Knowledge Base – SGBox Next Generation SIEM & SOAR https://www.sgbox.eu Wed, 28 Jan 2026 16:34:25 +0000 en-US
Syslog configuration on Cynet https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-cynet/ Wed, 28 Jan 2026 08:40:50 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=34860

Cynet – SGBox SIEM Integration Guide

Configure Cynet to send syslog notifications to a remote Syslog.

  1. On your Cynet web interface, go to Setting > Advanced.
  2. Select the box beside Send Audit Records to SIEM.
  3. Go to Configuration > SIEM settings and enable the following configuration:
    – TCP
    – IP – public IP address of your syslog server
    – Port – port that is configured on your syslog server. We use TCP port 6514.
  4. Press Add. The added IP and port will appear on the screen.

NOTE: These instructions are based on the official guide provided by the vendor, but for the integration with SGBox to work, ensure that the configuration matches what is specified below:

– Communication protocol is TCP
– Port is 6514
– The public IP address of your syslog server is the correct one.

For further SGBox support requests, please open a ticket on the ticket portal.
Troubleshooting on Collector 6 https://www.sgbox.eu/en/knowledge-base/troubleshooting-on-collector-6/ Mon, 26 Jan 2026 11:43:50 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=35763

Troubleshooting on Collector 6

In this guide, we show you how to perform debugging: to quickly check if the collector has all the main processes active for correct communication with the Host or SGBox appliance.

Docker and containers

Collector 6 introduces the use of Docker and containers. To activate them correctly, it is necessary to configure port forwarding on the firewall. For more details, see: SGBox and Collector network requirements.

After opening the Internet connection to our public registry address, you can debug using the CLI tool to verify that the collector has correctly activated all key containers.

Connect to the Collector appliance via SSH (using PuTTY, Terminal or the console), specifying the user CLI and the password you saved for it.
Go under System > Process Handling > Services status > SGBox Containers
Check that there are 4 active containers. See the image below for an example showing active containers.

Containers are Active: this means that your Collector is ready to be used.
Containers are not Active: this means that something went wrong during network configuration or port opening. We suggest following the Network debugging guide.

Network debugging

You can perform network debugging using the CLI tool.
Connect to the Collector appliance via SSH (using PuTTY, Terminal or the console), specifying the user CLI and the password you saved for it.
Go under Network Configuration > Connect to port

For example, let’s check if the Collector reaches our registry. You can specify an IPv4 address or FQDN, and the port.

The result may be Server is Responding or Cannot connect to the server.

If the result is Cannot connect to the server, we recommend checking that the firewall managing the network is not blocking communication. For more details, see: SGBox and Collector network requirements or provide the results obtained from debugging to SGBox Support for further assistance.

Dump network traffic

You can use the CLI tool to check if there are any problems with receiving data from the Hosts.
Connect to the Collector appliance via SSH (using PuTTY, Terminal or the console), specifying the user CLI and the password you saved for it.
Go under Stats > Dump network traffic

  1. Filter by IP: simple filter on the data source IP, all ports and protocols
  2. Filter SGBox ports: simple filter on ports 514 and 443 from all data sources
  3. Expert: you can enter any tcpdump parameters.

For example, let’s use the Filter by IP option to check if the collector receives the log from the Host.
If the host sends logs to the collector, then you should see traffic passing through, as in the example above.
If you do not see any traffic passing through, double-check that you have correctly configured the source to send logs, or check that there are no firewall blocks between the source and the collector.

6.2.5 https://www.sgbox.eu/en/knowledge-base/6-2-5/ Wed, 21 Jan 2026 15:45:33 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=35652

6.2.5

A new version of SGBox that improves many backend features and performance has been released.

SGBOX > SCM > Applications > SGBox Updates
6.2.3 https://www.sgbox.eu/en/knowledge-base/6-2-3/ Wed, 21 Jan 2026 15:37:32 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=35650

6.2.3

A new version of SGBox that improves many backend features and performance has been released.

SGBOX > SCM > Applications > SGBox Updates
6.2.4 https://www.sgbox.eu/en/knowledge-base/6-2-4/ Wed, 21 Jan 2026 14:50:24 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=35651

6.2.4

A new version of SGBox that improves many backend features and performance has been released.

SGBOX > SCM > Applications > SGBox Updates
Network debugging https://www.sgbox.eu/en/knowledge-base/network-debugging/ Thu, 15 Jan 2026 13:33:24 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=35627

In this guide, we show you how to perform network debugging: to quickly check that a port on a server is reachable from SGBox.

You can perform network debugging using the SGBox CLI tool.
Connect via SSH (using a programme such as PuTTY, or a virtualisation console) to SGBox, specifying the user CLI and the password you saved for it.

Go under Network Configuration > Connect to port

For example, let’s check if SGBox reaches the Active Directory server on port 389 (LDAP) or 636 (LDAPS).

You can specify an IPv4 address or hostname, and the port.

The result may be Server is Responding or Cannot connect to the server.

If the result is Cannot connect to the server, we recommend checking that the firewall managing the network is not blocking communication or checking that the Host port is actually open.

For more details on which ports are used by SGBox, please read the Network Requirements guide.
Syslog configuration on Sophos Firewall https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-sophos-firewall/ Mon, 12 Jan 2026 16:49:30 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=35579

Introduction

To be able to receive logs from a Sophos appliance, syslog must be configured.

Example configuration

NOTE: this is only an example configuration; the options may differ depending on the version or on changed settings.

Connect to your Sophos firewall system. Choose System services > Log settings and click Add.

  1. Enter a name
  2. Specify settings
  3. Click on Save
  4. Go to Log settings and select the logs you want to send to the syslog server.

From the SGBox WebUI, download the Sophos Firewall Package: SCM > Application > Packages
Associate Collector to Tenant https://www.sgbox.eu/en/knowledge-base/associate-collector-to-tenant/ Fri, 28 Nov 2025 10:47:22 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=34848

Associate Collector to Tenant

This operation is needed in order to forward logs to the correct SGBox tenant. It could be done in two ways:

  1. From the collector, with the option “Register collector” (https://www.sgbox.eu/en/knowledge-base/the-sgbox-collector-v6/#Register_the_collector). You need to insert the “key probe for connection” you chose when the tenant was created (in our example, https://www.sgbox.eu/en/knowledge-base/create-new-tenant/, it is Key1234).
  2. On SGBox, by manually associating the collector to the right tenant. Go to SCM > Multitenant > Manager > Probes. Once you have identified your probe, select the correct tenant from the drop-down menu.

Starting from version 6.2.2, new installations need a collector configured.
If your installation has just one tenant, you can avoid deploying the collector VM and use the preconfigured collector: sgboxprobeid


Identify and assign it to the correct tenant.

Alarm & Incident Management https://www.sgbox.eu/en/knowledge-base/alarm-incident-management/ Tue, 21 Oct 2025 12:01:53 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=34246
Click to open the Alarm & Incident Management User Guide

6.2.2 https://www.sgbox.eu/en/knowledge-base/6-2-2/ Wed, 15 Oct 2025 13:28:19 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=34168

6.2.2

A new version of SGBox that improves many backend features and performance has been released.

SGBOX > SCM > Applications > SGBox Updates