Syslog Sender
This Integration is part of the Syslog Pack.#
Supported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Overview#
Use the Syslog Sender integration to send messages in RFC 5424 message format and mirror incident War Room entries to Syslog.
Use Cases#
- Send messages to Syslog via TCP or UDP or TLS.
- Mirror incident war room entries to Syslog.
Configure Syslog Sender on Cortex XSOAR#
Usage example for rsyslog#
To allow sending messages to rsyslog via Cortex XSOAR, the following lines have to be in the rsyslog configuration:
For TCP:
For UDP:
Integration configuration#
- Navigate to Settings > Integrations > Servers & Services.
- Search for Syslog Sender.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- IP Address (e.g. 127.0.0.1)
- Port
- Protocol (TCP / UDP)
- Minimum severity of incidents to send messages on
- Log level to send
- Facility
- Long running instance. Required for investigation mirroring.
- Incident type
- Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- mirror-investigation
- send-notification
1. mirror-investigation#
Mirrors the investigation's War Room to syslog.
Base Command#
mirror-investigation
Input#
| Argument Name | Description | Required |
|---|---|---|
| type | The mirroring type. Can be "all", which mirrors everything, "chat", which mirrors only chats (not commands), or "none", which stops all mirroring. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!mirror-investigation
Human Readable Output#
Investigation mirrored successfully.
2. send-notification#
Sends a message to syslog.
Base Command#
send-notification
Input#
| Argument Name | Description | Required |
|---|---|---|
| message | The message content. | Optional |
| entry | An entry ID to send as a link. | Optional |
| ignoreAddURL | Whether to include a URL to the relevant component in Cortex XSOAR. Can be "true" or "false". The default value is "false'. | Optional |
| level | Log level to send. Can be "DEBUG", "INFO", "WARNING", "ERROR", or "CRITICAL". | Optional |
Context Output#
There is no context output for this command.
Command Example#
!send-notification message=Test ignoreAddURL=true
Human Readable Output#
Message sent to Syslog successfully.
3. syslog-send#
Send a message to Syslog
Base Command#
syslog-send
Input#
| Argument Name | Description | Required |
|---|---|---|
| message | The message content. | Optional |
| level | The log level to send. Can be "DEBUG", "INFO", "WARNING", "ERROR", or "CRITICAL". | Optional |
| address | The Syslog server address. | Optional |
| protocol | The protocol to use | Optional |
| port | The Syslog server port (required for TCP or UDP protocols). | Optional |
| facility | The Syslog facility. | Optional |
Context Output#
There is no context output for this command.
Command Example#
!syslog-send address=127.0.0.1 port=514 protocol=TCP message=yo level=ERROR
Human Readable Output#
Message sent to Syslog successfully.
Troubleshooting#
Make sure you can access the Syslog server on the provided IP address and the port is open.