unix – SGBox Next Generation SIEM & SOAR (https://www.sgbox.eu), feed updated Fri, 26 Sep 2025 14:15:10 +0000

Syslog configuration on Sentinel
https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-sentinel/
Fri, 07 Feb 2025 14:49:56 +0000

Configure Sentinel to send logs to SGBox

Open the SentinelOne Admin Console and configure SentinelOne to send logs to your syslog server (the SGBox collector).

  1. Select your site.
  2. In the left side menu, click the slider icon [⊶] to open the Settings menu.
  3. Open the INTEGRATIONS tab and fill in the details:
     3.1. Under Types, select SYSLOG.
     3.2. Toggle the button to enable SYSLOG.
     3.3. Host: enter the public IP address and port of your syslog server.
     3.4. Formatting: select CEF.
     3.5. Save your changes.
 

The console connects to your syslog server from outside your network, which is why the Host field needs a public IP address. If you select TLS as the transport, you will also need to upload the certificates.

Syslog configuration on ForcePoint
https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-forcepoint/
Fri, 07 Feb 2025 09:21:07 +0000

ForcePoint

To send logs to SGBox:

Toggle the Enable SIEM logging switch to ON, then:

  1. Enter the IP address or hostname and the communication port of your SGBox server.
  2. Select a transport protocol (TCP or UDP).
  3. Configure which logs to send by selecting one or more threat levels. By default, malicious and suspicious incident logs are forwarded.
  4. Select a SIEM format to use (the default is syslog/CEF).
  5. Click Apply to save your changes.

For further information see: https://www.websense.com/content/support/library/riskvision/v21/system_mgmt/system_logging.aspx
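Both the SentinelOne integration above and this Forcepoint one deliver events to SGBox as CEF over syslog. The following parser is an added example, not part of the original article and not code from SGBox, SentinelOne or Forcepoint: it shows how a collector splits the CEF header from the extension, applies the two escape rules (\| and \\ in the header; \= and \\ in extension values), handles values that contain spaces, and flags high-severity events. The three sample events, the vendor and product names, the signature IDs and every field value are constructed for this example and do not reproduce either product's real output.

```python
"""Parse CEF (Common Event Format) events received over syslog and triage them by severity.

Added example; not SGBox, SentinelOne or Forcepoint code. The sample events are
constructed for illustration and do not reproduce either product's real output.
"""
import re

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Extension keys are "key=" tokens at the start of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
# CEF severity is either 0-10 or one of these words (mapped to a representative number).
_SEVERITY_WORDS = {"low": 2, "medium": 5, "high": 8, "very-high": 10}


def _split_header(text):
    """Split the seven '|'-separated header fields that follow 'CEF:'.

    Only '\\|' and '\\\\' are escapes in the header. Returns (fields, extension_text).
    """
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])      # escaped pipe or backslash
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) == 6:                 # no '|' after severity: empty extension
        fields.append("".join(cur))
        cur = []
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, text[i:]


def _unescape(value):
    """Undo extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline / CR."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Turn 'key=value key2=value with spaces' into a dict; a value runs up to the next key."""
    found = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(found):
        end = found[n + 1].start() if n + 1 < len(found) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF event; text before 'CEF:' is kept as syslog_prefix."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF marker in line")
    fields, ext = _split_header(line[idx + 4:])
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = _parse_extension(ext)
    event["syslog_prefix"] = line[:idx].rstrip()
    return event


def severity_value(event):
    """Numeric severity 0-10 from either the numeric or the word form of the header field."""
    raw = event["severity"].strip()
    return int(raw) if raw.isdigit() else _SEVERITY_WORDS[raw.lower()]


def triage(lines, threshold=7):
    """Return (signature_id, name) for events at or above the threshold (7 is 'High' in CEF)."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if severity_value(ev) >= threshold:
            hits.append((ev["signature_id"], ev["name"]))
    return hits


# Constructed sample events with generic vendor/product names (not real product output).
SAMPLE_EVENTS = [
    r"<134>Feb  7 14:49:56 edr-console CEF:0|ExampleVendor|ExampleEDR|1.2|S1001|Malicious file quarantined|9|"
    r"rt=1738939796000 shost=WKS-042 suser=jdoe filePath=C:\\Users\\jdoe\\Downloads\\invoice.exe act=quarantine",
    r"CEF:0|ExampleVendor|ExampleProxy|21.0|4|Suspicious URL blocked|5|"
    r"src=10.0.0.5 dst=203.0.113.10 request=http://example.test/login?user\=admin msg=Category: phishing|suspected act=block",
    r"CEF:0|Example\|Vendor|ExampleProduct|1.0|1|Pipe in vendor name|3|src=192.0.2.1",
]

if __name__ == "__main__":
    for ev in map(parse_cef, SAMPLE_EVENTS):
        print(ev["device_vendor"], ev["name"], ev["severity"], ev["extension"])
    print("high severity:", triage(SAMPLE_EVENTS))
```

Run it directly to see the three events parsed and the one high-severity hit. The extension grammar is the part collectors most often get wrong: a value may contain spaces and pipes, so a key is only recognised after whitespace, and an escaped equals sign inside a URL (the second sample) must not start a new key.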

Apache HTTP Server
https://www.sgbox.eu/en/knowledge-base/apache-web-server-configuration/
Tue, 30 Mar 2021 11:16:40 +0000

How to forward Apache web server logs to SGBox

This article explains how to forward logs from an Apache web server installed on Linux or Windows systems to SGBox, and how to check that they arrive.

Linux systems

On Linux, go to the rsyslog configuration directory /etc/rsyslog.d/ and add a file with a name such as 60-ApacheLogs.conf.

In this example, to read the Apache access.log file, insert the following configuration into 60-ApacheLogs.conf.

# Load the imfile input module, which tails text files
$ModLoad imfile
# Poll the file for new lines every 2 seconds
$InputFilePollInterval 2
# File to read (Debian/Ubuntu path; on RHEL/CentOS it is /var/log/httpd/access_log)
$InputFileName /var/log/apache2/access.log
# Syslog tag for these lines; $programname becomes "file-access"
$InputFileTag file-access:
# State file, kept in rsyslog's work directory, so the read position survives restarts
$InputFileStateFile stat-file-access
$InputFileSeverity Info
$InputRunFileMonitor
# Template that forwards only the raw access-log line, without the usual syslog header
$template file_log, " %msg% "

# A single @ means UDP (use @@ for TCP). Replace SGBox-IP with the address of your SGBox.
if $programname == 'file-access' then @SGBox-IP:514;file_log
if $programname == 'file-access' then stop

Check the syntax and restart the rsyslog daemon to load the new configuration and start sending logs:

rsyslogd -N1
service rsyslog restart

On systemd-based distributions you can use systemctl restart rsyslog instead of the service command.

This configuration tails the Apache access.log file and sends each new line via the syslog protocol over UDP to port 514 of SGBox-IP (a single @ selects UDP; @@ selects TCP). The rsyslog process must be able to read the log file (on Debian and Ubuntu, Apache's logs are readable by members of the adm group). Plain UDP syslog is neither authenticated nor encrypted, so keep the collector on a network path you control.
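As an added example (not code from SGBox, rsyslog or the original article), the following Python script reproduces what the forwarding above puts on the wire and what the collector has to make of it: it frames each Apache access-log line in the BSD syslog (RFC 3164) format that rsyslog's traditional forward template uses (the " %msg% " template in the snippet sends only the bare line), sends the datagrams over UDP, and parses both the syslog header and the Apache combined log format on receipt. The host name web01, the addresses, the log lines, the fixed timestamp and the loopback listener on an ephemeral port (standing in for SGBox-IP:514) are all constructed for this example.

```python
"""Frame Apache access-log lines as syslog datagrams, send them over UDP and parse what arrives.

Added example; not SGBox or rsyslog code. It reproduces the BSD syslog (RFC 3164)
framing that rsyslog's traditional forward format puts around each line (the
article's " %msg% " template sends the bare line instead) and parses the Apache
"combined" log format, so you can see what the collector has to index.
Host names, addresses, timestamps and log lines are constructed for this example.
"""
import re
import socket
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16    # imfile default facility (local0)
SEVERITY_INFO = 6       # "$InputFileSeverity Info" in the rsyslog snippet
EXAMPLE_TIME = datetime(2025, 2, 7, 14, 49, 56, tzinfo=timezone.utc)  # fixed, for reproducible output

# Constructed Apache "combined" access-log lines (not real traffic).
SAMPLE_LINES = [
    '198.51.100.7 - - [07/Feb/2025:14:49:56 +0000] "GET /index.html HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [07/Feb/2025:14:50:01 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "curl/8.4.0"',
    '203.0.113.9 - - [07/Feb/2025:14:50:02 +0000] "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1" 500 0 "-" "sqlmap/1.8"',
]

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

SYSLOG_RE = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)


def parse_combined(line):
    """Fields of an Apache combined-format line, or None if the line does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity (local0/info gives 134)."""
    return facility * 8 + severity


def syslog_datagram(line, hostname, tag="file-access", facility=FACILITY_LOCAL0,
                    severity=SEVERITY_INFO, now=None):
    """Wrap one log line as b'<PRI>Mmm dd hh:mm:ss host tag: line' (BSD syslog framing)."""
    now = now or datetime.now(timezone.utc)
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"   # day of month is space-padded
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {line}".encode()


def parse_syslog(datagram):
    """Split a BSD-style datagram into facility, severity, timestamp, host, tag and message."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    p = int(m.group(1))
    return {"facility": p // 8, "severity": p % 8,
            "timestamp": m.group(2).decode(), "host": m.group(3).decode(),
            "tag": m.group(4).decode(), "msg": m.group(5).decode()}


def send_udp(datagrams, host, port):
    """Send each datagram over UDP, which is what '@host:port' does in rsyslog."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in datagrams:
            s.sendto(d, (host, port))


def loopback_roundtrip(lines, hostname="web01"):
    """Send the lines to a local UDP listener (standing in for SGBox-IP:514) and parse them back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))           # ephemeral port
        rx.settimeout(2)
        port = rx.getsockname()[1]
        send_udp([syslog_datagram(l, hostname) for l in lines], "127.0.0.1", port)
        received = []
        for _ in lines:
            data, _addr = rx.recvfrom(65535)
            rec = parse_syslog(data)
            rec["apache"] = parse_combined(rec["msg"])
            received.append(rec)
    return received


if __name__ == "__main__":
    for rec in loopback_roundtrip(SAMPLE_LINES):
        a = rec["apache"]
        print(f"{rec['host']} {rec['tag']} pri={pri(rec['facility'], rec['severity'])} "
              f"{a['client']} {a['method']} {a['path']} {a['status']}")
```

Run it directly to see the round trip on 127.0.0.1. Two things the round trip makes visible: nothing on the UDP path authenticates the sender or confirms delivery, so a dropped datagram is silent (switch to @@ for TCP, or to TLS where the collector supports it), and the query strings in the access log travel to the SIEM verbatim, so anything sensitive that Apache logs ends up there too.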

Windows systems

On Windows, use the SGAgent installed on the Apache server to tail the log files: refer to the SGAgent configuration article, section Capture Logs from File/Folders (TailFolder method), for the setup details.

Check the Apache logs in SGBox

To verify that SGBox is receiving and handling the raw logs sent by the Apache server, use Historical Search. Once you have verified the raw logs in SGBox, install the Apache2 HTTP Server package so that SGBox can parse the raw logs and show you events on the analysis pages.

Syslog configuration on Bitdefender GravityZone
https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-bitdefender-gravityzone/
Fri, 28 Jun 2019 14:37:11 +0000

How to configure Syslog on Bitdefender GravityZone

This guide provides instructions to configure Bitdefender GravityZone to forward its logs via syslog. The configuration detailed here applies to Bitdefender GravityZone (on-premises) v6.5 to 7.0.

Requirements:

  • Admin access to the Bitdefender GravityZone (on-premises) console. If you use the cloud console, follow the dedicated cloud-console guide instead.

Note: Bitdefender GravityZone supports the syslog option from v6.5 to 7.0.

Following are the steps to configure Bitdefender GravityZone (on-premises) to send logs to SGBox.

  1. Log in to the GravityZone Control Center.
  2. Click Configuration > Miscellaneous.
  3. Tick Enable Syslog and enter the IP address of your SGBox.
  4. Enter the SGBox port (514) and select the UDP protocol.


Click the configuration button (the gear icon) in the top-right corner.


Select the events you want to send to SGBox.

After the data source appears in SGBox, install the corresponding GravityZone package from SCM > Application > Packages so that SGBox can parse the events it receives.