What's New For 4.6
We've added two new formats to the output of Remote Logging: CEF, and JSON. Read on for details on each format.
What's it for?
Allows the Sentinel to log event data to a SIEM or remote syslog server. Configuration details and available formats are described below.
Configuration Details
Note: The IP address in the configuration must be publicly routable if the Sentinel is installed in public IP space. Therefore, if your log collector/forwarder or SIEM is located on the LAN with an internal IP address, you will need to configure your firewall or border device with a port forward to route the event data properly.
- Remote Logging Status. When you're ready to send event data, select 'On'.
- Format. There are three available formats: Legacy (our original pipe-delimited format meant for syslog servers), CEF, and JSON. They are described in their own sections below.
- Protocol. You can choose TLS, TCP, or UDP. TLS is encrypted on the wire, while TCP and UDP are not. We recommend TLS or TCP, since they allow the Sentinel to hold the alert data in a queue in case communication to the remote server is lost temporarily. When communication is restored, the queued data is forwarded to the remote server, and there are no gaps in the timeline of the activity. Due to its stateless nature, UDP cannot queue data and does not account for lost connections.
- Log Server IP. The IP address of the receiving server. Or, if you're routing the event data through an edge device with one-to-one NAT or port forwards, this might be an IP on that edge device.
- Port. Port to use for sending the event data. Defaults to the standard syslog port of 514.
Log Formats
Legacy
A pipe-delimited, syslog-friendly format that includes, in order:
- The device and its IP separated by an underscore
- Timestamp
- Source IP
- Source Port
- Destination IP
- Destination Port
- Severity
- Flow
- EPS Event? True/False
- Alert Only Event? True/False
- Reputation-based Event? True/False
- Event Type/Message
Sentinel_203.0.113.2|2019-03-25T13:19:21.652510+0000|222.139.82.124|31038|203.0.113.14|23|1|inbound|False|False|False|CINS Rogue Packet Activity Detected (TCP)
CEF
The ArcSight Common Event Format. The header is pipe-delimited, and includes:
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|
The Extension fields after the final pipe are key=value pairs, and include:
- Source IP
- Destination IP
- Source Port
- Destination Port
- Flow
- Sentinel IP
- Sentinel Location
- Event Type/Message
- Protocol
- Timestamp
- EPS Event? True/False
- Alert Only Event? True/False
- Reputation-based Event? True/False
Sample output from the CEF Format:
CEF:0|Nomic Networks|Outpost|4.6.0|9000000|Event|1|src=185.176.27.14 dst=203.0.113.14 spt=48151 dpt=28096 flow=inbound sentinel_ip=203.0.113.2 sentinel_loc=Springfield Sector 7G msg=CINS Rogue Packet Activity Detected (TCP) proto=TCP rt=2019-03-25T13:20:26.018197+0000 is_eps=False is_ao=False is_rep=False
Prior to version 4.7.1, our old company name was used in the Device Vendor field, as shown here:
CEF:0|Sentinel IPS|Outpost|4.6.0|9000000|Event|1|src=185.176.27.14 dst=203.0.113.14 spt=48151 dpt=28096 flow=inbound sentinel_ip=203.0.113.2 sentinel_loc=Springfield Sector 7G msg=CINS Rogue Packet Activity Detected (TCP) proto=TCP rt=2019-03-25T13:20:26.018197+0000 is_eps=False is_ao=False is_rep=False
JSON
Simple key:value pairs in a flat JSON format. Includes:
- Sentinel IP
- Sentinel Location
- Timestamp
- Event Type/Message
- Signature ID
- Severity
- Source IP
- Destination IP
- Source Port
- Destination Port
- Flow
- Protocol
- EPS Event? True/False
- Alert Only Event? True/False
- Reputation-based Event? True/False
Sample output in JSON format:
{"sentinel_ip": "203.0.113.2", "sentinel_loc": "Springfield Sector 7G", "ts": "2019-03-25T13:20:59.487698+0000", "msg": "CINS Rogue Packet Activity Detected (TCP)", "sid": 9000000, "sev": 1, "src": "200.52.43.55", "dst": "203.0.113.14", "spt": 35633, "dpt": 23, "flow": "inbound", "proto": "TCP", "is_eps": false, "is_ao": false, "is_rep": false}
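As an added example, not code from this article or from the product's own software, the following Python parses all three formats documented above (Legacy, CEF and JSON) into one record shape, which is what a SIEM ingestion or detection pipeline needs before it can treat the three formats alike. The three sample events from this page are embedded as input. The record's field names follow the CEF/JSON keys shown on the page; the `SentinelEvent` class, the `parse_*` functions and the `vendor` field (captured so that both the "Nomic Networks" and the older "Sentinel IPS" Device Vendor header values parse) are my own choices, not part of the product. The CEF extension parser allows values containing spaces, as `sentinel_loc` and `msg` do in the sample, and the Legacy parser keeps any pipe inside the trailing message field.

```python
"""Normalise Sentinel remote-logging events (Legacy, CEF, JSON) into one record shape."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Sample events copied from this article, one per format.
LEGACY_LINE = (
    "Sentinel_203.0.113.2|2019-03-25T13:19:21.652510+0000|222.139.82.124|31038|"
    "203.0.113.14|23|1|inbound|False|False|False|CINS Rogue Packet Activity Detected (TCP)"
)
CEF_LINE = (
    "CEF:0|Nomic Networks|Outpost|4.6.0|9000000|Event|1|src=185.176.27.14 dst=203.0.113.14 "
    "spt=48151 dpt=28096 flow=inbound sentinel_ip=203.0.113.2 sentinel_loc=Springfield Sector 7G "
    "msg=CINS Rogue Packet Activity Detected (TCP) proto=TCP rt=2019-03-25T13:20:26.018197+0000 "
    "is_eps=False is_ao=False is_rep=False"
)
JSON_LINE = (
    '{"sentinel_ip": "203.0.113.2", "sentinel_loc": "Springfield Sector 7G", '
    '"ts": "2019-03-25T13:20:59.487698+0000", "msg": "CINS Rogue Packet Activity Detected (TCP)", '
    '"sid": 9000000, "sev": 1, "src": "200.52.43.55", "dst": "203.0.113.14", "spt": 35633, '
    '"dpt": 23, "flow": "inbound", "proto": "TCP", "is_eps": false, "is_ao": false, "is_rep": false}'
)


@dataclass
class SentinelEvent:
    """Common shape (my own); field names follow the CEF/JSON keys used in the article."""
    fmt: str
    sentinel_ip: str
    ts: str
    src: str
    spt: int
    dst: str
    dpt: int
    sev: int
    flow: str
    is_eps: bool
    is_ao: bool
    is_rep: bool
    msg: str
    proto: Optional[str] = None
    sentinel_loc: Optional[str] = None
    sid: Optional[int] = None
    vendor: Optional[str] = None  # CEF Device Vendor: "Nomic Networks", or "Sentinel IPS" before 4.7.1


# Legacy field order, exactly as listed in the article.
LEGACY_FIELDS = ["device", "ts", "src", "spt", "dst", "dpt", "sev", "flow",
                 "is_eps", "is_ao", "is_rep", "msg"]

_CEF_PIPE = re.compile(r"(?<!\\)\|")               # header delimiter, unless escaped as \|
_CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # extension key=value; values may contain spaces


def _flag(value) -> bool:
    """Legacy and CEF carry the strings 'True'/'False'; JSON carries real booleans."""
    if isinstance(value, bool):
        return value
    if value in ("True", "False"):
        return value == "True"
    raise ValueError(f"not a True/False flag: {value!r}")


def parse_legacy(line: str) -> SentinelEvent:
    # The message is the last field, so cap the split to keep any '|' inside it intact.
    parts = line.rstrip("\r\n").split("|", len(LEGACY_FIELDS) - 1)
    if len(parts) != len(LEGACY_FIELDS):
        raise ValueError(f"expected {len(LEGACY_FIELDS)} pipe-delimited fields, got {len(parts)}")
    f = dict(zip(LEGACY_FIELDS, parts))
    _device, sep, sentinel_ip = f["device"].rpartition("_")  # e.g. Sentinel_203.0.113.2
    if not sep:
        raise ValueError(f"device field is not '<device>_<ip>': {f['device']!r}")
    return SentinelEvent(
        fmt="legacy", sentinel_ip=sentinel_ip, ts=f["ts"], src=f["src"], spt=int(f["spt"]),
        dst=f["dst"], dpt=int(f["dpt"]), sev=int(f["sev"]), flow=f["flow"],
        is_eps=_flag(f["is_eps"]), is_ao=_flag(f["is_ao"]), is_rep=_flag(f["is_rep"]), msg=f["msg"])


def parse_cef(line: str) -> SentinelEvent:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Seven header fields, then the extension; maxsplit keeps pipes inside the extension intact.
    header = _CEF_PIPE.split(line.rstrip("\r\n"), 7)
    if len(header) != 8:
        raise ValueError(f"expected 7 CEF header fields plus extension, got {len(header) - 1}")
    _cef, vendor, _product, _version, class_id, _name, severity, extension = header
    ext = {k: v.replace("\\=", "=") for k, v in _CEF_KV.findall(extension)}
    missing = [k for k in ("src", "dst", "spt", "dpt", "flow", "sentinel_ip", "msg", "rt") if k not in ext]
    if missing:
        raise ValueError(f"CEF extension missing keys: {missing}")
    return SentinelEvent(
        fmt="cef", sentinel_ip=ext["sentinel_ip"], ts=ext["rt"], src=ext["src"], spt=int(ext["spt"]),
        dst=ext["dst"], dpt=int(ext["dpt"]), sev=int(severity), flow=ext["flow"],
        is_eps=_flag(ext.get("is_eps", "False")), is_ao=_flag(ext.get("is_ao", "False")),
        is_rep=_flag(ext.get("is_rep", "False")), msg=ext["msg"], proto=ext.get("proto"),
        sentinel_loc=ext.get("sentinel_loc"), sid=int(class_id), vendor=vendor)


def parse_json(line: str) -> SentinelEvent:
    d = json.loads(line)
    return SentinelEvent(
        fmt="json", sentinel_ip=d["sentinel_ip"], ts=d["ts"], src=d["src"], spt=int(d["spt"]),
        dst=d["dst"], dpt=int(d["dpt"]), sev=int(d["sev"]), flow=d["flow"],
        is_eps=_flag(d["is_eps"]), is_ao=_flag(d["is_ao"]), is_rep=_flag(d["is_rep"]),
        msg=d["msg"], proto=d.get("proto"), sentinel_loc=d.get("sentinel_loc"), sid=d.get("sid"))


def parse_event(line: str) -> SentinelEvent:
    """Pick the parser from the leading bytes; Legacy has no marker, so it is the fallback."""
    stripped = line.lstrip()
    if stripped.startswith("CEF:"):
        return parse_cef(stripped)
    if stripped.startswith("{"):
        return parse_json(stripped)
    return parse_legacy(stripped)


if __name__ == "__main__":
    for raw in (LEGACY_LINE, CEF_LINE, JSON_LINE):
        ev = parse_event(raw)
        print(f"{ev.fmt:6} {ev.ts} {ev.src}:{ev.spt} -> {ev.dst}:{ev.dpt} sev={ev.sev} {ev.msg}")
```

Because the Legacy format has no leading marker, the detector treats anything that is neither `CEF:` nor JSON as Legacy and lets the field-count check reject lines that do not fit; if your collector mixes in other syslog sources, route by source or sentinel IP before calling `parse_event`.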