Event Forwarding
Sysdig supports sending policy events to third-party SIEM (security information and event management) platforms and logging tools, such as Splunk, Elastic Stack, Qradar, Arcsight, LogDNA. You can use the Event Forwarding functionality in Sysdig Secure to forward events to a tool in your environment. By doing so you can view security events and correlate Sysdig findings with the tool that you are already using for event analysis.
Types of Event Forwarding
Splunk
Syslog
Integrating with Syslog
Syslog refers to System Logging protocol. It is a standard chiefly used by network devices to send events and logs in a particular format to a centralized system for storage and analysis. A Syslog event includes severity level, host IP, timestamps, diagnostics information and so on.
Sysdig Event Forwarding allows you to send policy events gathered by Sysdig Secure to a Syslog server.
Configure a Syslog Event Forwarding
To forward event data to a Syslog Server:
From the
Settingsmodule of the Sysdig Secure UI, navigate to theEvents Forwardingtab.Click the
Add Integrationbutton.Select
Syslogfrom the drop-down menu.Toggle the
Enabledswitch as necessary. By default, the new integration is enabled.Configure the required options:
Integration Name: Define an integration name.
Server Address: Specify the Syslog server where the events are forwarded to. Enter a domain name or IP address. If a domain name resolves to several IP addresses, the first resolved address is used.
Port: Specify the port number.
Specify the protocol:
UDP: The protocol used by the Syslog listener to receive the Syslog data. The default port is 514. However, the Syslog server can be configured to use any port.
TCP: Use TCP for security incidents as it's far more reliable than UDP in terms of handling network congestion and preventing packet loss. Use port 514 for TCP connections as well. TCP with port 514 is used to increase data transfer reliability. The default port is 6514 for RFC 5425 specifications.
Specify what type of data you want to send:
RFC 3164 is the older version of the protocol, while the current one is RFC 5424. RFC 5425 is an extension to RFC 5424 to use an encrypted channel. Choose the protocol depending on the server you are sending the logs to.
Click the
Savebutton to save the integration.
Integrating with Splunk
Prerequisites
Image scanning requests and Splunk event forwards both originate from 18.209.200.129. To enable Sysdig to handle Splunk event forwarding, your firewall will need to allow inbound requests from this IP address.
Configure a Splunk Event Forwarding
To forward event data to Splunk:
From the
Settingsmodule of the Sysdig Secure UI, navigate to theEvents Forwardingtab.Click the
Add Integrationbutton.Select
Splunkfrom the drop-down menu.Toggle the
Enabledswitch as necessary. By default, the new integration is enabled.Configure the required options:
Define an integration name.
Define the URL of the Splunk service. This is the HTTP Event Collector that forwards the events to a Splunk deployment. Ensure that you enter the Service URL along with the port. The format is
scheme://host:port.Define the Splunk service token. This is the token that Sysdig uses to authenticate the connection to the HTTP Event Collector.
Optional: Configure additional Splunk parameters (Index, Source, Source Type) as desired.
Index: The index where events are stored. Specify the Index if you have selected one while configuring the HTTP Event Collector.
Source: Sets the source key/field for events from source, that's Sysdig Monitor.
Source Type: Identifies the data structure of the event. For more information, see Source Type.
For more information on these parameters, refer to the Splunk documentation.
Select the data to send to Splunk. Currently, Sysdig only supports sending policy events.
Click the
Savebutton to save the integration.
 |
Here is an example of how policy events forwarded from Sysdig Secure is displayed on Splunk:
 |
Event Enrichment with Agent Labels
Default labels
The agent includes these labels by default when enabling event labels
event_labels:
include:
- process.name
- host.hostName
- agent.tag
- container.name
- kubernetes.cluster.name
- kubernetes.namespace.name
- kubernetes.deployment.name
- kubernetes.pod.name
- kubernetes.node.nameAdding Custom Labels
Event labeling has the ability to both include and exclude event labels.
event_labels:
exclude:
- custom.label.to.exclude
event_labels:
include:
- custom.label.to.includeExample of an enriched event being sent to splunk
{ [-]
baselineId: null
containerId: e4d32e56d9d2
description: A shell was used as the entrypoint/exec point into a container with an attached terminal.
eventLabels: [ [-]
{ [-]
key: kubernetes.node.name
value: ip-172-31-72-246
}
{ [-]
key: container.name
value: k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0
}
{ [-]
key: kubernetes.cluster.name
value: SysdigBackend
}
{ [-]
key: kubernetes.pod.name
value: sysdigcloud-elasticsearch-0
}
{ [-]
key: kubernetes.namespace.name
value: sysdigcloud
}
{ [-]
key: agent.tag.timezone
value: UTC
}
{ [-]
key: agent.tag.location
value: europe
}
{ [-]
key: process.name
value: bash
}
{ [-]
key: host.hostName
value: ip-172-31-72-246
}
]
falsePositive: false
fields: [ [+]
]
hostMac: 02:77:68:60:6b:ae
id: 702701271278202880
isAggregated: false
matchedOnDefault: false
name: Terminal shell in container
output: A shell was spawned in a container with an attached terminal (user=root k8s_elasticsearch_sysdigcloud-elasticsearch-0_sysdigcloud_c824e1f8-aa1f-11e9-aff4-027768606bae_0 (id=e4d32e56d9d2) shell=bash parent=docker-runc cmdline=bash terminal=34816)
policyId: 18
ruleSubtype: null
ruleType: RULE_TYPE_FALCO
severity: 5
timestamp: 1564065391633554
version: 1
}Delete an Event Forwarding Integration
To delete an existing integration:
From the
Settingsmodule of the Sysdig Secure UI, navigate to theEvents Forwardingtab.Click the
More Options(three dots) icon.Click the
Delete Integrationbutton.Click the
Yes, deletebutton to confirm the change.