Syslog tab

The Syslog tab allows you to specify a SIEM appliance and/or syslog server where the system events can be sent. These notifications can be configured with various options, such as the frequency of notifications, maximum amount of notifications in a day, and the types of alerts that trigger the notifications.

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Click the plus icon to add a notification.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 20 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

The Syslog notifications list contains the following:

Appliance

The appliance or sensor that triggers the notifications.

Click edit to edit the notification.

Click delete to delete the notification. Click the Delete button in the Delete confirmation pop-up.

Click unread to view a summary of the notification configuration. The summary is displayed in a pop-up. Click the Send test notification button to send a test. Click the Edit button to edit the notification configuration. Click cancel/close or the Close button to dismiss the pop-up.

Click heartbeat/test to send a test notification. The icon will be grayed out if the notification is disabled.

Max daily notifications

The maximum number of notifications to send within a 24-hour period.

Server

The IP address of the syslog/SIEM server.

Port

The port the syslog/SIEM server is listening on.

Host name

The host name of the syslog/SIEM server.

Protocol

The transport protocol is either TCP or UDP.

Source

Indicates the source of the SIEM logs, either Manager or Sensor.

This column only appears on an On-Premises User Portal.

Log format

Indicates the data format of the SIEM logs, either CEF or LEEF.

Include PCAP

Indicates if PCAP data will be included in

Enabled

Shows True if the notification is enabled, False otherwise. Click power to toggle the enable/disable status of the notification.

Create syslog notification page

On the Create Syslog Notification page, fill in the following:

Appliance

The appliance or sensor that triggers the notifications. Select from the License pull-down menu:

  • All licenses: Automatically selects all sensors.

  • All sensors: Use the Sensor pull-down menu to select any specific sensor from any license.

  • Specific license: Use the Sensor pull-down menu to select All sensors for that license or any specific sensor.

Daily limit

Select the maximum number of notifications to send within a 24-hour period. 0 (zero) means unlimited.

Timezone

Select the timezone within which daily limits are computed. By default, the current system timezone is selected.

Enable/disable notification

Click the Enabled button to toggle whether the notification will be enabled upon being saved. Notifications can be enabled or disabled at any time.

SIEM server settings

SIEM Server

Location is the hostname/IP address of the SIEM appliance that the SIEM messages will be sent to. If the SIEM source is a Sensor, this is the address for a SIEM appliance accessible by the Sensor. Otherwise it is an appliance accessible by the Manager.

Port is the port on which the manager/sensor will send SIEM syslog messages for the associated appliance.

SIEM Hostname

The hostname that appears in the prefix of the syslog message, in the format timestamp {SIEM Hostname} siem_message. In the following example, the SIEM Hostname is dallas_ll_sensor:

20:47:12 CDTSep 04 02:13:16 dallas_ll_sensor CEF:0|Lastline|Defender|9.1|test-event|User triggered test event|1|cn1=10 cn1Label=impact cn2=44 cn2Label=notification_config_id devTime=Sep 03 2019 21:13:16 CDT devTimeFormat=MMM dd yyyy HH:mm:ss z externalId=4fac11b7611643e094ae910d155a0f8e
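
A parser for messages in this format, added here as an example (it is not code from the product or from this documentation): it takes the page's example message (with the UI's leading display timestamp dropped), separates the syslog prefix from the CEF header, honours escaped pipes in header fields, and resolves cn1/cn1Label-style custom fields into their labelled names. All function and field names are the example's own.

```python
import re
# Constructed sample: the page's example message with the UI's leading
# "20:47:12 CDT" display prefix dropped, so it starts at the syslog timestamp.
SAMPLE = ("Sep 04 02:13:16 dallas_ll_sensor CEF:0|Lastline|Defender|9.1|test-event|"
          "User triggered test event|1|cn1=10 cn1Label=impact cn2=44 "
          "cn2Label=notification_config_id devTime=Sep 03 2019 21:13:16 CDT "
          "devTimeFormat=MMM dd yyyy HH:mm:ss z externalId=4fac11b7611643e094ae910d155a0f8e")

# Prefix is "timestamp {SIEM Hostname} siem_message"; extension keys start at the
# line start or after whitespace, and a value runs up to the next key.
_PREFIX_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (CEF:\d+\|.*)$")
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

def split_cef_header(cef):
    """Split the seven pipe-delimited CEF header fields, honouring '\\|' escapes."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1]); i += 2        # escaped pipe or backslash
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    fields[0] = fields[0].split(":", 1)[1]           # "CEF:0" -> "0"
    return dict(zip(HEADER_FIELDS, fields)), cef[i:]

def parse_cef_extension(ext):
    """Parse key=value pairs (values may contain spaces) and rename cnN/csN fields to their cnNLabel names."""
    keys = list(_KEY_RE.finditer(ext))
    raw = {m.group(1): ext[m.end():(keys[n + 1].start() if n + 1 < len(keys) else len(ext))].strip()
           for n, m in enumerate(keys)}
    return {raw.get(k + "Label", k): v for k, v in raw.items() if not k.endswith("Label")}

def parse_siem_line(line):
    """Return the syslog timestamp, SIEM Hostname, CEF header and extension fields."""
    m = _PREFIX_RE.match(line.strip())
    if not m: raise ValueError("not a 'timestamp hostname CEF:...' line")
    header, ext = split_cef_header(m.group(3))
    header["severity"] = int(header["severity"])
    return {"timestamp": m.group(1), "siem_hostname": m.group(2),
            "header": header, "extension": parse_cef_extension(ext)}

def is_test_event(parsed):
    """True for the event that the Send test notification button produces."""
    return parsed["header"]["signature_id"] == "test-event"
```
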

Transport protocol

Select either TCP or UDP.

SIEM source

The source of the SIEM logs in your network. Select either Manager or Sensor.

  • Selecting Manager allows you to centralize your log source at the Manager.

  • Selecting Sensor allows you to distribute the log source across your network to the Sensor that generated the alert.

This pull-down menu only appears on an On-Premises User Portal. For Hosted customers, the source of the SIEM logs is always a Sensor.

SIEM log format

The format in which the SIEM logs are sent to the appliance. Select either CEF or LEEF.

Include pcap

If Enabled, PCAP information will be included with the notification for network events. Pcap information can only be included when the log format is LEEF.

Triggers

Select the appropriate triggers for the notification. For more information, see About notification triggers. Also see Sensor group notifications for some caveats about notifications and sensor groups.

Appliance triggers

By default, Appliance triggers are set to Enabled.

Audit triggers

By default, Audit triggers are set to Disabled.

Network triggers

By default, Network triggers are set to Enabled.

Campaign triggers

By default, Campaign triggers are set to Disabled.

Mail triggers

By default, Mail triggers are set to Enabled.

Network IoC triggers

By default, Network IoC triggers are set to Enabled.

Intelligence triggers

By default, Intelligence triggers are set to Disabled. These triggers are only available when All licenses is selected.

Proxy sensor

For a Hosted installation, Audit and Intelligence events occur on the VMware backend. A proxy device is required to relay notifications when these triggers are Enabled. The Proxy sensor setting allows you to select one of your sensors to relay the notifications.

Select a License from the pull-down menu. Select All licenses or a specific license.

Select a Sensor from the pull-down menu.

Once the notification is properly configured, click the Save button to apply the changes. The Syslog notification configuration summary pop-up is displayed. When you close it, the Syslog notifications list is displayed.