Syslog
  • 09 Jan 2024

Article Summary

Syslog is a standard log transport mechanism for aggregating log data from many different sources into a central repository for archiving and forensics. Security Information and Event Management (SIEM) tools collect the security alerts generated by security hardware and software solutions such as Traceable; with syslog as the transport, the SIEM centralizes this data and produces the reports you use to monitor activity, perform log audits, and respond to incidents.

Traceable AI integrates with your SIEM tools by sending event logs in syslog format. Traceable can forward every type of threat activity and event it generates to an external syslog server; once the events reach your syslog server, you can consume them in whatever way suits your requirements. Traceable supports both RFC 5424 and its predecessor, RFC 3164.

Integrating and configuring Syslog consists of three steps:

  1. Configuring syslog server details in Traceable.

  2. Creating a channel.

  3. Setting up notifications.


Before you begin

Make a note of the following before proceeding with the integration:

  • Identify the kind of Syslog server or syslog daemon your organization is using.

  • Make a note of the host and port number of your Syslog server.

  • The communication between Traceable and the syslog server is over TCP with TLS (SSL). Your syslog daemon must therefore expose a TLS-capable TCP listener; a plain UDP or cleartext TCP listener will not accept the connection.


Configuration

To integrate the syslog server with Traceable, navigate to Integrations > SIEM/SOAR. Click the Syslog server card and fill in the following details:

  • Integration name - Provide an integration name.

  • Description (optional) - Provide a description for integration.

  • Host and Port - Configure the server host address and the port number. These are mandatory fields.

  • Credentials (optional)

    • Account Token Details (optional) - The account token details are composed of an Account ID and a PEN (the IANA Private Enterprise Number, which RFC 5424 also uses to qualify custom structured-data element IDs).

    • Server CA Certificate (optional) - The CA certificate of your syslog server, used to validate the server's TLS certificate. You can configure it independently of the account token details.

Following is a high-level list of information sent to the Syslog server by Traceable:

  • Hostname - Hostname is sent as traceable-<tenantID>.

  • App name - The application name is sent as traceable-<environment>-env. For example, if your environment is production, then the name would be traceable-production-env.

  • Priority - The syslog protocol expects a priority (PRI) on every message, composed of two elements, a Facility and a Severity, encoded as facility × 8 + severity. Traceable uses the ALERT facility (RFC 5424 facility 14, "log alert") with ALERT severity (1) for threat activities, which yields PRI 113. For all other notifications, such as configuration changes, Traceable uses the AUDIT facility (RFC 5424 facility 13, "log audit") with INFORMATIONAL severity (6), which yields PRI 110.
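The following is an added example, not Traceable's code: a small receiver-side parser that decodes the header fields listed above from both RFC 5424 and RFC 3164 messages, splits PRI back into facility and severity, recovers the tenant ID and environment from the hostname and app name, and routes threat activity separately from audit notifications. The sample lines are constructed for this example; the tenant ID, message bodies and the structured-data element (which uses 32473, the PEN RFC 5424 reserves for documentation) are assumptions, not what Traceable actually emits.

```python
"""Parse and triage syslog messages in the form described above (added example)."""
import re

# RFC 5424 Table 1 (facilities) and Table 2 (severities).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "log audit", 14: "log alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG (no version field after PRI)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$"
)
TENANT = re.compile(r"^traceable-(?P<tenant>.+)$")        # hostname: traceable-<tenantID>
ENV = re.compile(r"^traceable-(?P<env>.+)-env$")          # app name: traceable-<environment>-env


def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity; 0..191 are the only valid values."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse(line: str) -> dict:
    """Parse one message, trying the RFC 5424 header first, then RFC 3164."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if m is None:
        raise ValueError(f"not a syslog message: {line!r}")
    d = m.groupdict()
    facility, severity = decode_pri(int(d["pri"]))
    tenant = TENANT.match(d["host"])
    env = ENV.match(d["app"])
    return {
        "rfc": 5424 if "version" in d else 3164,
        "facility": facility,
        "severity": severity,
        "host": d["host"],
        "app": d["app"],
        "tenant": tenant.group("tenant") if tenant else None,
        "environment": env.group("env") if env else None,
        "msg": d.get("msg") or "",
    }


def classify(rec: dict) -> str:
    """Threat activity carries log alert/alert; other notifications carry log audit/info."""
    if rec["facility"] == "log alert" and rec["severity"] == "alert":
        return "threat"
    if rec["facility"] == "log audit":
        return "audit"
    return "other"


def triage(lines) -> dict:
    """Group parsed messages by class so threats can be routed to a separate queue."""
    buckets = {"threat": [], "audit": [], "other": []}
    for line in lines:
        rec = parse(line)
        buckets[classify(rec)].append(rec)
    return buckets


# Constructed sample input (not real Traceable output).
SAMPLE = [
    # RFC 5424 threat activity: facility 14 (log alert), severity 1 (alert) -> PRI 14*8+1 = 113
    "<113>1 2024-01-09T10:15:30.000Z traceable-acme-tenant traceable-production-env - - - "
    "Injection attempt on /api/v1/users",
    # RFC 5424 audit notification: facility 13 (log audit), severity 6 (info) -> PRI 13*8+6 = 110
    "<110>1 2024-01-09T10:16:02.000Z traceable-acme-tenant traceable-production-env - - "
    '[traceable@32473 event="config"] Notification channel updated',
    # RFC 3164 form of the same threat event
    "<113>Jan  9 10:15:30 traceable-acme-tenant traceable-production-env: Injection attempt on /api/v1/users",
]

if __name__ == "__main__":
    for kind, recs in triage(SAMPLE).items():
        for rec in recs:
            print(f"{kind:6} rfc={rec['rfc']} tenant={rec['tenant']} env={rec['environment']} "
                  f"{rec['facility']}/{rec['severity']}: {rec['msg']}")
```

The PRI decode is the part worth keeping in a SIEM parsing rule: matching on the facility/severity pair rather than on message text lets a collector fan out threat activity and configuration audit events to different destinations before any content parsing, and the range check rejects malformed PRI values instead of silently mis-classifying them.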


Create a channel and set up notifications

Once you complete the configuration, you need to create a channel and then set up a notification so that logs are sent to your syslog server.

Navigate to Administration > Configuration > Notifications. Click + Create Channel and follow the steps in the Notifications topic to create a channel. Make sure to enable the Syslog server option when you create the channel.

After the channel for the syslog server exists, create a notification that uses it. The steps to create a notification are also described in the Notifications topic.

