3.10. Syslog Forwarding
Hint: This chapter is optional.
To configure syslog forwarding of logs, set the --syslog flag during scans. You have multiple options as to where you can send the logs. The --syslog value is constructed from the following arguments. Please keep in mind that the fields need to be in the correct order. Values are separated with the colon sign (:).
| Pos. | Field | Description | Possible Values |
|---|---|---|---|
| 1 | Server | The receiving server | FQDN or IP of remote host |
| 2 | Port | optional - the listening port on the remote system, default is | 1 - 65535 |
| 3 | Format | optional - the log format, default is | DEFAULT [1], CEF, JSON, SYSLOGJSON, SYSLOGKV |
| 4 | Socket | optional - the socket type, default is | UDP, TCP, TCPTLS |
Hint: The syslog listener on the Management Center is running on port UDP/514.
Examples:
cribl.local:6514
172.16.20.10:514:SYSLOGKV:TCP
rsyslog-forwarder.dom.int:514:JSON:TCP
arcsight.dom.int:514:CEF:UDP
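Because the positions are fixed, a value such as a format keyword placed before the port is silently wrong rather than obviously wrong. The following validator is an added example (not part of THOR or ASGARD) that checks a --syslog value against the field order, port range, and the format and socket keywords listed above before a scan is launched; omitted optional fields are reported as None, since this page does not show their defaults.

```python
"""Validate a THOR --syslog target before a scan runs.
Layout: server[:port[:format[:socket]]], fixed field order, ':' separated."""
import re
from dataclasses import dataclass
from typing import Optional

FORMATS = ("DEFAULT", "CEF", "JSON", "SYSLOGJSON", "SYSLOGKV")
SOCKETS = ("UDP", "TCP", "TCPTLS")
# Accepts an FQDN or dotted IPv4. Deliberately loose; its main job is to
# catch a format or socket keyword that ended up in the server position.
HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


@dataclass(frozen=True)
class SyslogTarget:
    server: str
    port: Optional[int] = None     # None: field omitted, THOR's default applies
    fmt: Optional[str] = None
    socket: Optional[str] = None


def parse_syslog_target(value: str) -> SyslogTarget:
    """Split the value and check every positional field; raise ValueError
    on the first violation so a bad target never reaches the scan."""
    fields = value.split(":")
    if not 1 <= len(fields) <= 4:
        raise ValueError(f"expected 1 to 4 fields, got {len(fields)}: {value!r}")
    server = fields[0]
    if not HOST_RE.match(server) or server.upper() in FORMATS + SOCKETS:
        raise ValueError(f"field 1 must be an FQDN or IP, got {server!r}")
    port = fmt = socket = None
    if len(fields) > 1:
        if not fields[1].isdigit() or not 1 <= int(fields[1]) <= 65535:
            raise ValueError(f"field 2 must be a port 1-65535, got {fields[1]!r}")
        port = int(fields[1])
    if len(fields) > 2:
        if fields[2] not in FORMATS:   # exact match: conservative on case
            raise ValueError(f"field 3 must be one of {FORMATS}, got {fields[2]!r}")
        fmt = fields[2]
    if len(fields) > 3:
        if fields[3] not in SOCKETS:
            raise ValueError(f"field 4 must be one of {SOCKETS}, got {fields[3]!r}")
        socket = fields[3]
    return SyslogTarget(server, port, fmt, socket)


def is_valid_syslog_target(value: str) -> bool:
    """Boolean wrapper for pre-flight checks in scan wrapper scripts."""
    try:
        parse_syslog_target(value)
        return True
    except ValueError:
        return False
```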
If you choose to use the --syslog flag, please make sure that the necessary ports are allowed within your network/firewall. If you decide to forward your logs via ASGARD to a SIEM, please have a look at Rsyslog Forwarding.
Note: If Syslog Forwarding is selected for a new THOR Scan, the default target will be set to %asgard-host%, which is your Management Center. Syslog Forwarding is optional and you do not lose any functionality if you are not using it (in most cases). If you want to forward logs in real-time from your Management Center to a SIEM (for example), you do however have to enable Syslog Forwarding. Please see Rsyslog Forwarding for more information.