How to Configure and Use Syslog and Serilog Sinks?
Syslog Configuration
Recommended Tools:
- Visual Syslog Server (recommended)
- Syslog Watcher Manager (Note: Has a limit of 5000 messages/hour)
Configuration Steps:
Currently, we support Syslog over UDP with the RFC5424 output format for external logger configuration.
To visualize MetaDefender Storage Security audit logs centrally, integrate a Syslog (UDP) server using these details:
- Server address: IPv4, IPv6, and Host Name formats supported.
- Port: The port on which the Syslog server listens.
- Syslog Facility: The facility value that matches your configuration needs.
- Output format: RFC5424.
You can add up to 5 external logger configurations of each type.
Syslog Message Format
RFC5424 message format is supported:
<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
- PRI: Priority value (facility × 8 + severity)
- VERSION: Syslog protocol specification version
- TIMESTAMP: Timestamp in the RFC5424 (RFC 3339-based) format
- HOSTNAME: Sending machine
- APP-NAME: Application or device originating message
- PROCID: Process name or ID
- MSGID: Message type
- STRUCTURED-DATA: Parsable data format
- MSG: Informative free-form message
Example Syslog Message
<110>1 2024-03-26T12:27:58.276724+02:00 LP10-D8569 MetaDefenderStorageSecurity 36800 - [meta UserName="jdavis" UserId="e69e8c2d-4dcc-4489-8f40-0df84199de52" EventTimestamp="03/26/2024 10:27:58" Category="3" LogType="600"] John Davis (jdavis) logged in.
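To show how the field list and the example message above fit together, here is an added parser for the RFC5424 layout (example code, not part of this page or of the MetaDefender product): it splits PRI into facility and severity, extracts the [meta ...] structured-data parameters and the free-form MSG, and filters events by parameter value the way a SIEM rule would select login events. Only the first sample line is the message from this page; the other lines, the LogType "999" value and the Note parameter are constructed for the example and are not documented codes.

```python
# Parse RFC 5424 syslog lines, including the [meta ...] element that
# MetaDefender Storage Security audit events carry (added example, not product code).
import re
from dataclasses import dataclass

# Facility and severity names from RFC 5424 section 6.2.1.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  12: "ntp", 13: "audit", 14: "alert", 15: "clock",
                  **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY_NAMES = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                  4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA and MSG.
HEADER_RE = re.compile(r"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.DOTALL)
# One SD-ELEMENT: [SD-ID PARAM="value" ...]; a value may escape ", ] and \ with a backslash.
SD_ELEMENT_RE = re.compile(r'\[([^\s\]=]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')


@dataclass
class SyslogEvent:
    pri: int
    version: int
    timestamp: str
    hostname: str
    app_name: str
    proc_id: str
    msg_id: str
    structured_data: dict
    message: str

    @property
    def facility(self) -> int:
        return self.pri // 8  # PRI = facility * 8 + severity

    @property
    def severity(self) -> int:
        return self.pri % 8

    def describe(self) -> str:
        return f"{FACILITY_NAMES[self.facility]}/{SEVERITY_NAMES[self.severity]}"


def _unescape(value: str) -> str:
    return re.sub(r'\\(["\]\\])', r"\1", value)  # RFC 5424 6.3.3: only ", ] and \ are escaped


def _parse_structured_data(rest: str):
    """Split the text after MSGID into ({sd_id: {param: value}}, message)."""
    if rest == "-" or rest.startswith("- "):
        return {}, rest[2:]  # NILVALUE: no structured data
    elements, pos = {}, 0
    while pos < len(rest) and rest[pos] == "[":
        m = SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError(f"malformed STRUCTURED-DATA at offset {pos}")
        elements[m.group(1)] = {k: _unescape(v) for k, v in SD_PARAM_RE.findall(m.group(2))}
        pos = m.end()
    if not elements:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [..] elements")
    msg = rest[pos:]
    return elements, msg[1:] if msg.startswith(" ") else msg


def parse_rfc5424(line: str) -> SyslogEvent:
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23 and severity 0..7 give at most 23*8+7
        raise ValueError(f"PRI {pri} out of range")
    sd, msg = _parse_structured_data(m.group(8))
    return SyslogEvent(pri, int(m.group(2)), m.group(3), m.group(4),
                       m.group(5), m.group(6), m.group(7), sd, msg)


def select_audit_events(lines, sd_id="meta", **wanted):
    """Keep events whose SD element `sd_id` carries every wanted PARAM=value pair,
    e.g. select_audit_events(lines, LogType="600"); lines that fail to parse are skipped."""
    hits = []
    for line in lines:
        try:
            ev = parse_rfc5424(line)
        except ValueError:
            continue
        params = ev.structured_data.get(sd_id)
        if params is not None and all(params.get(k) == v for k, v in wanted.items()):
            hits.append(ev)
    return hits


# Sample input: the message from the page, then constructed lines (LogType "999"
# and the Note parameter are made up for this example, not documented codes).
SAMPLE_LINES = [
    '<110>1 2024-03-26T12:27:58.276724+02:00 LP10-D8569 MetaDefenderStorageSecurity 36800 - '
    '[meta UserName="jdavis" UserId="e69e8c2d-4dcc-4489-8f40-0df84199de52" '
    'EventTimestamp="03/26/2024 10:27:58" Category="3" LogType="600"] John Davis (jdavis) logged in.',
    '<110>1 2024-03-26T12:30:01.000000+02:00 LP10-D8569 MetaDefenderStorageSecurity 36800 - '
    '[meta UserName="jdavis" LogType="999" Note="say \\"hi\\" [x\\]"] Constructed sample event.',
    '<13>1 2024-03-26T10:31:00Z testhost testapp - - - Plain message without structured data (constructed).',
    'not a syslog line',
]
```

Running parse_rfc5424 on the page's message decodes PRI 110 as facility 13 (log audit) and severity 6 (Informational), which is what the audit event carries; select_audit_events(SAMPLE_LINES, LogType="600") returns only that login event, and lines that are not valid RFC5424 are skipped rather than crashing the collector.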
Serilog Sinks
What is Serilog?
Serilog is a structured logging library for .NET applications, which allows logging to various destinations called sinks, including Syslog, files, HTTP endpoints, and console.
Commonly Used Serilog Sinks and Configurations:
- Serilog.Sinks.Syslog
Logs events to remote syslog servers via UDP or TCP, supporting RFC3164 and RFC5424 formats.
"WriteTo": [
  {
    "Name": "TcpSyslog",
    "Args": {
      "host": "<ip_host>",
      "port": 514,
      "appName": "<your_app_name>",
      "format": "RFC5424",
      "facility": "<facility_name>",
      "outputTemplate": "[{Timestamp:u}] [{Level}] {SourceContext}: {Message:lj}{NewLine}{Exception}"
    }
  }
]
- Serilog.Sinks.Http
Sends log events via HTTP/S to remote endpoints.
"WriteTo": [
  {
    "Name": "Http",
    "Args": {
      "requestUri": "<your_request_uri>",
      "queueLimitBytes": null
    }
  }
]
- Serilog.Sinks.Console
Writes log events to the console.
"WriteTo": [
  {
    "Name": "Console",
    "Args": {
      "outputTemplate": "[{Timestamp:u}] [{Level}] {Namespace}: {Message:lj}{NewLine}{Exception}"
    }
  }
]
- Serilog.Sinks.File
Writes logs to a file.
"WriteTo": [
  {
    "Name": "File",
    "Args": {
      "buffered": false,
      "fileSizeLimitBytes": 500000000,
      "outputTemplate": "[{Timestamp:u}] [{Level}] {Namespace}: {Message:lj}{NewLine}{Exception}",
      "path": "logs/log.txt",
      "retainedFileCountLimit": "10",
      "rollingInterval": "Day",
      "rollOnFileSizeLimit": true
    }
  }
]
Testing & Validation:
Use tools like Visual Syslog Server or test HTTP endpoints to validate your logging configurations and ensure logs are captured correctly.
If further assistance is required, please log a support case or chat with one of our support engineers.