Syslog tab

In the Syslog tab, up to four profiles can be configured to send logs to Syslog servers.

To increase the security of sent logs, Syslog servers must be configured with RGS-compliant algorithms.

Syslogs are text files in UTF-8 and follow the WELF standard. The WELF format is a sequence of elements written in the form field=value and separated by spaces. Values may be enclosed in double quotes.

A log corresponds to a line ending with a carriage return and line feed (CRLF).
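A collector-side parser for the WELF body described above, as an added example that is not part of the original documentation or of the product. It assumes the syslog header has already been stripped and that a quoted value contains no embedded double quote; the sample lines, field names and values are constructed.

```python
import re

# One element: name=value, value either "quoted" (may hold spaces) or bare.
# Assumption: a quoted value contains no embedded double quote.
_ELEMENT = re.compile(r'([^\s="]+)=(?:"([^"]*)"|([^\s"]*))')


def parse_welf_line(line):
    """Parse one WELF log line (without syslog header) into a dict."""
    line = line.rstrip("\r\n")
    fields, pos = {}, 0
    while pos < len(line):
        if line[pos] == " ":            # separator between elements
            pos += 1
            continue
        m = _ELEMENT.match(line, pos)
        # An element must end at a space or at the end of the line.
        if not m or (m.end() < len(line) and line[m.end()] != " "):
            raise ValueError(f"malformed element at offset {pos}")
        name = m.group(1)
        if name in fields:              # this example's choice: never overwrite
            raise ValueError(f"repeated field {name!r}")
        fields[name] = m.group(2) if m.group(2) is not None else m.group(3)
        pos = m.end()
    return fields


def parse_welf_stream(data):
    """Decode UTF-8 bytes and parse each CRLF-terminated line."""
    text = data.decode("utf-8")         # raises on invalid UTF-8
    return [parse_welf_line(l) for l in text.split("\r\n") if l]


# Constructed sample: two log lines, field names and values are illustrative.
SAMPLE = (
    b'id=firewall time="2024-05-02 10:15:00" src=192.0.2.10 action=block '
    b'msg="login failed action=pass user=admin"\r\n'
    b'id=firewall time="2024-05-02 10:15:03" src=192.0.2.11 action=pass msg=""\r\n'
)

if __name__ == "__main__":
    for record in parse_welf_stream(SAMPLE):
        print(record)
```

Splitting a line on spaces instead would break the quoted msg value into separate elements; parsing quotes first keeps text that merely looks like field=value inside the value it belongs to.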

Syslog profiles

Status Double-click to enable or disable the syslog profile.
Name Displays the name of the syslog profile.

Details

The configuration of the syslog profile selected in the grid on the left can be viewed or modified in this zone.

Name Name assigned to the syslog profile.
Comments Comments can be entered in this field.
Syslog server Select or create a host object corresponding to the syslog server. Groups cannot be selected.
Protocol Select the protocol used for sending logs to the server:
  • UDP (possible loss of messages - messages sent in plaintext),
  • TCP (reliable - messages sent in plaintext),
  • TLS (reliable - messages encrypted).

NOTE
TLS is recommended.

Port Port used by the syslog server.
Certification authority This field will only be active when the protocol selected is TLS.
Indicate the certification authority (CA) that signed the certificates that the firewall and server will present in order to authenticate each other.
Server certificate

This field will only be active when the protocol selected is TLS.
Select the certificate that the Syslog server will need to present in order to authenticate on the firewall.

The icon indicates certificates with a TPM-protected private key. For more information on the TPM, see the section Trusted Platform Module.

Client certificate

This field will only be active when the protocol selected is TLS.
Select the certificate that the firewall will need to present in order to authenticate on the Syslog server.

The icon indicates certificates with a TPM-protected private key. For more information on the TPM, see the section Trusted Platform Module.

Ensure that the syslog server has the selected client certificate. You can export the certificate as a P12 file in Configuration > Objects > Certificates and PKI.

Format Choose the Syslog format to use:
  • LEGACY (format limited to 1024 characters for each Syslog message),
  • LEGACY-LONG (no limit on message length),
  • RFC5424 (format compliant with RFC 5424).

Advanced properties

Backup server

This field will only be active when the protocol selected is TLS or TCP.

Select or create a host object corresponding to the backup syslog server. Groups cannot be selected.

Backup port

This field will only be active when the protocol selected is TLS or TCP.

Port used by the backup syslog server.

Category (facility) Associates an application system with the logs sent to the syslog server.
Sekoia Intake Key

If you have a subscription allowing you to send data to sekoia.io servers, enter the authentication key provided by Sekoia. This key comprises 32 characters.

To disable this service, erase the key that was entered in this field and confirm the configuration.

NOTE
This field will only be shown when the RFC5424 syslog format and the TLS protocol have been selected.

Logs enabled

In this table, the logs that need to be sent to the syslog server can be selected.

Status Enables or disables sending the selected log file. Double-click on it to change its status.
Name Type of logs to be sent (Alarm, Connection, Web, Filter…).