Export logs to Syslog
ESET PROTECT On-Prem can export certain logs and events to your Syslog server. Events are generated on any managed client computer running an ESET application (for example, ESET Endpoint Security). These events can be processed by any Security Information and Event Management (SIEM) solution that can import events from a Syslog server. ESET PROTECT On-Prem sends the events to the Syslog server.
Follow the steps below to configure a Syslog server:
1.Navigate to More > Settings > Export > Add Syslog server.
You can configure up to five Syslog servers.
2.Turn on the Enable syslog settings to send events toggle to activate the Syslog server configured below.
3.In Log settings, select the log categories from which the event logs will be exported to the Syslog server:
•Detection—Configure ESET PROTECT Server to send the following detection categories to your Syslog server: Antivirus, Firewall, HIPS, Web protection (filtered websites), Blocked files and ESET Inspect.
•Audit—Configure ESET PROTECT Server to send Audit logs to your Syslog server.
•Notification—Configure ESET PROTECT Server to send Notifications to your Syslog server. Define a filter in a Notification log category to filter event logs sent to Syslog.
Notifications cannot share a Syslog export with the other event categories because the formats are not compatible: notifications are always sent as plain text, while detection and audit events use the format selected below.
Anyone with access to the Syslog server can read every exported log, and every audit log message is exported, so treat the Syslog server (and the transport to it) as a sensitive system.
4.Specify the Host—IP address or hostname for the Syslog server.
5.Type the Port number—the default value is 514.
6.Select the Version—BSD (the legacy syslog format described in RFC 3164) or Syslog (the structured format defined in RFC 5424).
7.In Format, select the event message log format:
Notifications are sent in plain text regardless of the format selected here.
•JSON (JavaScript Object Notation)
•CEF (Common Event Format)—format developed by ArcSight.
•LEEF (Log Event Extended Format)—format used by IBM's application QRadar.
8.Select the Transport protocol for sending messages to Syslog (UDP, TCP, TLS). UDP and TCP carry the events in cleartext and UDP gives no delivery guarantee, so use TLS wherever the Syslog server supports it.
9.Optionally, enable Octet-counted framing. When enabled, each Syslog message transmitted over TLS is prefixed with its length in octets (bytes), so the receiver can find message boundaries in the stream without relying on a trailing newline (octet counting as defined in RFC 5425).
10. Click Finish.
•The regular application log file is continuously updated. Syslog exports only certain asynchronous events, such as notifications or various client computer events.
•To adjust logging verbosity, click More > Settings > Advanced > Logging > Trace log verbosity.
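The steps above configure the sending side only; what the SIEM has to do with the result is easier to see in code. The following is an added example written for this page, not ESET's code or documentation: a receiver that splits an octet-counted TCP/TLS stream into messages, distinguishes the BSD (RFC 3164) and Syslog (RFC 5424) header versions, and decodes JSON, CEF and LEEF bodies, falling back to plain text for notifications. The hostnames, application name and every field name in the sample messages are constructed for illustration and do not reproduce ESET PROTECT's real payloads.

```python
"""Receiver-side handling of events exported to Syslog.

Added example for this page, not ESET's own code or documentation. The
sample messages and their field names are constructed for illustration and
do not reproduce ESET PROTECT's real JSON/CEF/LEEF payloads.
"""
import json
import re

# RFC 5424 ("Syslog" version in the dialog):
# <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP STRUCTURED-DATA [SP MSG]
RFC5424_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    rb"(?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)$", re.S)
# RFC 3164 ("BSD" version): <PRI>Mmm dd hh:mm:ss HOSTNAME [TAG[pid]: ]MSG
RFC3164_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    rb"(?:(?P<tag>[^:\s\[]+)(?:\[\d+\])?: )?(?P<msg>.*)$", re.S)


def frame(msg: bytes) -> bytes:
    """Sender side of octet-counted framing (RFC 5425 over TLS, RFC 6587 over TCP): MSG-LEN SP MSG."""
    return b"%d %s" % (len(msg), msg)


def split_octet_counted(buf: bytes) -> tuple[list[bytes], bytes]:
    """Receiver side: pull every complete message out of a byte stream.

    TCP/TLS reads are not message-aligned, so the unparsed tail is returned
    and must be prepended to the next read.
    """
    msgs = []
    while True:
        sep = buf.find(b" ")
        if sep == -1:  # length prefix not complete yet
            break
        length_field = buf[:sep]
        if not length_field.isdigit() or length_field.startswith(b"0"):
            raise ValueError("malformed octet count: %r" % length_field)
        end = sep + 1 + int(length_field)
        if len(buf) < end:  # message body not complete yet
            break
        msgs.append(buf[sep + 1:end])
        buf = buf[end:]
    return msgs, buf


def parse_header(msg: bytes) -> dict:
    """Classify the header as RFC 5424 or RFC 3164 and split PRI into facility/severity."""
    m, version = RFC5424_RE.match(msg), "rfc5424"
    if m is None:
        m, version = RFC3164_RE.match(msg), "rfc3164"
    if m is None:
        raise ValueError("unrecognised syslog header: %r" % msg[:40])
    facility, severity = divmod(int(m["pri"]), 8)
    return {"version": version, "facility": facility, "severity": severity,
            "host": m["host"].decode(), "body": m["msg"]}


def decode_body(body: bytes) -> dict:
    """Decode an event body in the format chosen in the Format step.

    Simplifications: CEF backslash escapes and the optional LEEF 2.0 delimiter
    header field are not handled; LEEF attributes are assumed tab-delimited.
    """
    text = body.decode("utf-8", "replace")
    if text.startswith("{"):
        return {"format": "JSON", "fields": json.loads(text)}
    if text.startswith("CEF:"):
        # CEF:Version|Vendor|Product|Product Version|Signature ID|Name|Severity|Extension
        parts = text.split("|", 7)
        fields = dict(zip(["cef_version", "vendor", "product", "product_version",
                           "signature_id", "name", "severity"], parts))
        fields["cef_version"] = parts[0][len("CEF:"):]
        if len(parts) == 8:  # extension: space-separated key=value pairs
            fields["extension"] = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[7]))
        return {"format": "CEF", "fields": fields}
    if text.startswith("LEEF:"):
        # LEEF:Version|Vendor|Product|Product Version|EventID|<tab-separated key=value attributes>
        parts = text.split("|", 5)
        fields = dict(zip(["leef_version", "vendor", "product", "product_version", "event_id"], parts))
        fields["leef_version"] = parts[0][len("LEEF:"):]
        if len(parts) == 6:
            fields["attributes"] = dict(kv.split("=", 1) for kv in parts[5].split("\t") if "=" in kv)
        return {"format": "LEEF", "fields": fields}
    # Notifications arrive as plain text whatever Format is selected.
    return {"format": "text", "fields": {"message": text}}


def ingest(stream: bytes) -> tuple[list[dict], bytes]:
    """Frame, parse and decode every complete message; return the events and the unparsed tail."""
    msgs, leftover = split_octet_counted(stream)
    events = []
    for raw in msgs:
        event = parse_header(raw)
        event["decoded"] = decode_body(event.pop("body"))
        events.append(event)
    return events, leftover


# Constructed sample traffic (not real ESET output): one message per body format.
SAMPLE_MESSAGES = [
    b"<134>1 2024-05-02T10:15:30.000Z eset-protect protect-server - - - "
    b'{"event_type":"Threat_Event","hostname":"WS-042","threat_name":"Eicar","action":"cleaned"}',
    b"<134>1 2024-05-02T10:16:02.000Z eset-protect protect-server - - - "
    b"CEF:0|ESET|ESET PROTECT|1.0|Threat_Event|Detection|5|src=10.0.0.5 act=blocked fname=eicar.com",
    b"<134>May  2 10:16:40 eset-protect protect-server: "
    b"LEEF:1.0|ESET|ESET PROTECT|1.0|Threat_Event|src=10.0.0.5\tact=blocked",
]
# A read that ends mid-message: the trailing 40-octet frame is incomplete and must wait for more data.
STREAM = b"".join(frame(m) for m in SAMPLE_MESSAGES) + b"40 <134>1 2024-05-02T10:17"

if __name__ == "__main__":
    for ev in ingest(STREAM)[0]:
        print(ev["version"], ev["decoded"]["format"], ev["host"], ev["severity"])
```

Feed each TCP or TLS read through `ingest` together with the previous call's leftover; without octet counting the receiver would have to fall back to newline-delimited framing, which breaks on multi-line JSON bodies.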
In More > Settings > Export, you can see and edit the list of configured Syslog servers. Click the three dots icon next to the configured Syslog server and select:
•Edit—Edit the selected Syslog server configuration.
•Delete—Remove the selected Syslog server configuration.