Syslog Integration

LogSentinel can also combine information about the vulnerabilities of an asset when integrated with a "Vulnerability Management" solution.

In order to consume syslog messages, there are several options. First, you have to choose how to send the syslog messages:

  • Use the LogSentinel Collector, which transforms the syslog messages and forwards them to LogSentinel SIEM. This lets network appliances that don't support any encryption avoid sending plaintext messages over the internet. This is the preferred way of integration.
  • Send messages directly to LogSentinel SIEM, skipping the collector. The message is then matched to a data source in one of three ways:
    • By setting the Syslog host in the data source configuration (in the General tab) to match the hostname in the syslog header
    • By setting a syslog identification parameter name and value which should match an extracted parameter (e.g. name=accountId, value=)
    • By using the per-source syslog ID. Syslog IDs can be obtained from the API credentials page.

Formats and protocols

Syslog exists in many variations and forms:

  • We support syslog over TCP (plaintext and over TLS) as well as over UDP
  • We support both RFC 3164 and RFC 5424. In addition to that, we support SonicWall extended syslog messages
  • We support the CEF and LEEF standard formats

Below is a list of endpoints and ports for each supported variant. We recommend TCP over TLS for most installations. However, some setups lack the needed flexibility, so fallback to plaintext TCP or UDP may be needed. In such cases there's an option for a VPN tunnel (for enterprise customers), or a more complicated internal setup with an intermediate syslog forwarder.

LogSentinel Collector endpoints

The LogSentinel SIEM collector receives syslog messages on port 2514 (TCP), 2515 (TCP for RFC 6587) and 2516 (UDP). By default it automatically creates sources when it receives syslog messages.

It can also be configured using YAML or via the UI:

    - host: <sender-ip>
    - dataSourceId: ba2f0680-5424-11e8-b88d-6f2c1b6625e8

LogSentinel SIEM syslog endpoints

If for some reason you can't run an on-premise collector or you need cloud-to-cloud log collection, you can directly send syslog messages to the LogSentinel SIEM server:

  • - plaintext TCP
  • - TCP over TLS
  • - plaintext UDP

If TLS is used, a server certificate may be requested during configuration. You can download the certificates from here: DER certificate, PEM certificate

Syslog forwarding

We have a syslog configuration script for Linux which you can download and run. It configures a syslog (rsyslog) template that allows authenticating against LogSentinel SIEM. The important line for authentication is this:

    \$template LogSentinelFormat,\"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [logsentinel@$LOGSENTINEL_DISTRIBUTION_ID organizationId=\\\"$LOGSENTINEL_ORG_ID\\\" secret=\\\"$LOGSENTINEL_ORG_SECRET\\\" applicationId=\\\"$LOGSENTINEL_APP_ID\\\" tag=\\\"RsyslogTLS\\\"] %msg%\n\"

Vendor-specific syslog and CEF forwarding

You can configure any appliance and tool that supports syslog in any format and variation (RFC 3164, RFC 5424; CEF, LEEF). Below is a non-exhaustive list of instructions for some products: