End-of-Life (EoL)

Send the Audit Trail to an External Log Service

audit log
Organizations that are required to implement centralized logging for compliance and monitor requirements will benefit from the syslog export.
To send the Cortex XSOAR audit trail to an external log service, you create several custom server configurations.
  1. Select
    Settings
    About
    Troubleshooting
    Add Server Configuration
    .
  2. Add the following required keys and values:
    Key
    Value
    Required
    syslog.enabled
    true
    Required
    syslog.protocol
    tcp
    udp
    tcp+tls
    unix
    Default:
    unix
    (for localhost syslogging)
    Required
    syslog.host
    <syslog server>
    Required. This key is not required for UNIX protocol.
    syslog.port
    <destination port>
    Required. This key is not required for UNIX protocol.
    syslog.tag
    <syslog tag>
    Default is Demisto.
    Optional
    syslog.format
    RFC3164
    RFC5424
    Default is empty, which uses a custom format that is a combination of both formats.
    Optional
    syslog.filter
    <object/action>
    Optional
    syslog.priority
    Default is a number for LOG_INFO with LOG_DAEMON. If you want to change the default, contact Demisto Support
    Optional
Filter Example
In this example, we want to match audit trail entries of
login success
and
login failure
. To accomplish this, we set the
syslog.filter
parameter to
login/.*
.
Sample Syslog
CEF:0|Demisto|Demisto Enterprise|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|failure|3|suser=john startTime=1521835930684963 cs1=john cs1Label=identifier cs2=Cookie: [hsfirstvisit\=http%3A%2F%2Flocalhost%3A7070%2F||1464113050169; _ga\=GA1.1.296351272.1461620234; __hstc\=181257784.72e717e61ded2087506747f5da786796.1464113050173.1464122836548.1469409642245.3; __hssrc\=1; hubspotutk\=72e717e61ded2087506747f5da786796; local-theme\=light; XSRF-TOKEN\=AgF4Peo0Gqa8zlIB31fLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nReferer: [http://localhost:8080/]\n\nAccept: [application/json]\n\nX-Xsrf-Token: [AgF4Peo0Gqa8zlIBk1GLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nContent-Length: [142]\n\nAccept-Language: [en-US,en;q\=0.9,he;q\=0.8,ms;q\=0.7]\n\nContent-Type: [application/json]\n\nhost/ip: [::1]:62296\nConnection: [keep-alive]\n\nUser-Agent: [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36]\n\nApi_truncate_results: [true]\n\nOrigin: [http://localhost:8080]\n\nAccept-Encoding: [gzip, deflate, br]\n\nerror: Invalid credentials:Invalid username or password\nDnt: [1]\n cs2Label=details CEF:0|Demisto|Demisto Enterprise|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|in|3|suser=john startTime=1521835934123052 cs1=john cs1Label=identifier cs2=host/ip: [::1]:62296\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36 cs2Label=details client: 127.0.0.1:57284 message: CEF:0|Demisto|Demisto Enterprise|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|out|3|suser=john startTime=1521835927224046 cs1=john cs1Label=identifier cs2=N/A cs2Label=details

Recommended For You