Sysdig Documentation

Event Forwarding

Sysdig supports sending policy events to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, QRadar, ArcSight and LogDNA. Use the Event Forwarding functionality in Sysdig Secure to forward events to a tool in your environment. This lets you view security events and correlate Sysdig findings in the tool you already use for event analysis.

Types of Event Forwarding

  • Splunk

  • Syslog

Integrating with Syslog

Syslog (System Logging protocol) is a standard, used chiefly by network devices, for sending events and logs in a defined format to a centralized system for storage and analysis. A Syslog event includes a severity level, the host IP, timestamps, diagnostic information and so on.

Sysdig Event Forwarding allows you to send policy events gathered by Sysdig Secure to a Syslog server.

Configure Syslog Event Forwarding

To forward event data to a Syslog Server:

  1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

  2. Click the Add Integration button.

  3. Select Syslog from the drop-down menu.

  4. Toggle the Enabled switch as necessary. By default, the new integration is enabled.

  5. Configure the required options:

    1. Integration Name: Define an integration name.

    2. Server Address: Specify the Syslog server where the events are forwarded to. Enter a domain name or IP address. If a domain name resolves to several IP addresses, the first resolved address is used.

    3. Port: Specify the port number.

    4. Specify the protocol:

      UDP: The protocol used by the Syslog listener to receive the Syslog data. The default port is 514, but the Syslog server can be configured to use any port.

      TCP: Prefer TCP for security events; it handles network congestion and prevents packet loss far more reliably than UDP. TCP connections also use port 514 by default. For RFC 5425 (encrypted channel), the default port is 6514.

    5. Specify the message format (the type of data to send):

      RFC 3164 is the older version of the protocol; RFC 5424 is the current one. RFC 5425 extends RFC 5424 with transport over an encrypted channel. Choose the format that the receiving server expects.

  6. Click the Save button to save the integration.
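As an added example (not part of the Sysdig documentation), here is a small receiver-side check in Python: it tells whether a forwarded line is RFC 5424 or RFC 3164 and extracts the facility, severity, host, timestamp and message, so you can confirm that the format selected in the integration is the one your Syslog server actually parses. The sample lines and the app name sysdig-secure are constructed for this example.

```python
import re

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# (structured data is matched as "-" or a single [..] element, enough for this check)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) ?(?P<msg>.*)$", re.S)

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$", re.S)


def parse_syslog(line):
    """Classify one received line as rfc5424 or rfc3164 and split out its fields.
    Returns None for anything that matches neither format or carries an invalid PRI."""
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line.rstrip("\r\n"))
        if not m:
            continue
        pri = int(m.group("pri"))
        if pri > 191:  # PRI = facility * 8 + severity; facilities run 0..23
            return None
        return {"format": fmt, "facility": pri // 8, "severity": pri % 8,
                "host": m.group("host"), "app": m.group("app"),
                "timestamp": m.group("ts"), "msg": m.group("msg")}
    return None


# Constructed sample lines carrying the "Terminal shell in container" policy event
# (PRI 13 = facility 1 "user", severity 5 "notice"); the app name is an assumption.
SAMPLE_5424 = ("<13>1 2019-07-25T14:36:31.633554Z ip-172-31-72-246 sysdig-secure - - - "
               "Terminal shell in container: A shell was spawned in a container with an attached terminal")
SAMPLE_3164 = ("<13>Jul 25 14:36:31 ip-172-31-72-246 sysdig-secure: "
               "Terminal shell in container: A shell was spawned in a container with an attached terminal")

if __name__ == "__main__":
    for line in (SAMPLE_5424, SAMPLE_3164, "not syslog at all"):
        print(parse_syslog(line))
```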

Integrating with Splunk

Configure Splunk Event Forwarding

To forward event data to Splunk:

  1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

  2. Click the Add Integration button.

  3. Select Splunk from the drop-down menu.

  4. Toggle the Enabled switch as necessary. By default, the new integration is enabled.

  5. Configure the required options:

    1. Define an integration name.

    2. Define the URL of the Splunk service, that is, the HTTP Event Collector (HEC) that forwards events to your Splunk deployment. Enter the service URL together with the port, in the format scheme://host:port.

    3. Define the Splunk service token: the token that Sysdig uses to authenticate the connection to the HTTP Event Collector.

    4. Optional: Configure additional Splunk parameters (Index, Source, Source Type) as desired.

      Index: The index where events are stored. Specify the index if you selected one when configuring the HTTP Event Collector.

      Source: Sets the source key/field on forwarded events; the source is Sysdig Monitor.

      Source Type: Identifies the data structure of the event. For more information, see Source Type.

      For more information on these parameters, refer to the Splunk documentation.

  6. Select the data to send to Splunk. Currently, Sysdig only supports sending policy events.

  7. Click the Save button to save the integration.


Here is an example of how policy events forwarded from Sysdig Secure are displayed in Splunk:

Event Enrichment with Agent Labels

Default Labels

The agent includes the following labels by default when event labels are enabled:

event_labels:
  include:
    - process.name
    - host.hostName
    - agent.tag
    - container.name
    - kubernetes.cluster.name
    - kubernetes.namespace.name
    - kubernetes.deployment.name
    - kubernetes.pod.name
    - kubernetes.node.name

Adding Custom Labels

Event labeling can both include and exclude labels; add custom labels to the include list, and drop unwanted ones with the exclude list:

event_labels:
  exclude:
    - custom.label.to.exclude

event_labels:
  include:
    - custom.label.to.include

Example of an enriched event sent to Splunk:

{
  "baselineId": null,
  "containerId": "e4d32e56d9d2",
  "description": "A shell was used as the entrypoint/exec point into a container with an attached terminal.",
  "eventLabels": [
    { "key": "kubernetes.node.name", "value": "ip-172-31-72-246" },
    { "key": "container.name", "value": "k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0" },
    { "key": "kubernetes.cluster.name", "value": "SysdigBackend" },
    { "key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0" },
    { "key": "kubernetes.namespace.name", "value": "sysdigcloud" },
    { "key": "agent.tag.timezone", "value": "UTC" },
    { "key": "agent.tag.location", "value": "europe" },
    { "key": "process.name", "value": "bash" },
    { "key": "host.hostName", "value": "ip-172-31-72-246" }
  ],
  "falsePositive": false,
  "fields": [...],
  "hostMac": "02:77:68:60:6b:ae",
  "id": 702701271278202880,
  "isAggregated": false,
  "matchedOnDefault": false,
  "name": "Terminal shell in container",
  "output": "A shell was spawned in a container with an attached terminal (user=root k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0 (id=e4d32e56d9d2) shell=bash parent=docker-runc cmdline=bash terminal=34816)",
  "policyId": 18,
  "ruleSubtype": null,
  "ruleType": "RULE_TYPE_FALCO",
  "severity": 5,
  "timestamp": 1564065391633554,
  "version": 1
}
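As an added example (not Sysdig code), the following Python builds the HTTP Event Collector request for an enriched event like the one above from the settings in the Splunk procedure: the service URL in scheme://host:port form, the service token, and the optional Index, Source and Source Type. The /services/collector/event path and the Authorization: Splunk <token> header are Splunk HEC conventions; the sample event is constructed from the one shown above, and the https-only check is this example's own choice, not a Sysdig requirement.

```python
import json
from urllib.parse import urlsplit

# Constructed sample built from the enriched event above, trimmed to the fields used here.
SAMPLE_EVENT = json.loads("""{
  "containerId": "e4d32e56d9d2",
  "name": "Terminal shell in container",
  "ruleType": "RULE_TYPE_FALCO",
  "severity": 5,
  "timestamp": 1564065391633554,
  "eventLabels": [
    {"key": "host.hostName", "value": "ip-172-31-72-246"},
    {"key": "kubernetes.namespace.name", "value": "sysdigcloud"},
    {"key": "kubernetes.pod.name", "value": "sysdigcloud-elasticsearch-0"},
    {"key": "agent.tag.location", "value": "europe"},
    {"key": "process.name", "value": "bash"}
  ]
}""")


def hec_endpoint(service_url):
    """Check the scheme://host:port form the integration expects and return the HEC
    event endpoint, or None if unusable. Plain http is refused so the service token
    is never sent in clear (this example's choice, not a Sysdig rule)."""
    u = urlsplit(service_url)
    if u.scheme != "https" or not u.hostname or u.port is None:
        return None
    return f"https://{u.hostname}:{u.port}/services/collector/event"


def hec_request(service_url, token, event, index=None, source=None, sourcetype=None):
    """Build (url, headers, body) for one policy event. Event labels are flattened into
    top-level fields so they are searchable in Splunk; Index, Source and Source Type map
    to the optional HEC metadata keys. Nothing is sent here."""
    url = hec_endpoint(service_url)
    if url is None:
        raise ValueError("Service URL must be https://host:port")
    labels = {item["key"]: item["value"] for item in event.get("eventLabels", [])}
    body = {
        "time": event["timestamp"] / 1_000_000,  # Sysdig timestamps are microseconds
        "host": labels.get("host.hostName", "unknown"),
        "event": {**{k: v for k, v in event.items() if k != "eventLabels"}, **labels},
    }
    for key, value in (("index", index), ("source", source), ("sourcetype", sourcetype)):
        if value:
            body[key] = value
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    return url, headers, body
```

Pass the returned url, headers and json.dumps(body) to any HTTPS client to deliver the event.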

Delete an Event Forwarding Integration

To delete an existing integration:

  1. From the Settings module of the Sysdig Secure UI, navigate to the Events Forwarding tab.

  2. Click the More Options (three dots) icon.

  3. Click the Delete Integration button.

  4. Click the Yes, delete button to confirm the change.