Issue
This article helps troubleshoot failures in delivering Protect events to a syslog server.
Cause
Issues can typically arise from connectivity and/or configuration issues.
Resolution
Our main documentation for setting up syslog configurations can be found here.
Agent Configuration
There are three ways to configure syslog output for the agent's Protect events.
- UI: Within the server environment the agent belongs to here
- Configuration set up here applies only to NEW servers, not to existing ones
- Note: Each environment has its own configuration (PRODUCTION, QA and DEVELOPMENT)
- UI: In the server settings associated with the agent here
- Use this when the server already exists in the environment and is static. Settings take about 5 minutes to reach a connected agent; restart the agent to apply them immediately.
- Agent: Configured via YAML or ENV
- Applied on agent startup (restart the agent after changing either)
Agent YAML example:
agent:
  security_logger:
    syslog:
      enable: true
      ip: syslog.acme.com
      port: 514
      facility: 19
      severity_exploited: ALERT
      severity_blocked: NOTICE
      severity_blocked_perimeter: NOTICE
      severity_probed: WARNING
      severity_suspicious: WARNING
Agent ENV example:
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__ENABLE=true
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__IP=syslog.acme.com
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__PORT=514
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__FACILITY=19
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_EXPLOITED=ALERT
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_BLOCKED=NOTICE
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_BLOCKED_PERIMETER=NOTICE
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_PROBED=WARNING
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_SUSPICIOUS=WARNING
Note: The ip value must be a hostname (DNS name) or an IP address, not a URL (no scheme, path or port in it).
Agent Connectivity
Syslog events are sent by the agent itself, not by the Contrast servers, over UDP (typically port 514). Ensure the host running the agent has connectivity to the syslog server; firewall rules for the Contrast server are irrelevant here.
Test connectivity to the syslog server's port from the agent's host using netcat on Linux (drop -n if you want to pass a hostname instead of an IP address):
nc -vnzu <ip address of syslog server> 514
Because UDP is connectionless, netcat reports success whenever no ICMP "port unreachable" comes back, so a passing test does not prove a listener is bound to the port. The definitive check is a packet capture on the syslog server (for example tcpdump on UDP port 514) while the agent sends an event.
On Windows, you can use Microsoft's PortQry utility to send a test packet:
PortQry.exe -n <ip address of syslog server> -p udp -e 514
If you configured a hostname rather than an IP, confirm it resolves from the agent's host:
nslookup <hostname of syslog server>
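The facility and severity settings above end up encoded in the PRI field at the start of every syslog datagram (PRI = facility * 8 + severity), which is what a receiver uses to route and filter the events. The following Python script is an example added for this article, not the Contrast agent's code, and it makes no claim about the agent's message body; it computes the PRI a receiver should see for each outcome in the YAML example, decodes the PRI of a captured datagram, and runs a loopback UDP send/receive on a free port so you can confirm that UDP datagrams can be bound and received on the host without needing root or port 514. The AGENT_CONFIG values, the "testhost" hostname and the tag are constructed from the example above.

```python
"""Syslog PRI helpers plus a loopback UDP check for troubleshooting agent syslog delivery.

Added example for this article; not the Contrast agent's own code. It reproduces only the
standard RFC 3164 PRI encoding (facility * 8 + severity), not the agent's message format.
"""
import socket
from datetime import datetime

# Standard syslog severity names, matching the values used in the agent's severity_* settings.
SEVERITIES = {
    "EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
    "WARNING": 4, "NOTICE": 5, "INFORMATIONAL": 6, "DEBUG": 7,
}

# Constructed from the agent YAML example in this article (facility 19 = local3).
AGENT_CONFIG = {
    "facility": 19,
    "severity_exploited": "ALERT",
    "severity_blocked": "NOTICE",
    "severity_blocked_perimeter": "NOTICE",
    "severity_probed": "WARNING",
    "severity_suspicious": "WARNING",
}


def pri(facility: int, severity: str) -> int:
    """PRI value a conforming sender places inside <...> at the start of the datagram."""
    if not 0 <= facility <= 23:
        raise ValueError(f"facility out of range: {facility}")
    return facility * 8 + SEVERITIES[severity.upper()]


def expected_pris(config: dict) -> dict:
    """Map each Protect outcome (exploited, blocked, ...) to the PRI the receiver should see."""
    fac = config["facility"]
    return {key.removeprefix("severity_"): pri(fac, sev)
            for key, sev in config.items() if key.startswith("severity_")}


def parse_pri(datagram: bytes) -> tuple[int, int]:
    """Decode a leading '<PRI>' into (facility, severity); raise ValueError if malformed."""
    if not datagram.startswith(b"<"):
        raise ValueError("datagram does not start with <PRI>")
    end = datagram.find(b">", 1, 5)  # PRI is at most three digits, so '>' is within index 4
    if end == -1:
        raise ValueError("unterminated PRI")
    value = int(datagram[1:end])
    if value > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {value}")
    return divmod(value, 8)  # (facility, severity)


def build_message(facility: int, severity: str, tag: str, text: str) -> bytes:
    """Minimal RFC 3164-style line; hostname and tag are arbitrary test values."""
    timestamp = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri(facility, severity)}>{timestamp} testhost {tag}: {text}".encode()


def loopback_check(facility: int = 19, severity: str = "ALERT") -> tuple[int, int]:
    """Bind a throwaway UDP receiver on 127.0.0.1, send one test datagram to it, decode its PRI.

    Port 0 asks the OS for any free port, so this runs without root and without touching 514.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx.sendto(build_message(facility, severity, "syslog-check", "test event"),
                  rx.getsockname())
        data, _ = rx.recvfrom(2048)
    return parse_pri(data)


if __name__ == "__main__":
    print(expected_pris(AGENT_CONFIG))  # exploited -> 153, blocked -> 157, probed -> 156, ...
    print(loopback_check())             # (19, 1) when loopback UDP delivery works
```

To check a real capture, paste the first bytes of a datagram seen on the syslog server into parse_pri: with the example config, a blocked attack should decode to (19, 5) and an exploited one to (19, 1); anything else means the receiver is getting a different facility or severity than the agent config suggests, which usually points at the wrong environment or server-level settings being in effect. Binding the receiver to port 514 instead of 0 requires privileges on most systems, which is why the loopback check uses a free port.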
Agent Activity & Logging
Ensure the agent is generating activity that would produce a syslog event. You can check for this in the Contrast UI --> Attacks --> Attack events. If no attack events appear there, no syslog message is expected either.
The agent also saves all attack events locally to its Security.log file.
The agent's debug logging can also be turned on to validate that the settings have been applied correctly and to see whether the agent has attempted to send an event; these logs can be sent to Support for assistance. For the Java agent, start the JVM with:
-Dcontrast.agent.java.logger.enable_internal_logger_debugging=true
This enables additional logging (in both the agent log and stdout) that explicitly indicates when an outgoing UDP syslog message is sent.
Syslog Server
On a Splunk receiver (data input, sourcetype and eventtype are Splunk terms), ensure the syslog server has a data input with sourcetype contrast_events configured for UDP on the desired port, typically 514.
Search syslog events using eventtype="contrast_eventtype"