Send the Audit Trail to an External Log Service

Send the Cortex XSOAR audit trail to an external log service by adding custom server configurations.
Organizations that are required to implement centralized logging for compliance and monitoring requirements benefit from the syslog export.
To send the Cortex XSOAR audit trail to an external log service, you create several custom server configurations.
  1. Select Settings > About > Troubleshooting > Add Server Configuration.
  2. Add the following required keys and values:

     | Key | Value | Required |
     | --- | --- | --- |
     | syslog.enabled | true | Required |
     | syslog.protocol | tcp, udp, tcp+tls, or unix. Default: unix (for localhost syslogging). | Required |
     | syslog.host | <syslog server> | Required. This key is not required for the UNIX protocol. |
     | syslog.port | <destination port> | Required. This key is not required for the UNIX protocol. |
     | syslog.tag | <syslog tag>. Default is Demisto. | Optional |
     | syslog.format | RFC3164 or RFC5424. Default is empty, which uses a custom format that is a combination of both formats. | Optional |
     | syslog.filter | <object/action> | Optional |
     | syslog.priority | Default is a number for LOG_INFO with LOG_DAEMON. If you want to change the default, contact Cortex XSOAR Customer Support. | Optional |
  3. (Optional) To modify the facility level of syslogs, in the syslog.priority parameter, add the facility and severity levels and the resulting number in the following format: <severity level>|<facility level>=<resulting number>.
     For example, to view informational messages for the local7 facility level, add the value 6|184=190, where:
     6 = severity level (informational)
     184 = facility level (local7), calculated by 23*8
     190 = total of the severity and facility levels
     For information about the syslog facility and severity levels, see What are Syslog Facilities and Levels.
Filter Example
In this example, we want to match audit trail entries of login success and login failure. To accomplish this, we set the syslog.filter parameter to login/.* .
Sample Syslog
CEF:0|Demisto|Demisto Enterprise|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|failure|3|suser=john startTime=1521835930684963 cs1=john cs1Label=identifier cs2=Cookie: [hsfirstvisit\=http%3A%2F%2Flocalhost%3A7070%2F||1464113050169; _ga\=GA1.1.296351272.1461620234; __hstc\=181257784.72e717e61ded2087506747f5da786796.1464113050173.1464122836548.1469409642245.3; __hssrc\=1; hubspotutk\=72e717e61ded2087506747f5da786796; local-theme\=light; XSRF-TOKEN\=AgF4Peo0Gqa8zlIB31fLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nReferer: [http://localhost:8080/]\n\nAccept: [application/json]\n\nX-Xsrf-Token: [AgF4Peo0Gqa8zlIBk1GLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nContent-Length: [142]\n\nAccept-Language: [en-US,en;q\=0.9,he;q\=0.8,ms;q\=0.7]\n\nContent-Type: [application/json]\n\nhost/ip: [::1]:62296\nConnection: [keep-alive]\n\nUser-Agent: [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36]\n\nApi_truncate_results: [true]\n\nOrigin: [http://localhost:8080]\n\nAccept-Encoding: [gzip, deflate, br]\n\nerror: Invalid credentials:Invalid username or password\nDnt: [1]\n cs2Label=details CEF:0|Demisto|Demisto Enterprise|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|in|3|suser=john startTime=1521835934123052 cs1=john cs1Label=identifier cs2=host/ip: [::1]:62296\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36 cs2Label=details client: 127.0.0.1:57284 message: CEF:0|Demisto|Demisto Enterprise|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|out|3|suser=john startTime=1521835927224046 cs1=john cs1Label=identifier cs2=N/A cs2Label=details
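As an added example (not part of the Cortex XSOAR documentation), the following Python computes the syslog.priority value from step 3 above and applies a syslog.filter expression such as login/.* to CEF audit records shaped like the sample above, so an operator can check what a filter will export before enabling it. The object/action positions in the CEF header are read off the sample; full-regex-match semantics for the filter and the trimmed sample records are assumptions.

```python
import re
from typing import List, Tuple

# Standard syslog facility and severity codes (RFC 5424, section 6.2.1).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

def priority_value(facility: str, severity: str) -> str:
    """Build the syslog.priority value in the <severity>|<facility>=<total> form,
    e.g. info on local7 -> '6|184=190' (facility code 23 * 8 = 184, plus 6)."""
    sev = SEVERITIES[severity]
    fac = FACILITIES[facility] * 8
    return f"{sev}|{fac}={sev + fac}"

def split_cef(record: str) -> List[str]:
    """Split a CEF record into its 7 header fields plus the extension. Header pipes
    are escaped as '\\|', so split only on unescaped pipes, and stop after 7 splits
    so pipes inside the extension (e.g. cookie values) are left untouched."""
    return re.split(r"(?<!\\)\|", record, maxsplit=7)

def cef_object_action(record: str) -> Tuple[str, str]:
    """The audit object and action sit in header fields 5 and 6 (e.g. login|failure),
    as seen in the sample above."""
    fields = split_cef(record)
    return fields[4], fields[5]

def filter_matches(filter_expr: str, record: str) -> bool:
    """Test a syslog.filter expression (<object>/<action>, regex allowed) against the
    record's 'object/action' string. Full-match semantics is an assumption."""
    obj, action = cef_object_action(record)
    return re.fullmatch(filter_expr, f"{obj}/{action}") is not None

def matching_records(filter_expr: str, records: List[str]) -> List[str]:
    return [r for r in records if filter_matches(filter_expr, r)]

# Constructed sample audit records, trimmed from the page's sample (not real exports).
SAMPLE = [
    "CEF:0|Demisto|Demisto Enterprise|3.6.0|login|failure|3|suser=john cs1=john cs1Label=identifier",
    "CEF:0|Demisto|Demisto Enterprise|3.6.0|login|in|3|suser=john cs2=a\\=b||c cs2Label=details",
    "CEF:0|Demisto|Demisto Enterprise|3.6.0|login|out|3|suser=john cs2=N/A cs2Label=details",
    "CEF:0|Demisto|Demisto Enterprise|3.6.0|incident|create|3|suser=john cs1=1 cs1Label=identifier",
]

if __name__ == "__main__":
    print(priority_value("local7", "info"))  # 6|184=190
    for r in matching_records("login/.*", SAMPLE):
        print(cef_object_action(r))
```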