Skip to main content

Syslog v2

This Integration is part of the Syslog Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

A Syslog server enables opening incidents automatically from Syslog clients. This integration supports converting to incidents, filtered logs or all logs. This integration was integrated and tested with RFC3164 and RFC5424 formats of Syslog.

Notes#

  • Important: Supported log formats: RFC3164, RFC5424, RFC6587 (with RFC3164 or RFC5424)
  • Important: Do not use an engine group for this integration. It can cause the integration to run on a different engine, and the Syslog server may send logs to an IP for which Syslog is not configured.
  • The integration does not support encrypted private keys.

Configure Syslog v2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Instances.

  2. Search for Syslog v2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Port mappingThe listening port to receive Syslog message on (<port> or <host port>:<docker port>)True
    Certificate (Required for HTTPS)Required for HTTPS if not using server reroutingFalse
    Private Key (Required for HTTPS)Required for HTTPS if not using server reroutingFalse
    Message Regex Filter For Incidents CreationCreates an incident in Cortex XSOAR for every received log message that matches this regex.False
  4. Click Test to validate the connection.

Troubleshooting#

To receive incidents, the Syslog engine listens on a configured port that needs to be available for external in-coming traffic. There may be cases that docker is configured not to expose the port for external in-comming traffic. In this case, you can use host networking and not the docker based networking. Enable host networking usage by adding the following server configuration (Settings > About > Troubleshooting > Add Server Configuration):

  • Key: python.pass.extra.keys.demisto/syslog
  • Value: --network=host

If listening on a port less than 1024 and running with the Docker Hardening configuration, you may need to disable the "run with non-root internal user" setting for the Syslog integration to listen on the host networking on a lower port. From more information, see Run Docker with Non-Root Internal User and the Docker Hardening Guide. You can disable this setting by adding the following server configuration:

  • Key: docker.run.internal.asuser.ignore
  • Value: demisto/syslog

If the integration is running via an engine, you need to add this setting to the engine configuration either via the d1.conf file or in the Server Settings->Engines-> Edit Configuration.