Title
Create new category
Edit page index title
Edit category
Edit link
CEF Syslog Feedback
The broker component can be configured to send a CEF syslog summary string to any endpoint via TCP or UDP.
The CEF syslog feedback is generated and sent to the configured endpoint when the main transform task and all its subtasks are in a final processing state.
To modify the syslog feedback configuration:
Step #1 - Open /home/sandbox/sandbox/broker.cfg in a text editor
Step #2 - Add or modify the following properties (no need to overwrite default values):
Step #3 - Save the file and restart the sandbox service
Property details
Property Name | Default Value | Description |
|---|---|---|
cefSyslogEnabled | false | Main switch to enable / disable CEF syslog feedback |
cefSyslogHost | Host name or IP address of the log server | |
cefSyslogPort | 514 | Port of the log server |
cefSyslogProtocol | tcp | Connection protocol to use: tcp or udp |
cefSyslogTimeoutMs | 10 seconds | Connection timeout used for TCP sockets |
cefSyslogUseSSL | false | Switch to enable / disable SSL verification for TCP sockets |
syslogHeaderPrivalFacility | 16 | Facility value used in the syslog header |
syslogHeaderPrivalSeverity | 6 | Severity value used in the syslog header |
syslogHeaderHost | The hostname value is used in the syslog header. If not configured, the application will try to detect and use the local hostname. |
Since the broker is running in a dockerized environment, the detected hostname might not be useful, therefore it is possible to set a user defined hostname which will be used in the syslog header.
Example CEF syslog message:
Scan verdict and CEF severity mapping
Scan verdict | CEF severity |
|---|---|
BENIGN | 0 |
NO_THREAT | 1 |
SUSPICIOUS | 3 |
LIKELY_MALICIOUS | 6 |
MALICIOUS | 9 |
UNKNOWN | 0 |
Test syslog integration
The syslog integration can be tested with the help of a commonly used syslog server like syslog-ng. You can find an example syslog-ng configuration file below, accepting messages on tcp or udp and storing them to a local file.
See the "Technical Datasheet" for a complete list of features: https://docs.opswat.com/filescan/datasheet/technical-datasheet