Syslog security restrictions and limits

Due to the security requirements for the Syslog server connection, the following settings are fixed and cannot be changed:

Transport protocol: TLS

TCP port: 6514

For the same reasons, there are additional requirements on the receiving Syslog server:

IP address: Globally routable IPv4 address

IDN names: Must use the ASCII representation ("xn--")

FQDN: Must translate to a single fixed IPv4 address.


Note

Using FQDN: If your Syslog server runs on multiple machines or IP addresses (for example, behind a CDN), there is no guarantee when and how often the FQDN is re-resolved. It is, however, guaranteed that the first FQDN resolution is completed within a 10-minute window after the server's start, as long as the Syslog export is enabled and correctly configured.

CA root certificate validation of TLS connection: When TLS verification is enabled, the following requirements must be met to verify your server certificate:

Certificate validation must be enabled

The whole certificate chain in PEM format is uploaded and saved in the Syslog export configuration (this includes the root CA, as there are no built-in trusted certificates)

Your Syslog server's certificate provides a Subject Alternative Name extension (DNS=/IP=), in which at least one record corresponds to the FQDN/IP hostname configuration.
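The destination and certificate requirements above can be checked before enabling the export. The following is an added example, not part of the original documentation or of any ESET tooling: the function name check_destination, its parameters and the sample values are assumptions. SAN entries are written in the DNS=/IP= notation used above, and matching is exact (wildcard SAN entries are not handled).

```python
import ipaddress

def check_destination(host, resolved, cert_sans):
    """Return the list of violated requirements (an empty list means compliant).

    host      -- configured Syslog destination (FQDN or IP address)
    resolved  -- addresses the FQDN resolves to (ignored when host is an IP)
    cert_sans -- SAN entries of the server certificate, e.g. ["DNS=a.example"]
    """
    problems = []
    try:
        addrs, san_kind = [ipaddress.ip_address(host)], "IP"
    except ValueError:
        # Not an IP literal, so treat the value as an FQDN.
        san_kind = "DNS"
        if not host.isascii():
            problems.append("IDN host must be given in ASCII (xn--) form")
        addrs = [ipaddress.ip_address(a) for a in resolved]
        if len(set(addrs)) != 1:
            problems.append("FQDN must resolve to a single fixed IPv4 address")
    for a in addrs:
        if a.version != 4:
            problems.append(f"{a} is not IPv4")
        elif not a.is_global:
            problems.append(f"{a} is not globally routable")
    # At least one SAN record must correspond to the configured FQDN/IP.
    wanted = (san_kind, host.lower().rstrip("."))
    sans = set()
    for entry in cert_sans:
        kind, _, value = entry.partition("=")
        sans.add((kind.strip().upper(), value.strip().lower().rstrip(".")))
    if wanted not in sans:
        problems.append(f"certificate has no {san_kind} SAN for {host}")
    return problems

if __name__ == "__main__":
    # Constructed sample values; 8.8.8.8 stands in for a globally routable address.
    ok = check_destination("syslog.example.com", ["8.8.8.8"],
                           ["DNS=syslog.example.com"])
    bad = check_destination("syslog.example.com", ["8.8.8.8", "10.0.0.5"],
                            ["DNS=other.example.com"])
    print("compliant:", ok)
    for p in bad:
        print("violation:", p)
```

The resolved addresses are passed in rather than looked up, so the check can be run against the output of several resolvers to confirm that the FQDN maps to one fixed address.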


Note

Additional security settings:

Administrators should configure their Syslog server's firewall to allow incoming Syslog Export events only from the following IP ranges:

Outgoing IP addresses from ESET PROTECT Cloud in the Europe region: 51.136.106.164/30

Outgoing IP addresses from ESET PROTECT Cloud in the USA region: 40.81.8.148/30

Outgoing IP addresses from ESET PROTECT Cloud in the Japan region: 20.78.10.184/30