CEF Syslog Feedback

The broker component can be configured to send a CEF syslog summary string to any endpoint via TCP or UDP.

The CEF syslog feedback is generated and sent to the configured endpoint when the main transform task and all its subtasks are in a final processing state.

To modify the syslog feedback configuration:

Step #1 - Open /home/sandbox/sandbox/broker.cfg in a text editor

Step #2 - Add or modify the following properties (no need to overwrite default values):

############################## # CEF Syslog Feedback settings ############################## cefSyslogEnabled=false cefSyslogHost= cefSyslogPort=514 cefSyslogProtocol=tcp cefSyslogTimeoutMs=10000 cefSyslogUseSSL=false # Syslog header config syslogHeaderPrivalFacility=16 syslogHeaderPrivalSeverity=6 syslogHeaderHost=

Step #3 - Save the file and restart the sandbox service

Property details

Property Name

Default Value

Description

cefSyslogEnabled

false

Main switch to enable / disable CEF syslog feedback

cefSyslogHost


Host name or IP address of the log server

cefSyslogPort

514

Port of the log server

cefSyslogProtocol

tcp

Connection protocol to use: tcp or udp

cefSyslogTimeoutMs

10 seconds

Connection timeout used for TCP sockets

cefSyslogUseSSL

false

Switch to enable / disable SSL verification for TCP sockets

syslogHeaderPrivalFacility

16

Facility value used in the syslog header

syslogHeaderPrivalSeverity

6

Severity value used in the syslog header

syslogHeaderHost


The hostname value is used in the syslog header. If not configured, the application will try to detect and use the local hostname.

syslogHeaderHost

Since the broker is running in a dockerized environment, the detected hostname might not be useful, therefore it is possible to set a user defined hostname which will be used in the syslog header.

Syslog Message Format in Sandbox

Sandbox uses the standardized Syslog message format, following Syslog Protocol Version 1.

Base Format

Date Host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]

This format complies with the Common Event Format (CEF) standard, ensuring compatibility and reliable parsing by SIEM tools and other log management systems.

References to Syslog Standards

For a deeper understanding of the Syslog message format and transport methods, refer to the following RFCs:

Example CEF syslog message:

<134>1 2024-09-05T08:04:24.410Z hostname - - - - CEF:0|OPSWAT Inc.|broker|1.1.0-53dd79f|transform-file|OPSWAT Sandbox scan result|6|cs1Label=Task ID cs1=6c77d761-6958-4e2a-aa7c-88de393c4cf1 cs2Label=SHA256 cs2=6c297c89d32d7fb5c6d10b1da2612c9557a5126715c4a78690d5d8067488f5f2 cs3Label=Media Type cs3=application/x-ms-installer cs4Label=Date cs4=2024-09-05 10:17+0200249 cs5Label=All Tags cs5=expand,fingerprint,lolbin,msi cs6Label=All Signal Group IDs cs6=H061,S007,R007,H071,PE000,SIGG038,I001

Scan verdict and CEF severity mapping

Scan verdict

CEF severity

BENIGN

0

NO_THREAT

1

SUSPICIOUS

3

LIKELY_MALICIOUS

6

MALICIOUS

9

UNKNOWN

0

Test syslog integration

The syslog integration can be tested with the help of a commonly used syslog server like syslog-ng. You can find an example syslog-ng configuration file below, accepting messages on tcp or udp and storing them to a local file.

@version: 3.35 source s_net { syslog( ip("0.0.0.0") port(514) transport("udp") ); syslog( ip("0.0.0.0") port(514) transport("tcp") ); }; destination d_file { file("/syslog"); }; log {source(s_net); destination(d_file); };