CEF Syslog Feedback
The broker component can be configured to send a CEF syslog summary string to any endpoint via TCP or UDP.
The CEF syslog feedback is generated and sent to the configured endpoint when the main transform task and all its subtasks are in a final processing state.
To modify the syslog feedback configuration:
Step #1 - Open /home/sandbox/sandbox/broker.cfg in a text editor
Step #2 - Add or modify the following properties (no need to overwrite default values):
```
############################### CEF Syslog Feedback settings ##############################
cefSyslogEnabled=false
cefSyslogHost=
cefSyslogPort=514
cefSyslogProtocol=tcp
cefSyslogTimeoutMs=10000
cefSyslogUseSSL=false
# Syslog header config
syslogHeaderPrivalFacility=16
syslogHeaderPrivalSeverity=6
syslogHeaderHost=
```
Step #3 - Save the file and restart the sandbox service
Property details
| Property Name | Default Value | Description |
|---|---|---|
| cefSyslogEnabled | false | Main switch to enable / disable CEF syslog feedback |
| cefSyslogHost | - | Host name or IP address of the log server |
| cefSyslogPort | 514 | Port of the log server |
| cefSyslogProtocol | tcp | Connection protocol to use: tcp or udp |
| cefSyslogTimeoutMs | 10000 (10 seconds) | Connection timeout in milliseconds used for TCP sockets |
| cefSyslogUseSSL | false | Switch to enable / disable SSL verification for TCP sockets |
| syslogHeaderPrivalFacility | 16 | Facility value used in the syslog header |
| syslogHeaderPrivalSeverity | 6 | Severity value used in the syslog header |
| syslogHeaderHost | - | Hostname value used in the syslog header. If not configured, the application tries to detect and use the local hostname. |
Since the broker runs in a dockerized environment, the detected hostname might not be meaningful (it is typically the container ID); therefore a user-defined hostname can be set, which is then used in the syslog header.
Example CEF syslog message:
```
<134>1 2024-09-05T08:04:24.410Z hostname - - - - CEF:0|OPSWAT Inc.|broker|1.1.0-53dd79f|transform-file|OPSWAT Sandbox scan result|6|cs1Label=Task ID cs1=6c77d761-6958-4e2a-aa7c-88de393c4cf1 cs2Label=SHA256 cs2=6c297c89d32d7fb5c6d10b1da2612c9557a5126715c4a78690d5d8067488f5f2 cs3Label=Media Type cs3=application/x-ms-installer cs4Label=Date cs4=2024-09-05 10:17+0200249 cs5Label=All Tags cs5=expand,fingerprint,lolbin,msi cs6Label=All Signal Group IDs cs6=H061,S007,R007,H071,PE000,SIGG038,I001
```
Scan verdict and CEF severity mapping
| Scan verdict | CEF severity |
|---|---|
| BENIGN | 0 |
| NO_THREAT | 1 |
| SUSPICIOUS | 3 |
| LIKELY_MALICIOUS | 6 |
| MALICIOUS | 9 |
| UNKNOWN | 0 |
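The following is an added example (not part of this documentation and not the broker's own code) showing how a consumer on the receiving side relates a feedback line to the settings and tables above: it parses the RFC 5424 header (the PRI value 134 decomposes into facility 16 and severity 6, i.e. the configured `syslogHeaderPrivalFacility` / `syslogHeaderPrivalSeverity`), splits the CEF header on unescaped pipes, resolves the `csNLabel`/`csN` pairs, and reverses the verdict table. The sample message is constructed from the documented example (Task ID and SHA256 reused, the Date value simplified to a plain timestamp); the facility and severity defaults are taken from the configuration above.

```python
"""Parse one line of the broker's CEF syslog feedback (RFC 5424 header followed
by a CEF:0 payload) and relate it to the settings and the verdict table above.
Added example; not part of the OPSWAT documentation or the broker's own code."""
import re
from dataclasses import dataclass

# Scan verdict -> CEF severity, copied from the mapping table above.
VERDICT_SEVERITY = {
    "BENIGN": 0, "NO_THREAT": 1, "SUSPICIOUS": 3,
    "LIKELY_MALICIOUS": 6, "MALICIOUS": 9, "UNKNOWN": 0,
}

# Constructed sample modelled on the documented example message (same Task ID
# and SHA256 values; the Date value is simplified to a plain timestamp).
SAMPLE = (
    "<134>1 2024-09-05T08:04:24.410Z hostname - - - - "
    "CEF:0|OPSWAT Inc.|broker|1.1.0-53dd79f|transform-file|OPSWAT Sandbox scan result|6|"
    "cs1Label=Task ID cs1=6c77d761-6958-4e2a-aa7c-88de393c4cf1 "
    "cs2Label=SHA256 cs2=6c297c89d32d7fb5c6d10b1da2612c9557a5126715c4a78690d5d8067488f5f2 "
    "cs3Label=Media Type cs3=application/x-ms-installer "
    "cs4Label=Date cs4=2024-09-05 10:17+0200 "
    "cs5Label=All Tags cs5=expand,fingerprint,lolbin,msi "
    "cs6Label=All Signal Group IDs cs6=H061,S007,R007,H071,PE000,SIGG038,I001"
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
# A CEF extension key is preceded by start-of-string or whitespace and followed by '='.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


@dataclass
class CefEvent:
    facility: int          # PRI // 8, should equal syslogHeaderPrivalFacility
    syslog_severity: int   # PRI % 8, should equal syslogHeaderPrivalSeverity
    timestamp: str
    hostname: str          # syslogHeaderHost, or the detected container hostname
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    cef_severity: int      # derived from the scan verdict (table above)
    extension: dict        # raw key -> value pairs
    labelled: dict         # csNLabel resolved, e.g. {"SHA256": "..."}


def _split_cef_header(payload, nfields=7):
    """Split the CEF header on unescaped '|'. Escapes inside header fields are
    resolved; the extension (everything after the 7th '|') is returned as-is."""
    fields, cur, i = [], [], 0
    while i < len(payload):
        if len(fields) == nfields:
            fields.append(payload[i:])
            return fields
        ch = payload[i]
        if ch == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    fields.append("".join(cur))
    return fields


def _unescape_ext(value):
    # Extension values escape '=', '\' and line breaks with a backslash.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)


def _parse_extension(ext):
    keys = list(EXT_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m[1]] = _unescape_ext(ext[m.end():end])
    return out


def parse_cef_syslog(line):
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri = int(m["pri"])
    fields = _split_cef_header(m["msg"])
    if len(fields) != 8 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF payload")
    ext = _parse_extension(fields[7])
    labelled = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    return CefEvent(pri // 8, pri % 8, m["ts"], m["host"], fields[1], fields[2],
                    fields[3], fields[4], fields[5], int(fields[6]), ext, labelled)


def header_matches_config(event, facility=16, severity=6):
    """Check the received PRI against the configured syslogHeaderPrival* values."""
    return (event.facility, event.syslog_severity) == (facility, severity)


def verdicts_for_severity(cef_severity):
    """Reverse the verdict table. Severity 0 is ambiguous (BENIGN or UNKNOWN),
    so a consumer cannot tell those two apart from the CEF severity alone."""
    return tuple(v for v, s in VERDICT_SEVERITY.items() if s == cef_severity)


if __name__ == "__main__":
    ev = parse_cef_syslog(SAMPLE)
    print(ev.hostname, ev.facility, ev.syslog_severity, ev.cef_severity)
    print(verdicts_for_severity(ev.cef_severity), ev.labelled["SHA256"])
```

Two things worth noting from the table when wiring this into a SIEM rule: the CEF severity alone does not distinguish BENIGN from UNKNOWN (both map to 0), and the syslog PRI severity is a fixed configuration value, not the verdict, so alerting must key on the CEF severity field (or the extension) rather than on the syslog priority.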
Test syslog integration
The syslog integration can be tested with the help of a commonly used syslog server such as syslog-ng. An example syslog-ng configuration file is shown below; it accepts messages on TCP or UDP and stores them in a local file.
```
@version: 3.35
source s_net {
    syslog( ip("0.0.0.0") port(514) transport("udp") );
    syslog( ip("0.0.0.0") port(514) transport("tcp") );
};
destination d_file { file("/syslog"); };
log { source(s_net); destination(d_file); };
```
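Where installing syslog-ng is not convenient for a quick lab check, the following added example (not OPSWAT code, and not a substitute for a production collector) does the same job in Python: it listens on UDP and TCP, treating each datagram or each newline-terminated TCP line as one message, and appends every message to a file. It also includes a small sender that mimics the broker's delivery (newline-terminated over TCP, a single datagram over UDP, with a timeout in milliseconds like cefSyslogTimeoutMs). The default port 514 matches cefSyslogPort; the log file path is an assumption.

```python
"""Minimal UDP + TCP syslog receiver for checking the broker's CEF feedback in a
lab: every received message is appended as one line to a file, which is what
the syslog-ng configuration above does. Added example, not OPSWAT code; the
log file path is an assumption."""
import socket
import socketserver
import threading

DEFAULT_PORT = 514                    # matches the cefSyslogPort default
LOG_PATH = "/tmp/cef-feedback.log"    # assumed path for this example
_write_lock = threading.Lock()


def store_message(raw: bytes, path: str):
    """Append one syslog message to `path`; returns the stored text or None."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    if not text:
        return None
    with _write_lock, open(path, "a", encoding="utf-8") as fh:
        fh.write(text + "\n")
    return text


class UdpHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request          # one datagram == one message
        store_message(data, self.server.log_path)


class TcpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # Non-transparent framing (RFC 6587): one message per newline-terminated line.
        for line in self.rfile:
            store_message(line, self.server.log_path)


def start_receivers(host="0.0.0.0", udp_port=DEFAULT_PORT, tcp_port=DEFAULT_PORT,
                    path=LOG_PATH):
    """Start both listeners in daemon threads and return the two server objects
    (their .server_address gives the bound port, useful when port 0 was asked for)."""
    udp = socketserver.ThreadingUDPServer((host, udp_port), UdpHandler)
    tcp = socketserver.ThreadingTCPServer((host, tcp_port), TcpHandler)
    for srv in (udp, tcp):
        srv.log_path = path
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return udp, tcp


def send_message(msg: str, host: str, port: int, protocol: str = "tcp",
                 timeout_ms: int = 10000):
    """Send one message the way the broker does: newline-terminated over TCP or
    as a single datagram over UDP (mirrors cefSyslogProtocol / cefSyslogTimeoutMs)."""
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(msg.encode("utf-8"), (host, port))
    elif protocol == "tcp":
        with socket.create_connection((host, port), timeout=timeout_ms / 1000) as s:
            s.sendall((msg + "\n").encode("utf-8"))
    else:
        raise ValueError("protocol must be tcp or udp")


def read_stored(path: str):
    """Return the stored messages, one per list entry (empty if nothing arrived yet)."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().splitlines()
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    udp, tcp = start_receivers()      # port 514 needs elevated privileges
    print("listening on", udp.server_address, tcp.server_address)
    threading.Event().wait()          # run until interrupted
```

Point cefSyslogHost at the machine running this script, set cefSyslogProtocol to match the listener you want to exercise, restart the sandbox service, submit a file, and check that a CEF line appears in the log file once the transform task reaches its final state. Note that this receiver does not terminate TLS, so it only covers the cefSyslogUseSSL=false case.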