Integrate third-party Syslog tools

System logs (Syslogs) are the alerts Xshield generates for events such as unsafe perimeter traffic and anomalies, and for changes in the reachability and usability states of assets and appliances. For assets managed from an Xshield instance, the Xshield agents installed on those assets record the event logs and send them to the Xshield instance in real time.

If you want to monitor and remediate the alerts and Audit logs generated by an Xshield instance using a third-party Security Information and Event Management (SIEM) tool, you can integrate the instance with a tool such as Splunk, Sumo Logic, or Kiwi Syslog Server. This is not an exhaustive list; the integration should also work with similar SIEM/Syslog tools that accept RFC 5424 messages.

We recommend that you understand the types of Xshield alerts, the alert categories, the severity levels, and the default settings for the alerts before you plan the integration with a third-party Syslog tool. See Alerts reported on Xshield for more details.


Before you integrate

Here are some things you must know before you integrate a third-party Syslog tool with the instance.

  • You can integrate an Xshield instance with only one third-party Syslog tool.

  • Only the logs for the Xshield alerts you have enabled in the Xshield UI are forwarded to the third-party tool. Enable alerts for every event you want to monitor on the third-party tool. See Enable alerts for more details.

  • Logs are forwarded to the third-party tool only after a successful connectivity check against the third-party setup's IP address or domain name.

  • Only logs generated after the successful integration are forwarded; logs/alerts generated before the integration are not forwarded.

  • You can choose to forward alerts, audit logs, or both. See Audit logs in Xshield for more details about Xshield audit logs. See Integrate a third-party Syslog tool for more details about how to forward alerts and/or audit logs.

  • Logs are forwarded in the RFC 5424 format. See Alerts reported on Xshield for the Priority (PRI) values, which encode the facility and severity, used for the different types of logs/alerts forwarded from Xshield.

  • Each log identifies the Xshield instance from which it was forwarded.

  • For integration with a cloud-based Syslog tool, you can use the SD-ID/token that uniquely identifies the collector and source (or their equivalent) on that tool.

  • We strongly recommend TLS on port 6514 (the IANA-registered port for Syslog over TLS, RFC 5425) for the integration. Over UDP or plain TCP, alert and audit data, including the hostnames and IP addresses of your assets, crosses the network in clear text and can be spoofed or tampered with in transit.
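The RFC 5424 framing is what the parsing rule on the SIEM side has to match. The following is an added example, not Xshield's code; the sample lines are constructed, and their PRI values, SD-IDs and field names are placeholders rather than Xshield's documented output (those are listed under Alerts reported on Xshield). It decodes PRI into facility and severity, splits the header, and extracts structured-data elements by SD-ID, including a token element in the `<token>@41123` shape that Sumo Logic documents for its cloud syslog source (an assumption to confirm against your tool's documentation):

```python
"""Parse RFC 5424 syslog lines the way a SIEM ingest rule would.

Added example, not Xshield's code. Sample lines below are constructed; PRI
values, SD-IDs and parameter names are placeholders. The token element shape
<token>@41123 follows Sumo Logic's cloud syslog convention (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Facility and severity names from RFC 5424, section 6.2.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# HEADER = <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                     r"(?P<proc>\S+) (?P<msgid>\S+) ")
# SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]"; a PARAM-VALUE escapes '"', '\' and ']'
# with a backslash (an unescaped ']' inside a value is tolerated here, leniently).
_SD_ELEMENT = re.compile(r'\[(?P<id>[^ =\]"]+)(?P<params>(?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'(?P<name>[^ =\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    hostname: str      # the Xshield instance name, per the page
    app_name: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]   # SD-ID -> {param-name: value}
    msg: str


def decode_pri(pri: int) -> Tuple[str, str]:
    """PRI = facility * 8 + severity; the valid range is 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def _unescape(value: str) -> str:
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_rfc5424(line: str) -> SyslogMessage:
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 version-1 header")
    facility, severity = decode_pri(int(m.group("pri")))
    rest = line[m.end():]
    sd: Dict[str, Dict[str, str]] = {}
    if rest.startswith("-"):            # NILVALUE: no structured data
        rest = rest[1:]
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            em = _SD_ELEMENT.match(rest, pos)
            if em is None:
                raise ValueError(f"malformed SD-ELEMENT at offset {pos}")
            sd[em.group("id")] = {pm.group("name"): _unescape(pm.group("value"))
                                  for pm in _SD_PARAM.finditer(em.group("params"))}
            pos = em.end()
        if pos == 0:
            raise ValueError("expected '-' or an SD-ELEMENT after MSGID")
        rest = rest[pos:]
    msg = rest[1:] if rest.startswith(" ") else ""   # MSG is optional
    return SyslogMessage(facility, severity, m.group("ts"), m.group("host"),
                         m.group("app"), m.group("proc"), m.group("msgid"), sd, msg)


def has_token(message: SyslogMessage, token: str, enterprise: str = "41123") -> bool:
    """True if the collector token is present as an SD-ID of the form <token>@<enterprise>."""
    return f"{token}@{enterprise}" in message.structured_data


def count_by_severity(lines) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in lines:
        sev = parse_rfc5424(line).severity
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed sample lines (not Xshield output): local0.crit, local0.warning, auth.notice.
SAMPLE_LINES = [
    '<130>1 2024-05-06T10:15:32.000Z xshield-demo xshield - INBOUND_SCAN '
    '[exampleToken@41123][alert@41123 id="A-1001" severity="Critical" dst="10.0.4.17" '
    'ports="1-1024" scan="Lateral"] Inbound Scan on db-01: 5 requests to blocked ports',
    '<132>1 2024-05-06T10:17:05.000Z xshield-demo xshield - UNSAFE_INTERNET '
    '[exampleToken@41123][alert@41123 id="A-1002" severity="Medium" direction="outbound" '
    'threat="high" note="proc=\\"sshd\\" tag=[1\\]"] Unsafe Internet Communication',
    '<37>1 2024-05-06T10:18:00Z xshield-demo xshield - AUDIT - user admin enabled alert '
    '"Unsafe Internet Communication"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        parsed = parse_rfc5424(sample)
        print(parsed.facility, parsed.severity, parsed.msgid, parsed.structured_data)
    print(count_by_severity(SAMPLE_LINES))
```

A rule that keys on the SD-ID (the token element) rather than on free text in MSG survives wording changes in the alert body, and checking the token on ingest is how the collector rejects messages that did not come from your instance.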


Set up collector and source or its equivalent

To integrate a third-party Syslog tool with Xshield, you will need the URL to the collector/source on the tool, the token that uniquely identifies this integration, and the port used to forward the logs. 

Refer to the third-party tool's documentation to set up the source to collect logs from Xshield. 

The image on the right shows the details necessary to integrate Sumo Logic with Xshield.


Integrate a third-party Syslog tool

Keep the IP address or domain name of the third-party tool, its SD-ID/token, and the protocol/port combination handy; you will need them during the integration.

  1. Go to Settings > Configure > Syslog integration.

  2. Click Set up now.

  3. In the Syslog server text box, add the IP address or hostname of the third-party setup.

    If you are using Sumo Logic, add the host of the source.

  4. From the Protocol and Port list boxes, select the protocol and port used to forward the logs.

    This must match the protocol and port configured for the source (or its equivalent) on the third-party tool.

    If you are using Sumo Logic, select TLS and 6514.

  5. In the SD-ID text box, add the token of the source or its equivalent.

  6. Select Network Alerts, Audit Logs, or both, depending on which logs you want to forward.

  7. Click Test connection. If Xshield can successfully connect with the third-party Syslog setup, you can proceed.

    Otherwise, one or more of the IP address/domain name, the SD-ID, or the protocol/port combination is incorrect. Correct these details before proceeding.

  8. Click Update.

  9. Toggle the Enable switch located at the top-right corner.

    Xshield starts forwarding the alerts/logs to the third-party Syslog setup in a few seconds.
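Before you click Test connection, you can reproduce the same check from a host that can reach the collector, which separates a wrong address or blocked port from a wrong token. The script below is an added example, not Xshield's code: it resolves the server name, connects over the selected protocol (TLS with certificate and hostname verification on port 6514 in the recommended case), and sends one RFC 5424 message carrying the token as an SD-ID. It assumes newline framing of TCP/TLS messages (RFC 6587 non-transparent framing) and the `<token>@41123` element shape; both are assumptions to verify against the tool's documentation. The localhost listener exists only so the script can be exercised offline.

```python
"""Pre-flight check of a Syslog target before clicking Test connection.

Added example, not Xshield's code. Assumptions (verify against your tool's
documentation): newline framing for TCP/TLS, and a token element of the form
<token>@41123 (Sumo Logic's cloud syslog convention).
"""
import socket
import ssl
import threading
from datetime import datetime, timezone

PROTOCOLS = ("udp", "tcp", "tls")


def build_test_message(token, instance, enterprise="41123"):
    """One RFC 5424 line at local0.info (PRI 134); HOSTNAME carries the instance name."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    line = f"<134>1 {ts} {instance} xshield - CONNTEST [{token}@{enterprise}] connectivity test"
    return line.encode("utf-8") + b"\n"


def check_syslog_target(server, port, protocol, token, instance="xshield-demo",
                        timeout=5.0, cafile=None):
    """Return a result dict; network failures land in result['error'] instead of raising."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    result = {"server": server, "port": port, "protocol": protocol, "ok": False}
    socktype = socket.SOCK_DGRAM if protocol == "udp" else socket.SOCK_STREAM
    try:
        family, _, _, _, sockaddr = socket.getaddrinfo(server, port, type=socktype)[0]
    except socket.gaierror as exc:
        result["error"] = f"DNS: {exc}"
        return result
    result["resolved"] = sockaddr[0]
    payload = build_test_message(token, instance)
    try:
        if protocol == "udp":
            with socket.socket(family, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                sock.sendto(payload, sockaddr)
            result["note"] = "UDP is connectionless: nothing here confirms delivery"
        else:
            sock = socket.create_connection(sockaddr[:2], timeout=timeout)
            if protocol == "tls":
                # The default context verifies the chain and the hostname (RFC 5425 transport).
                ctx = ssl.create_default_context(cafile=cafile)
                sock = ctx.wrap_socket(sock, server_hostname=server)
                result["tls_version"] = sock.version()
            with sock:
                sock.sendall(payload)
        result["ok"] = True
    except OSError as exc:          # ssl.SSLError is a subclass of OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def start_local_listener():
    """Throwaway localhost TCP receiver so the check can run offline.
    Returns (port, received, done); `received` gets one newline-framed message."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    received, done = [], threading.Event()

    def run():
        try:
            srv.settimeout(10)
            conn, _ = srv.accept()
            with conn:
                buf = b""
                while not buf.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                received.append(buf)
        finally:
            srv.close()
            done.set()

    threading.Thread(target=run, daemon=True).start()
    return port, received, done


def run_offline_demo(token="exampleToken"):
    """Send one test message to the local listener; returns (result, received_line)."""
    port, received, done = start_local_listener()
    result = check_syslog_target("127.0.0.1", port, "tcp", token)
    done.wait(10)
    return result, (received[0] if received else b"")


def closed_local_port():
    """Pick a port nothing listens on, to show what a refused connection looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print(run_offline_demo())
    print(check_syslog_target("127.0.0.1", closed_local_port(), "tcp", "exampleToken"))
    # Against a real collector: check_syslog_target("collector.example.net", 6514, "tls", TOKEN)
```

A DNS error, a refused or timed-out connection, and a TLS verification failure show up as distinct `error` strings, which is more than the UI's single pass/fail gives you; a successful send with a wrong token still returns `ok`, because only the collector can judge the token, so check for the message on the tool's side as well.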


Interpret alerts and Audit logs on third-party tools

Inspect the alerts and Audit logs on the third-party tool to see the details of the violations and of the state changes of assets and appliances. The descriptions and images in this section assume that you are using Sumo Logic as the third-party Syslog tool. Although the details sent with the logs do not differ by tool, we recommend consulting the third-party tool's documentation for how it displays and interprets the logs.

Details to observe for each alert/event log as seen on Sumo Logic:

Inbound Scan (Critical)

  • Hostname and IP address of the destination asset and the range and number of ports on which the scan was detected

  • Alert ID for the alert

  • Start and end time of the window in which the scan was detected (five or more inbound connection requests on blocked ports) and the type of scan (Public or Lateral)

Unsafe Internet Communication (Medium)

  • Source and destination assets'/entities' tags (Environment and App), IP addresses, hostnames, and asset type (discovered or managed)

  • Protocol, port, and process used and the direction of traffic (inbound or outbound)

  • Type of threat the Internet entity poses, geographical location of the entity, and level of threat (high, medium, or low)

Unauthorized access to DB servers (Info)

  • Source and destination assets' tags (Environment and App), IP addresses, hostnames, and asset type (discovered or managed)

  • Protocol, port, and process used and the direction of traffic (inbound or outbound)


Disable third-party Syslog tool integration

You can disable the integration with the third-party Syslog tool when you want to temporarily or permanently stop forwarding the logs to the third-party tool.

  • To disable the integration, toggle the Enable switch (it turns grey), located at the top-right corner of the Settings > Configure > Syslog integration page.

The details of the third-party Syslog setup are no longer displayed.
