Forwarding to Syslog
Sysdig Event Forwarding allows you to send events gathered by Sysdig Secure to a Syslog server.
Event forwards originate from region-specific IPs. For the full list of outbound IPs by region, see SaaS Regions and IP Ranges. Update your firewall and allow inbound requests from these IP addresses to enable Sysdig to handle event forwarding.
Configure Standard Event Forwarding
To forward event data to a Syslog Server:
Log in to Sysdig Secure as Admin and go to Profile > Settings > Event Forwarding.
Click +Add Integration and choose Syslog from the drop-down menu.
Configure the required options:
Integration Name: Define an integration name.
Address: Specify the Syslog server where the events are forwarded. Enter a domain name or IP address. If a domain name resolves to several IP addresses, the first resolved address is used.
Port: Specify the port number.
Protocol: Choose the protocol depending on the server you are sending the logs to:
RFC 3164: RFC 3164 is the older version of the protocol, default port and transport is 514/UDP.
RFC 5424: RFC 5424 is the current version of the protocol, default port and transport is 514/UDP
RFC 5425 (TLS): RFC 5425 (TLS) is an extension to RFC 5424 to use an encrypted channel, default port and transport is 6514/TCP. Select this option if you want to use a certificate uploaded via Sysdig’s Certificates Management tool.
UDC/TCP: Define transport layer protocol UDP/TCP. Use TCP for security incidents, as it’s far more reliable than UDP for handling network congestion and preventing packet loss.
- NOTE: RFC 5425 (TLS) only supports TCP.
Certificate: (Optional) Select a certificate you’ve uploaded via Sysdig’s Certificates Management tool. Note that the RFC 5425 (TLS) protocol is required for you to see this field.
Data to Send: Select from the drop-down the types of Sysdig data that should be forwarded. The available list depends on the Sysdig features and products you have enabled.
Allow insecure connections: Toggle on if you want to allow insecure connections (i.e. invalid or self-signed certificate on the receiving side).
Toggle the enable switch as necessary. Remember that you will need to “Test Integration” with the button below before enabling the integration.
Configure Agent Local Forwarding
Review the configuration steps and use the following parameters for this integration.
|SYSLOG||ServicePort||yes||int||port of the syslog server|
|SYSLOG||ServiceType||no||string||tcp, udp||tcp||protocol, tcp or udp (case insensitive)|
|SYSLOG||insecure||no||bool||true||Doesn’t verify TLS certificate|
|SYSLOG||MessageFormat||yes||string||RFC_3164, RFC_5424, RFC_5425||The syslog message format. RFC5425 is TLS only|
|SYSLOG||formatter||no||string||JSON, LEEF, CEF||JSON||The message content format|
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.