CEF Syslog Feedback

The broker component can be configured to send a CEF syslog summary string to any endpoint via TCP or UDP.

The CEF syslog feedback is generated and sent to the configured endpoint when the main transform task and all its subtasks are in a final processing state.

To modify the syslog feedback configuration:

Step #1 - Open /home/sandbox/sandbox/broker.cfg in a text editor

Step #2 - Add or modify the following properties (no need to overwrite default values):

############################## # CEF Syslog Feedback settings ############################## cefSyslogEnabled=false cefSyslogHost= cefSyslogPort=514 cefSyslogProtocol=tcp cefSyslogTimeoutMs=10000 cefSyslogUseSSL=false

Step #3 - Save the file and restart the sandbox service

Property details

Property Name

Default Value

Description

cefSyslogEnabled

false

Main switch to enable / disable CEF syslog feedback

cefSyslogHost


Host name or IP address of the log server

cefSyslogPort

514

Port of the log server

cefSyslogProtocol

tcp

Connection protocol to use: tcp or udp

cefSyslogTimeoutMs

10 seconds

Connection timeout used for TCP sockets

cefSyslogUseSSL

false

Switch to enable / disable SSL verification for TCP sockets

Example CEF syslog string:

CEF:0|OPSWAT Inc.|broker|1.1.0-1e895e7|transform-file| c378387344e0a552dc065de6bfa607fd26e0b5c569751c79fbf9c6f2e9 1c98079| cn1=1c281ba2-d4cd-4811-9ccc-fbf941c517b0 cn1Label=Task ID cn2=c378387344e0a552dc065de6bfa607fd26e0b5c569751c79fbf9c6f2e91c9807 cn2Label=SHA256 cn3=application/vnd.ms-word.document.macroenabled.12 cn3Label=Media Type cn4=2022-04-96 02:20+020096 cn4Label=Date cn5=antivm,macros,macros-on-open,obfuscated,powershell,docx cn5Label=All Tags cn6=EMU000,V004,S010,EMU006,S000,SIGG001,S041,V001,V000,Y000,S040 cn6Label=All Signal Group IDs