Forwarding to Syslog

Syslog refers to System Logging protocol. It is a standard chiefly used by network devices to send events and logs in a particular format to a centralized system for storage and analysis. A Syslog event includes severity level, host IP, timestamps, diagnostics information, and more.

Sysdig Event Forwarding allows you to send events gathered by Sysdig Secure to a Syslog server.

Prerequisites

Event forwards originate from region-specific IPs. For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall and allow inbound requests from these IP addresses to enable Sysdig to handle event forwarding.

Configure Standard Event Forwarding

To forward event data to a Syslog Server:

  1. Log in to Sysdig Secure as Admin and go to Profile > Settings > Event Forwarding.

  2. Click +Add Integration and choose Syslog from the drop-down menu.

  3. Configure the required options:

    Integration Name: Define an integration name.

    Address: Specify the Syslog server where the events are forwarded. Enter a domain name or IP address. If a domain name resolves to several IP addresses, the first resolved address is used.

    Port: Specify the port number.

    Protocol: Choose the protocol depending on the server you are sending the logs to:

    • RFC 3164: RFC 3164 is the older version of the protocol, default port and transport is 514/UDP.

    • RFC 5424: RFC 5424 is the current version of the protocol, default port and transport is 514/UDP

    • RFC 5425 (TLS): RFC 5425 (TLS) is an extension to RFC 5424 to use an encrypted channel, default port and transport is 6514/TCP. Select this option if you want to use a certificate uploaded via Sysdig’s Certificates Management tool.

    UDC/TCP: Define transport layer protocol UDP/TCP. Use TCP for security incidents, as it’s far more reliable than UDP for handling network congestion and preventing packet loss.

    • NOTE: RFC 5425 (TLS) only supports TCP.

    Certificate: (Optional) Select a certificate you’ve uploaded via Sysdig’s Certificates Management tool. Note that the RFC 5425 (TLS) protocol is required for you to see this field.

    Data to Send: Select from the drop-down the types of Sysdig data that should be forwarded. The available list depends on the Sysdig features and products you have enabled.

    Allow insecure connections: Toggle on if you want to allow insecure connections (i.e. invalid or self-signed certificate on the receiving side).

    Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.

  4. Click Save.

Configure Agent Local Forwarding

Review the configuration steps and use the following parameters for this integration.

TypeAttributeRequired?TypeAllowed valuesDefaultDescription
SYSLOGServicePortyesintport of the syslog server
SYSLOGServiceTypenostringtcp, udptcpprotocol, tcp or udp (case insensitive)
SYSLOGinsecurenobooltrueDoesn’t verify TLS certificate
SYSLOGMessageFormatyesstringRFC_3164, RFC_5424, RFC_5425The syslog message format. RFC5425 is TLS only
SYSLOGformatternostringJSON, LEEF, CEFJSONThe message content format