“Syslog” tab

The Syslog tab allows configuring up to 4 profiles for sending logs to Syslog servers.

You can send logs to the Stormshield Visibility Center (SVC) server, Stormshield's monitoring solution, in Syslog format. Please refer to the SVC administration guide that you will find on the Stormshield Technical Documentation website.

Logs are in UTF-8 text format following the WELF standard. The WELF format is a sequence of elements, written in the form of field=value and separated by spaces. Values may be framed by double quotes.

A log corresponds to a line ending with a carriage return and line feed (CRLF).
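The format described above can be checked on the receiving Syslog server with a small parser. This is an added example, not code from the Stormshield documentation: the function names, the sample logs and their field names are constructed for illustration, and quoted values are assumed to contain no escaped double quotes.

```python
import re

# One WELF element: field=value; the value is either double-quoted or a bare
# run without spaces or quotes. Escapes inside quotes are not described on
# the page, so none are handled (assumption).
_ELEMENT = re.compile(r'([^\s="]+)=(?:"([^"]*)"|([^\s"]*))')


def split_records(buffer: bytes):
    """Split received bytes into complete CRLF-terminated logs.

    Returns (records, remainder); the remainder is a partial line to keep
    until more data arrives (relevant for TCP/TLS streams).
    """
    *records, remainder = buffer.split(b"\r\n")
    return records, remainder


def parse_welf(record: bytes) -> dict:
    """Parse one log (without its CRLF) into a field -> value dict.

    Raises ValueError for invalid UTF-8 or for any token that is not a
    well-formed field=value element, so damaged lines are rejected rather
    than half-parsed.
    """
    text = record.decode("utf-8")  # UnicodeDecodeError is a ValueError
    fields, pos = {}, 0
    while pos < len(text):
        if text[pos] == " ":
            pos += 1
            continue
        match = _ELEMENT.match(text, pos)
        # An element must be followed by a space or the end of the line.
        if match is None or text[match.end():match.end() + 1] not in ("", " "):
            raise ValueError(f"malformed WELF element at offset {pos}")
        quoted, bare = match.group(2), match.group(3)
        fields[match.group(1)] = quoted if quoted is not None else bare
        pos = match.end()
    return fields


# Constructed sample: two complete logs and one truncated tail. Field names
# and values are illustrative, not taken from the page.
SAMPLE = (
    b'id=firewall time="2024-01-01 10:00:00" pri=5 msg="Port scan" src=192.0.2.10\r\n'
    b'id=firewall time="2024-01-01 10:00:01" user="Zo\xc3\xab" action=pass\r\n'
    b'id=firewall time="2024-01-'
)
```

The truncated tail is returned as the remainder by split_records and is rejected by parse_welf if it is parsed before the rest of the line arrives.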

Table of Syslog profiles

The table that presents the profiles consists of 2 columns:

State

Double-clicking on this allows enabling or disabling the profile.

Profile

Displays the name of the Syslog profile.

Configuring a profile

Details

Name

Name assigned to the Syslog profile.

Comments

Comments can be entered in this field.

Syslog server

Select or create a host object corresponding to the Syslog server. Groups cannot be selected.

Protocol

Select the protocol used for sending logs to the server:

  • UDP (possible loss of messages - messages sent in plaintext),
  • TCP (reliable - messages sent in plaintext),
  • TLS (reliable - messages encrypted).
 
Certification authority

This field will only be active when the protocol selected is TLS.

Indicate the certification authority (CA) that signed the certificates that the firewall and server will present in order to authenticate each other.

Server certificate

This field will only be active when the protocol selected is TLS.

Select the certificate that the Syslog server will need to present in order to authenticate on the firewall.

Client certificate

This field will only be active when the protocol selected is TLS.

Select the certificate that the firewall will need to present in order to authenticate on the Syslog server.

Format

Choose the Syslog format to use:

  • LEGACY (format limited to 1024 characters for each Syslog message),
  • LEGACY-LONG (no limit on message length),
  • RFC5424 (format compliant with RFC 5424).

Advanced properties

Backup server

This field will only be active when the protocol selected is TCP or TLS.

In this case, you can specify a server to which Syslog messages will be sent if the nominal server is unavailable. 10 minutes after having switched its traffic to the backup server, the firewall will attempt to contact the nominal server again. If this attempt fails, the firewall will continue to send its traffic to the backup server while regularly retrying to contact the nominal server.

Backup port

This field will only be active when the protocol selected is TCP or TLS.

This is the listening port of the backup Syslog server.

Category (facility)

Number added to the beginning of a log line. It can be used to differentiate several firewall appliances when they send their logs to the same Syslog server.

Logs enabled

This table allows selecting the type of logs that need to be sent to the Syslog server.

Status

Makes it possible to enable the sending of the selected log file.

Name

Type of logs to be sent (Alarm, Connection, Web, Filter…).