Syslogs
ESET Cloud Office Security can export logged events listed in Detections and send them to your syslog server. You can export events for Exchange Online/Gmail, OneDrive/Google Drive, Team groups and SharePoint Online. Set up multiple syslog exports if required; for example, you can have one syslog for each tenant or any combination of tenants and events. You can activate/deactivate existing syslog exports by editing them.
To add or modify a syslog export, follow these steps:
1.Click New Syslog to open a template and set custom settings.
2.Type a Name and enable the status toggle.
3.Select tenants by clicking Select and checking the desired tenants.
4.Select one of the following formats for event messages:
•CEF (Common Event Format)
•LEEF (Log Event Extended Format) - the format used by IBM QRadar.
•JSON (JavaScript Object Notation)
•ECS (Elastic Common Schema) - v8.17 format
IP/Hostname
Enter the IP address or hostname of your syslog server and its connection details.
Port
The pre-defined port for the syslog server connection is 6514. If your syslog server listens on a different port, you can change the port number to any value in the range 6400-6600.
•Transport protocol: TLS (requires a valid server SSL/TLS certificate issued by a trusted Certificate Authority)
•Default TCP port: 6514
Because of the security requirements for the syslog connection, the receiving syslog server must also meet the following:
•IP address: Globally routable IPv4 address
•IDN names: Must use ASCII representation ("xn--")
•FQDN: Must translate to a single fixed IPv4 address
Terminate the log with newline character
Enable this option to add a newline character (\n) at the end of each syslog message so that a line-oriented receiver such as Logstash can separate messages when the TCP connection is kept open. Otherwise, consecutive messages sent over the same connection are written as a single line.
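The following is an added example, not code from ESET or from this page: a receiver-side framer that cuts a kept-open TCP stream into messages at the newline the option above appends, and a parser for the CEF format selected in step 4. The sample message is constructed and uses generic CEF fields; it is not ESET's actual detection schema, and the field names in it are assumptions for illustration only.

```python
"""Receiver-side framing and CEF parsing (added example, not ESET's code).

LineFramer shows why newline termination matters on a kept-open connection;
parse_cef splits a CEF message into its seven header fields plus the
extension map, honouring CEF's backslash escaping of '|' and '='. The
sample message at the bottom is constructed, not ESET's schema."""
import re
from typing import Dict, List


class LineFramer:
    """Reassemble newline-terminated messages from bytes that arrive in
    arbitrary chunks. Without the trailing '\\n', two messages sent on the
    same connection are indistinguishable from one long line."""

    def __init__(self) -> None:
        self._buf = b""

    def feed(self, chunk: bytes) -> List[str]:
        # Return every complete message; a trailing partial message stays
        # buffered until its newline arrives.
        self._buf += chunk
        *complete, self._buf = self._buf.split(b"\n")
        return [m.rstrip(b"\r").decode("utf-8", "replace") for m in complete]

    def pending(self) -> bytes:
        return self._buf


_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # ' key=' boundaries
_ESCAPES = {"n": "\n", "r": "\r"}


def _split_header(message: str, n: int) -> List[str]:
    # Split on the first n unescaped '|', unescaping '\|' and '\\' in the
    # header fields; the untouched remainder is the extension.
    fields, cur, i = [], [], 0
    while i < len(message) and len(fields) < n:
        c = message[i]
        if c == "\\" and i + 1 < len(message):
            cur.append(message[i + 1])
            i += 2
        elif c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(c)
            i += 1
    fields.append("".join(cur) + message[i:])
    return fields


def _unescape_value(value: str) -> str:
    # Extension values escape '=', '\', CR and LF with a backslash.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def parse_cef(message: str) -> Dict[str, object]:
    """Parse one CEF message (syslog PRI/timestamp prefix already removed)."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    parts = _split_header(message, 7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    version, vendor, product, product_version, sig_id, name, severity, ext = parts
    keys = list(_EXT_KEY.finditer(ext))
    extension: Dict[str, str] = {}
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[k.group(1)] = _unescape_value(ext[k.end():end].strip())
    return {
        "cef_version": int(version[4:]),
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity),
        "extension": extension,
    }


# Constructed sample; vendor, product and field names are illustrative only.
SAMPLE_CEF = (
    "CEF:0|ExampleVendor|Cloud Mail Security|1.0|100|Malware\\|PUA detected|8|"
    "rt=Jan 05 2024 10:15:00 suser=alice@example.com fname=invoice\\=final.pdf "
    "act=blocked msg=Object quarantined\\nsee console"
)

if __name__ == "__main__":
    framer = LineFramer()
    for msg in framer.feed((SAMPLE_CEF + "\n").encode() * 2):
        print(parse_cef(msg)["extension"]["fname"])
    print("unterminated bytes left in buffer:", len(LineFramer().feed(SAMPLE_CEF.encode() * 2)))
```

Feed the bytes read from the accepted TLS socket into `LineFramer.feed` and hand each returned string to `parse_cef`; the last `print` shows that two unterminated messages on one connection never come out of the framer as separate records.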
Log detections
Select the log events you want to export to your syslog server.
Optional fields for scan logs
Select the fields you want to include in the syslog messages.
Send audit logs
Audit logs are sent together with the scan logs. You can also use Send test log to verify that the export reaches your syslog server.
Use a custom certificate
Enable this option to validate the certificate that your syslog server presents on the connection from ESET Cloud Office Security. After you enable validation, a new text field appears in which you copy and paste the required certificate chain. The server certificate must meet the following requirements:
•The whole certificate chain in PEM format is uploaded and saved in the Syslog export configuration (this includes root CA, as there are no built-in trusted certificates)
•Your Syslog server's certificate carries a Subject Alternative Name (SAN) extension (DNS=/IP=) with at least one entry that matches the fully qualified domain name (FQDN) or IP address configured in the IP/Hostname field.
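The following is an added example, not code from ESET or from this page: a pre-flight script that checks a planned export target against the receiver requirements listed under IP/Hostname, Port and Use a custom certificate (port range, ASCII/punycode hostname, exactly one globally routable IPv4 address, a SAN entry matching the configured name, and a complete PEM chain). It uses only the Python standard library; DNS is replaced by a constructed lookup table and the certificate chain by placeholder PEM blocks so it runs offline, and the hostnames, addresses and SAN entries in it are assumptions, not real infrastructure.

```python
"""Pre-flight checks for the receiving syslog server (added example, not
ESET's code). DNS and the certificate are constructed stand-ins."""
import base64
import ipaddress
import re
from typing import Callable, Iterable, List, Tuple

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _as_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def check_port(port: int) -> List[str]:
    # 6514 is the default; the export only accepts 6400-6600.
    return [] if 6400 <= port <= 6600 else [f"port {port} is outside 6400-6600"]


def to_ascii_host(host: str) -> str:
    # IDN labels must be entered in "xn--" form; the idna codec converts them
    # and leaves names that are already ASCII untouched.
    return host.encode("idna").decode("ascii").lower().rstrip(".")


def check_target(target: str, resolve: Callable[[str], List[str]]) -> List[str]:
    """IP/Hostname must be a globally routable IPv4 address, or an FQDN that
    resolves to exactly one such address."""
    problems: List[str] = []
    ip = _as_ip(target)
    if ip is not None:
        addrs = [ip]
    else:
        try:
            host = to_ascii_host(target)
        except UnicodeError as exc:
            return [f"{target!r} is not a valid IDN hostname: {exc}"]
        addrs = [_as_ip(a) for a in resolve(host)]
        if len(addrs) != 1:
            problems.append(f"{host} resolves to {len(addrs)} addresses; "
                            "a single fixed IPv4 address is required")
    for a in addrs:
        if a is None or a.version != 4:
            problems.append(f"{a} is not an IPv4 address")
        elif not a.is_global:
            problems.append(f"{a} is not globally routable")
    return problems


def san_matches(san: Iterable[Tuple[str, str]], target: str) -> bool:
    """Match the configured name against subjectAltName (type, value) pairs
    the way a TLS client does: IP entries literally, DNS entries
    case-insensitively with one leftmost wildcard label allowed."""
    ip = _as_ip(target)
    if ip is not None:
        return any(t.upper().startswith("IP") and _as_ip(v) == ip for t, v in san)
    host = to_ascii_host(target)
    for t, v in san:
        if t.upper() != "DNS":
            continue
        v = v.lower().rstrip(".")
        if v == host:
            return True
        if v.startswith("*.") and "." in host and host.split(".", 1)[1] == v[2:]:
            return True
    return False


def check_chain(pem: str) -> List[str]:
    # ESET has no built-in trust store, so the pasted text must hold the whole
    # chain (leaf, intermediates, root): at least two well-formed PEM blocks.
    # Whether the last block really is a self-signed root needs an X.509
    # parser (e.g. `openssl x509 -noout -subject -issuer`).
    blocks = _PEM_BLOCK.findall(pem)
    problems = [] if len(blocks) >= 2 else [
        f"chain has {len(blocks)} certificate(s); leaf plus CA chain up to the root is required"]
    for i, body in enumerate(blocks):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {i} is not valid base64")
    return problems


def preflight(target: str, port: int, san, pem: str, resolve) -> List[str]:
    problems = check_port(port) + check_target(target, resolve) + check_chain(pem)
    if not san_matches(san, target):
        problems.append(f"no SAN entry in the server certificate matches {target}")
    return problems


def _fake_pem(payload: bytes) -> str:
    # Constructed placeholder: valid PEM framing, not a real certificate.
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


SAMPLE_CHAIN = _fake_pem(b"placeholder leaf") + _fake_pem(b"placeholder root")
SAMPLE_SAN = [("DNS", "syslog.example.net"), ("IP Address", "93.184.216.34")]


def fake_resolve(host: str) -> List[str]:
    # Constructed stand-in for DNS; use socket.getaddrinfo in real use.
    return {"syslog.example.net": ["93.184.216.34"],
            "xn--mnchen-3ya.example": ["93.184.216.34", "93.184.216.35"]}.get(host, [])


if __name__ == "__main__":
    for target in ("syslog.example.net", "münchen.example", "10.0.0.5"):
        print(target, preflight(target, 6514, SAMPLE_SAN, SAMPLE_CHAIN, fake_resolve) or "OK")
```

Replace `fake_resolve` with a `socket.getaddrinfo` lookup and build the SAN list from `openssl x509 -noout -ext subjectAltName` on the leaf certificate; an empty list from `preflight` means the target satisfies every requirement the page states that can be checked without an X.509 parser.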
Additional security settings
Ensure that the firewall in front of your syslog server allows inbound connections from the following IP addresses:
•Outgoing IP address from ESET Cloud Office Security in the US region: 40.83.165.184
•Outgoing IP address from ESET Cloud Office Security in the EU region: 51.144.165.221
•Outgoing IP address from ESET Cloud Office Security in the DE region: 4.184.182.90
•Outgoing IP address from ESET Cloud Office Security in the CA region: 52.228.24.113