In order to consume syslog messages, there are several options. First, you have to choose how to send the syslog messages:
- Use the LogSentinel Collector which transforms the syslog messages and forwards them to LogSentinel SIEM. This allows network appliances that don't support any encryption to not send messages plaintext messages over the internet. This is the preferred way of integration
- Send messages directly to LogSentinel SIEM and skip the collector in two ways:
- By setting Syslog host in the data source configuration (in the General tab) to match the host syslog header
- By setting syslog identification param and value which should match extracted parameters (e.g. name=accountId, value=
- By using the per-source syslog ID. Syslog IDs can be obtained from the API credentials page.
Formats and protocols¶
Syslog exists in many variations and forms:
- We support syslog over TCP (plaintext and over TLS) as well as over UDP
- We support both RFC 3164 and RFC 5424. In addition to that, we support SonicWall extended syslog messages
- We support the CEF and LEEF standard formats
Below is a list of endpoints and ports for each supported variant. We recommend TCP over TLS for most installations. However, some setups lack the needed flexibility, so fallback to plaintext TCP or UDP may be needed. In such cases there's an option for a VPN tunnel (for enterprise customers), or a more complicated internal setup with an intermediate syslog forwarder.
LogSentinel Collector endpoints¶
The LogSentinel SIEM collector receives syslog messages on port 2514 (TCP) and 2515 (UDP). It is configured using yaml or via the UI:
syslog: hostToDataSourceId: "127.0.0.1": ba2f0680-5424-11e8-b88d-6f2c1b6625e8 queueSize: 20
hostToDataSourceId map you can map source IPs to data source IDs in the SIEM.
LogSentinel SIEM syslog endpoints¶
Note: this is not a recommended approach. If possible, prefer running a collector.
- syslog.logsentinel.com:514 - plaintext TCP
- syslog.logsentinel.com:515 - TCP over TLS
- syslogudp.logsentinel.com:1516 - plaintext UDP
We have a syslog configuration script for Linux which you can download and run configure-syslog.sh. It configures a syslog template that allows authenticating against LogSentinel SIEM. The important line for authentication is this:
\$template LogSentinelFormat,\"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [logsentinel@$LOGSENTINEL_DISTRIBUTION_ID organizationId=\\\"$LOGSENTINEL_ORG_ID\\\" secret=\\\"$LOGSENTINEL_ORG_SECRET\\\" applicationId=\\\"$LOGSENTINEL_APP_ID\\\" tag=\\\"RsyslogTLS\\\"] %msg%\n\"
In order to integrate SentinelOne:
- enable syslog integration from the SentinelOne console
- specify the host and port above (syslog.logsentinel.com:515)
- enable TLS
- download the DER certificate and upload it as a server certificate
- specify CEF 2 format
- get your SentinelOne account ID (query for
In LogSentinel SIEM:
- create a data source
- set the syslog identification param name to "accountId" and syslog identification param value to the accountId you obtained in the last step below