Title
Create new category
Edit page index title
Edit category
Edit link
CEF Syslog Feedback
The broker component can be configured to send a CEF syslog summary string to any endpoint via TCP or UDP.
The CEF syslog feedback is generated and sent to the configured endpoint when the main transform task and all its subtasks are in a final processing state.
To modify the syslog feedback configuration:
Step #1 - Open /home/sandbox/sandbox/broker.cfg in a text editor
Step #2 - Add or modify the following properties (no need to overwrite default values):
Step #3 - Save the file and restart the sandbox service
Property details
Property Name | Default Value | Description |
|---|---|---|
cefSyslogEnabled | false | Main switch to enable / disable CEF syslog feedback |
cefSyslogHost | Host name or IP address of the log server | |
cefSyslogPort | 514 | Port of the log server |
cefSyslogProtocol | tcp | Connection protocol to use: tcp or udp |
cefSyslogTimeoutMs | 10 seconds | Connection timeout used for TCP sockets |
cefSyslogUseSSL | false | Switch to enable / disable SSL verification for TCP sockets |
syslogHeaderPrivalFacility | 16 | Facility value used in the syslog header |
syslogHeaderPrivalSeverity | 6 | Severity value used in the syslog header |
syslogHeaderHost | The hostname value is used in the syslog header. If not configured, the application will try to detect and use the local hostname. |
Since the broker is running in a dockerized environment, the detected hostname might not be useful, therefore it is possible to set a user defined hostname which will be used in the syslog header.
Syslog Message Format in Sandbox
Sandbox uses the standardized Syslog message format, following Syslog Protocol Version 1.
Base Format
Date Host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
This format complies with the Common Event Format (CEF) standard, ensuring compatibility and reliable parsing by SIEM tools and other log management systems.
References to Syslog Standards
For a deeper understanding of the Syslog message format and transport methods, refer to the following RFCs:
Syslog Protocol (RFC 5424) – Defines the overall message structure 📄 RFC 5424 - Syslog Protocol
Syslog over TLS (RFC 5425) – For secure transmission over TLS 📄 RFC 5425 - Syslog over TLS
Syslog over UDP (RFC 5426) – For lightweight, best-effort delivery 📄 RFC 5426 - Syslog over UDP
Example CEF syslog message:
Scan verdict and CEF severity mapping
Scan verdict | CEF severity |
|---|---|
BENIGN | 0 |
NO_THREAT | 1 |
SUSPICIOUS | 3 |
LIKELY_MALICIOUS | 6 |
MALICIOUS | 9 |
UNKNOWN | 0 |
Test syslog integration
The syslog integration can be tested with the help of a commonly used syslog server like syslog-ng. You can find an example syslog-ng configuration file below, accepting messages on tcp or udp and storing them to a local file.
See the "Technical Datasheet" for a complete list of features: https://docs.opswat.com/filescan/datasheet/technical-datasheet