Trouble getting Protect events to my syslog server

Issue

This article helps troubleshoot failures in getting Protect events from the agent to a syslog server.

Cause

Failures typically come from one of two sources: the agent cannot reach the syslog server (connectivity), or the syslog settings are not applied to the agent or do not match what the server expects (configuration).

Resolution

Our main documentation for setting up syslog configurations can be found here.

Agent Configuration

There are three ways to configure syslogging for the agent's Protect events.

  • UI: Within the server environment the agent belongs to here
    • Configurations set up here only apply to NEW servers, not existing ones
    • Note: Each environment has its own configuration (PRODUCTION, QA and DEVELOPMENT)
  • UI: In the server settings associated with the agent here
    • Configure here when the server is static and already exists in the environment. Settings take about 5 minutes to reach a connected agent; restart the agent for immediate results.
  • Agent: Configured via YAML or ENV
    • Applied on agent startup

Agent YAML example:

agent:
  security_logger:
    syslog:
      enable: true
      ip: syslog.acme.com
      port: 514
      facility: 19
      severity_exploited: ALERT
      severity_blocked: NOTICE
      severity_blocked_perimeter: NOTICE
      severity_probed: WARNING
      severity_suspicious: WARNING

Agent ENV example:

CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__ENABLE=true
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__IP=syslog.acme.com
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__PORT=514
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__FACILITY=19
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_EXPLOITED=ALERT
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_BLOCKED=NOTICE
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_BLOCKED_PERIMETER=NOTICE
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_PROBED=WARNING
CONTRAST__AGENT__SECURITY_LOGGER__SYSLOG__SEVERITY_SUSPICIOUS=WARNING

Note: The ip (host) setting must be a DNS hostname or an IP address, not a URL.

Agent Connectivity

Syslog events are sent by the agent itself, not by the Contrast servers, over UDP (typically port 514). Ensure the system the agent runs on has network connectivity to the syslog server on that port.

Test connection to the port for the syslog server using netcat on Linux:

nc -vnzu <ip address of syslog server> 514

On Windows, you can use Microsoft's PortQry utility to send a test packet:

PortQry.exe -n <ip address of syslog server> -p udp -e 514

Check that the syslog server's address resolves (a hostname should resolve to an IP; an IP should be valid):

nslookup <hostname or ip address of syslog server>
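The following is an added example, not part of the original article and not Contrast's own code. It ties the Agent Configuration settings above to the Agent Connectivity checks: it computes the syslog PRI values the example configuration (facility 19 with the severity_* settings) implies, runs a throwaway UDP listener on the loopback interface to confirm a datagram round-trips the way a test listener on the syslog host would, and checks that a received line carries the configured facility and one of the configured severities. The message body is a constructed sample; the real agent's message format is not shown on this page and is not assumed here.

```python
import re
import socket

# Syslog severity names and their numeric codes (RFC 5424, section 6.2.1).
SEVERITY = {
    "EMERGENCY": 0, "ALERT": 1, "CRITICAL": 2, "ERROR": 3,
    "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7,
}

# The article's example agent configuration (facility 19 = local3).
CONFIG = {
    "facility": 19,
    "severity_exploited": "ALERT",
    "severity_blocked": "NOTICE",
    "severity_blocked_perimeter": "NOTICE",
    "severity_probed": "WARNING",
    "severity_suspicious": "WARNING",
}

# Constructed sample line in RFC 3164 shape: <PRI> then a free-form body.
# 157 = facility 19 * 8 + NOTICE 5, i.e. what a "blocked" event should carry.
SAMPLE_BLOCKED = "<157>Jan  1 12:00:00 app01 contrast-agent: constructed sample body"


def pri(facility: int, severity_name: str) -> int:
    """Syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424)."""
    return facility * 8 + SEVERITY[severity_name.upper()]


def expected_pris(config: dict) -> dict:
    """Map each Protect outcome (exploited, blocked, ...) to the PRI the agent should emit."""
    return {
        key[len("severity_"):]: pri(config["facility"], name)
        for key, name in config.items()
        if key.startswith("severity_")
    }


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(message: str) -> dict:
    """Split the leading <PRI> of a syslog line back into facility and severity."""
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("no <PRI> header, not a syslog line: %r" % message[:40])
    value = int(m.group(1))
    if value > 191:  # max facility 23, max severity 7
        raise ValueError("PRI out of range: %d" % value)
    return {"pri": value, "facility": value // 8, "severity": value % 8,
            "body": message[m.end():]}


def check_message(message: str, config: dict) -> list:
    """Return the Protect outcomes a received line is consistent with.

    Raises if the facility or severity does not match the agent configuration,
    which is the first thing to rule out when the server-side search finds nothing
    (a filter on the wrong facility silently drops every event).
    """
    parsed = parse_pri(message)
    if parsed["facility"] != config["facility"]:
        raise ValueError("facility %d != configured %d"
                         % (parsed["facility"], config["facility"]))
    matches = sorted(outcome for outcome, value in expected_pris(config).items()
                     if value == parsed["pri"])
    if not matches:
        raise ValueError("severity %d is not used by any severity_* setting"
                         % parsed["severity"])
    return matches


def loopback_roundtrip(message: str) -> str:
    """Send one datagram to a throwaway UDP listener on 127.0.0.1 and return what arrived.

    Stand-in for pointing the agent at a test listener on the syslog host: if this
    works locally but nothing arrives from the agent, look at the network path and
    the agent's applied settings rather than the syslog daemon.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port; 514 would need privileges
    listener.settimeout(2.0)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode("utf-8"), listener.getsockname())
        data, _ = listener.recvfrom(65535)
        return data.decode("utf-8")
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    print("expected PRI per outcome:", expected_pris(CONFIG))
    received = loopback_roundtrip(SAMPLE_BLOCKED)
    print("received line matches outcomes:", check_message(received, CONFIG))
```

Because blocked and blocked_perimeter share NOTICE (and probed and suspicious share WARNING) in the example configuration, the PRI alone cannot tell those pairs apart; check_message therefore returns every outcome consistent with the PRI rather than guessing one.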

Agent Activity & Logging

Ensure the agent is seeing activity that would generate a syslog event. You can check for this in the Contrast UI --> Attacks --> Attack events.

The agent also saves all attack events locally to its Security.log file.

The agent's debug logging can also be turned on to validate that the settings have been applied correctly to the agent and to see whether the agent has attempted to send an event. These logs can be sent to Support for assistance.

For Java agent version 6.5.3 and above you can also add -Dcontrast.agent.java.logger.enable_internal_logger_debugging=true to enable additional logging (in both the agent log and on stdout) that explicitly indicates when an outgoing UDP syslog message is sent.

Syslog Server

Ensure the syslog server has a data input with sourcetype contrast_events configured for UDP on the desired port (typically 514).

Search syslog events using eventtype="contrast_eventtype"
