ip>
      dataSourceId: ba2f0680-5424-11e8-b88d-6f2c1b6625e8
```
LogSentinel SIEM syslog endpoints
If for some reason you can't run an on-premise collector or you need cloud-to-cloud log collection, you can directly send syslog messages to the LogSentinel SIEM server:
- syslog.logsentinel.com:514 - plaintext TCP
- syslog.logsentinel.com:515 - TCP over TLS
- syslogudp.logsentinel.com:1516 - plaintext UDP
We provide a syslog configuration script for Linux, configure-syslog.sh, which you can download and run. It configures a syslog template that allows authenticating against LogSentinel SIEM. The important line for authentication is this:
```sh
\$template LogSentinelFormat,\"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [logsentinel@$LOGSENTINEL_DISTRIBUTION_ID organizationId=\\\"$LOGSENTINEL_ORG_ID\\\" secret=\\\"$LOGSENTINEL_ORG_SECRET\\\" applicationId=\\\"$LOGSENTINEL_APP_ID\\\" tag=\\\"RsyslogTLS\\\"] %msg%\n\"
```
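The following is an added example (not part of the LogSentinel script or documentation) that builds the same RFC 5424 message the template above produces, escapes the structured-data values as RFC 5424 requires, frames it with RFC 6587 octet counting for the collector's TCP port 2515, and parses the authentication parameters back out; the distribution ID and credential values are placeholders.

```python
import re
from datetime import datetime, timezone

# Placeholder; the real value comes from the LogSentinel API credentials page.
DISTRIBUTION_ID = "DISTRIBUTION_ID_PLACEHOLDER"


def _sd_escape(value: str) -> str:
    """Escape a PARAM-VALUE as RFC 5424 section 6.3.3 requires ('\\', '"' and ']')."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_message(org_id, org_secret, app_id, msg, hostname="host1", app_name="sshd",
                  procid="1234", msgid="-", pri=134, ts=None) -> str:
    """Build an RFC 5424 line mirroring the LogSentinelFormat rsyslog template.
    The secret is a credential, which is why the TLS endpoint is the recommended transport."""
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    sd = (f'[logsentinel@{DISTRIBUTION_ID} organizationId="{_sd_escape(org_id)}" '
          f'secret="{_sd_escape(org_secret)}" applicationId="{_sd_escape(app_id)}" '
          f'tag="RsyslogTLS"]')
    return f"<{pri}>1 {ts} {hostname} {app_name} {procid} {msgid} {sd} {msg}"


def frame_octet_counted(message: str) -> bytes:
    """RFC 6587 octet-counting framing (MSG-LEN SP SYSLOG-MSG), as expected on TCP port 2515."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


_SD_RE = re.compile(r'\[logsentinel@\S+ ((?:[^\]\\]|\\.)*)\]')
_PARAM_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_sd_params(message: str) -> dict:
    """Extract the logsentinel@... SD-element parameters, undoing RFC 5424 escaping.
    Returns an empty dict when the message carries no LogSentinel SD-element."""
    m = _SD_RE.search(message)
    if not m:
        return {}
    return {k: re.sub(r'\\(["\\\]])', r'\1', v) for k, v in _PARAM_RE.findall(m.group(1))}


if __name__ == "__main__":
    line = build_message("ORG_ID_PLACEHOLDER", "SECRET_PLACEHOLDER", "APP_ID_PLACEHOLDER", "test event")
    print(frame_octet_counted(line))
    print(parse_sd_params(line))
```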
Vendor-specific syslog and CEF forwarding
You can configure any appliance and tool that supports syslog in any format and variation (RFC 3164, RFC 5424; CEF, LEEF). Below is a non-exhaustive list of instructions for some products: