Syslog forwarding from SGBox to another server

This article explains how to forward logs and events received by SGBox to another server using the syslog protocol.
First of all, you need to download the “SGBox syslog forwarder” application, or ask support via ticket to unlock it.
Remember that this application reads data from the internal repository and forwards logs, events or incidents to an external syslog server.

From SCM > Application > Tools, click Install on the SGBox syslog forwarder application.

[Screenshot: installing the SGBox syslog forwarder application]

Launch the application and configure it:

[Screenshot: SGBox syslog forwarder configuration]

  • IP Address: only IP addresses are allowed in the “Remote syslog server address” field (host names are not resolved).
  • Class ID: specifies one or more classes to retrieve logs and events from. A class is identified by its class ID (LM->Configuration->Class, the # column). Comma-separated class IDs are allowed to identify more hosts and events that should be forwarded. As an alternative, the user can create a single new class containing all the hosts/events that should be forwarded; this solution is less readable, but allowed.
  • Protocol: TCP or UDP. Use TCP if possible, since it is a more reliable protocol.
  • Port: destination port on the remote syslog server.
  • “Send RAW data from hosts in this classes corresponding to the selected events”: tells SGBox to forward only the raw logs that were used to generate an event (i.e. in a “logon” class, only the raw data that represents a logon will be forwarded).
  • “Send all RAW data from hosts in this classes”: tells SGBox to forward all the logs from the hosts that belong to the selected classes (more verbose).
  • “Send events (JSON format)”: tells SGBox to forward only the events generated by the event extraction system. Incidents (events generated by correlation rules) can be forwarded as well; in that case you need to specify the classes they are bound to in the Class ID field (again, from LM->Configuration->Class).

Additional information:

  • Data is sent using the RFC 5424 syslog format.
  • Raw data and events are sent with the same origin and timestamp as the original raw log and event.
  • Raw data is sent in plain text.
  • Events are sent in JSON format.
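The following is an added example, not part of the original article and not SGBox code, showing what a receiving-side check for this setup looks like: it validates the forwarder settings described above (IP literal only, TCP/UDP, comma-separated numeric class IDs), reassembles newline-delimited records from a TCP stream, parses each record as RFC 5424 and classifies the payload as a JSON event or a plain-text raw log, as the "Additional information" list describes. The sample lines, the host name, the JSON field names (`class_id`, `event`, `user`, `src_ip`) and the assumption that each record ends with a newline are constructed for the example; the real forwarder's event schema and framing are not documented on this page.

```python
import ipaddress
import json
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# Constructed sample records (hypothetical host name and JSON fields, not SGBox's real schema).
SAMPLE_LINES = [
    '<134>1 2024-03-11T10:15:42.000Z dc01.example.local sgbox - - - '
    '{"class_id": 12, "event": "logon", "user": "alice", "src_ip": "10.0.0.5"}',
    '<134>1 2024-03-11T10:15:42.000Z dc01.example.local sgbox - - - '
    'Mar 11 10:15:42 dc01 sshd[1234]: Accepted password for alice from 10.0.0.5 port 51234 ssh2',
    'not a syslog line',
]


def validate_forwarder_config(address, port, protocol, class_ids):
    """Check the constraints the article states for the forwarder settings.
    Returns a normalised dict, or raises ValueError with the offending field."""
    try:
        ip = ipaddress.ip_address(address)          # host names are rejected, as the article says
    except ValueError:
        raise ValueError(f"remote syslog server address must be an IP address, got {address!r}")
    if protocol.upper() not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    if not 0 < int(port) < 65536:
        raise ValueError(f"port out of range: {port}")
    ids = []
    for part in str(class_ids).split(","):        # comma-separated class IDs are allowed
        part = part.strip()
        if not part.isdigit():
            raise ValueError(f"class id must be numeric, got {part!r}")
        ids.append(int(part))
    if not ids:
        raise ValueError("at least one class id is required")
    return {"address": str(ip), "port": int(port), "protocol": protocol.upper(), "class_ids": ids}


def split_stream(buffer, chunk):
    """Reassemble records from a TCP stream. Assumption for this example: each record
    is terminated by '\\n' (RFC 6587 octet counting is not handled). Returns
    (complete_records, leftover_bytes) so the caller can keep the partial tail."""
    buffer += chunk
    *records, rest = buffer.split(b"\n")
    return [r.decode("utf-8", "replace") for r in records if r], rest


def parse_forwarded_line(line):
    """Parse one RFC 5424 record. kind is 'event' when the MSG part is a JSON object,
    'raw' when it is plain text, 'invalid' when the header does not parse."""
    m = RFC5424_RE.match(line.rstrip("\r\n"))
    if not m:
        return {"kind": "invalid", "line": line}
    rec = m.groupdict()
    rec["facility"], rec["severity"] = divmod(int(rec["pri"]), 8)
    body = rec.get("msg") or ""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        parsed = None
    if isinstance(parsed, dict):                  # only a JSON object counts as an event
        rec["kind"], rec["event"] = "event", parsed
    else:
        rec["kind"], rec["event"] = "raw", None
    return rec


def summarize(lines):
    """Count records by kind; useful as a quick sanity check that the forwarder
    sends the mix (raw vs. events) the selected options promise."""
    counts = {"event": 0, "raw": 0, "invalid": 0}
    for line in lines:
        counts[parse_forwarded_line(line)["kind"]] += 1
    return counts


if __name__ == "__main__":
    print(validate_forwarder_config("192.0.2.10", 514, "tcp", "12, 17"))
    for line in SAMPLE_LINES:
        rec = parse_forwarded_line(line)
        print(rec["kind"], rec.get("timestamp"), rec.get("hostname"))
    print(summarize(SAMPLE_LINES))
```

Running the script with the constructed samples reports one event, one raw record and one invalid line; pointing `split_stream` and `parse_forwarded_line` at a real socket lets you confirm that the origin host and timestamp of forwarded records match the original logs, as the article states they should.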