In order to consume syslog messages, there are several options. First, you have to choose how to send the syslog messages:
- Use the LogSentinel Collector, which transforms the syslog messages and forwards them to LogSentinel SIEM. This allows network appliances that don't support any encryption to avoid sending plaintext messages over the internet. This is the preferred way of integration.
- Send messages directly to LogSentinel SIEM by using the per-source syslog ID, skipping the collector. Syslog IDs can be obtained from the API credentials page.
Formats and protocols
Syslog exists in many variations and forms:
- We support syslog over TCP (plaintext and over TLS) as well as over UDP.
- We support both RFC 3164 and RFC 5424. In addition to that, we support SonicWall extended syslog messages.
- We support the CEF and LEEF standard formats.
Below is a list of endpoints and ports for each supported variant. We recommend TCP over TLS for most installations. However, some setups lack the needed flexibility, so a fallback to plaintext TCP or UDP may be needed. In such cases there's an option for a VPN tunnel (for enterprise customers), or a more complicated internal setup with an intermediate syslog forwarder.
LogSentinel Collector endpoints
The LogSentinel SIEM collector receives syslog messages on port 2514 (TCP) and 2515 (UDP). It is configured using YAML or via the UI:

```yaml
syslog:
  hostToDataSourceId:
    "127.0.0.1": ba2f0680-5424-11e8-b88d-6f2c1b6625e8
  queueSize: 20
```

With the hostToDataSourceId map you can map source IPs to data source IDs in the SIEM.
LogSentinel SIEM syslog endpoints
Note: this is not a recommended approach. If possible, prefer running a collector.
- syslog.logsentinel.com:514 - plaintext TCP
- syslog.logsentinel.com:515 - TCP over TLS
- syslogudp.logsentinel.com:1516 - plaintext UDP
We have a syslog configuration script for Linux, configure-syslog.sh, which you can download and run. It configures a syslog template that allows authenticating against LogSentinel Trails. The important line for authentication is this:
```
\$template LogSentinelFormat,\"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [logsentinel@$LOGSENTINEL_DISTRIBUTION_ID organizationId=\\\"$LOGSENTINEL_ORG_ID\\\" secret=\\\"$LOGSENTINEL_ORG_SECRET\\\" applicationId=\\\"$LOGSENTINEL_APP_ID\\\" tag=\\\"RsyslogTLS\\\"] %msg%\n\"
```
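The record layout that template produces, built outside rsyslog and sent to the TCP-over-TLS endpoint listed above; this is an added example, not LogSentinel's own code. The function names, the facility/severity defaults and all ID and secret values are assumptions or constructed placeholders. Because the secret travels in every record's structured data, the sender uses only the TLS endpoint and leaves certificate verification on.

```python
import socket
import ssl
from datetime import datetime, timezone

TLS_ENDPOINT = ("syslog.logsentinel.com", 515)  # TCP over TLS, from the page


def sd_escape(value: str) -> str:
    """Escape backslash, '"' and ']' in an SD-PARAM value (RFC 5424 6.3.3)."""
    for ch in ("\\", '"', "]"):  # backslash first, so escapes are not doubled
        value = value.replace(ch, "\\" + ch)
    return value


def build_message(msg, *, org_id, secret, app_id, distribution_id, hostname,
                  app_name, procid="-", msgid="-", facility=1, severity=6,
                  tag="RsyslogTLS", now=None):
    """Render one RFC 5424 line laid out like the LogSentinelFormat template."""
    pri = facility * 8 + severity
    ts = (now or datetime.now(timezone.utc)).isoformat(timespec="microseconds")
    params = {"organizationId": org_id, "secret": secret,
              "applicationId": app_id, "tag": tag}
    sd = " ".join(f'{k}="{sd_escape(v)}"' for k, v in params.items())
    # The template ends each record with a newline, so an embedded newline
    # would be parsed as a second record: flatten it.
    body = msg.replace("\r", " ").replace("\n", " ")
    return (f"<{pri}>1 {ts} {hostname} {app_name} {procid} {msgid} "
            f"[logsentinel@{distribution_id} {sd}] {body}\n")


def send_tls(line, endpoint=TLS_ENDPOINT, timeout=5.0):
    """Send one line over TLS; the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection(endpoint, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=endpoint[0]) as tls:
            tls.sendall(line.encode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent here.
    print(build_message("user alice logged in", org_id="ORG-ID-PLACEHOLDER",
                        secret="SECRET-PLACEHOLDER", app_id="APP-ID-PLACEHOLDER",
                        distribution_id="0", hostname="web01", app_name="sshd"),
          end="")
```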