1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Compute Edition Administrator’s Guide
    5. Audit
    6. Syslog and stdout integration
    End-of-Life (EoL)

    Syslog and stdout integration

    You can configure Prisma Cloud to send audit event records (audits) to syslog and/or stdout for Console and Defender based on whether you have Prisma Cloud Compute Edition or Prisma Cloud Enterprise Edition.
    With the Prisma Cloud Compute Edition, you can configure Prisma Cloud to send audit event records (audits) to syslog and/or stdout.
    Syslog integration must be turned on manually. Open Console, go to
    Manage > Alerts > Logging
    , then set
    Syslog
     to
    Enabled
    . Prisma Cloud connects to the syslog socket on /dev/log. Stdout integration can be enabled from the same tab.
    When you enable syslog or stdout integration, you can optionally enable verbose output. Verbose output records vulnerability and compliance issues in your environment. It also records all process activity.
    In general, enabling verbose output is not recommended because of the substantial overhead. You can retrieve this data much more efficiently from the Prisma Cloud API. Nevertheless, sometimes this capability is expressly required for integration with SIEM tools.
    Do not enable both syslog and stdout on hosts with systemd. With systemd, anything sent to stdout gets logged to syslog. With both syslog and stdout enabled, you would get duplicate messages in syslog.

    Sending syslog messages to a network endpoint

    Writing to /dev/log sends logs to the local host’s syslog daemon. The syslog daemon can then be optionally configured to forward those logs to a remote syslog or SIEM server. If you don’t have access to the underlying host, you can configure Prisma Cloud Console to send log messages directly to your remote system.
    In most cases, you won’t need to specify a network endpoint in order to send syslog messages to your SIEM tool. If you already have log collectors on your hosts, simply enable syslog. Your log collectors will stream Prisma Cloud syslog messages to your SIEM tool.
    Some things to keep in mind:
    • Console sends logs directly to your remote server. When configuring Console with the remote server, validate that the address you enter is actually reachable from the host where Console runs. Otherwise, you risk losing log messages.
    • Because Console sends messages directly to your remote server, and not through the local syslog daemon, you don’t get some of syslog’s built-in benefits, such as buffering, which protects against network outages and service failures.
    • The classic syslog implementation sends logs over UDP. This is considered a bad practice if your logs have any value. UDP is connectionless. Packets are sent to their destination without confirming that they were received. TCP’s stateful connections and retransmission capabilities make it more appropriate for shuttling logs to a SIEM.
    1. Log into Console.
    2. Go to
      Manage > Alerts > Logging
      .
    3. Set
      Syslog
       to
      Enabled
      .
    4. In
      Send syslog messages over the network to
      , click
      Edit
      , and then specify a destination.

    Appending custom strings to syslog messages

    You can configure Prisma Cloud Compute to append a custom string to all Console and Defender syslog messages.
    Custom strings are set in the event message as a key-value pair, where the key is "id", and the value is your custom string. The following screenshot shows a Defender event, where the custom string is "koko".
    Configuring a custom string is useful when you have multiple Prisma Cloud Compute deployments (i.e. multiple Compute Consoles) and you’re aggregating all messages in a single log management system. The custom string serves as a marker that lets you correlate specific events to specific deployments.
    1. Open Console.
    2. Go to
      Manage > Alerts > Logging
      .
    3. Set
      Syslog
       to
      Enabled
      .
    4. For
      Identifier
      , click
      Edit
      , and enter a string.

    Console events

    Both Console and Defender emit messages. Console syslog messages are tagged as Twistlock-Console in the logs.
    The data emitted to syslog and stdout is exactly the same.

    Console syslog event types

    The following table describes each message type and sub-type.
    Syslog Type
    Sub Type
    Description
    image_scan
     — 
    This represents an image scan.
     — 
    containerCompliance
    This represents any Compliance findings within the image scan.
     — 
    vulnerability
    This represents any Vulnerability findings within the image scan.
    container_scan
     — 
    This represents a Container scan.
     — 
    container
    This represents any Compliance findings within the container scan.
    vm_scan
     — 
    This represents a VM scan.
     — 
    containerCompliance
    This represents any Compliance findings within the vm scan.
     — 
    vulnerability
    This represents any Vulnerability findings within the vm scan.
    host_scan
     — 
    This represents a Host scan.
     — 
    containerCompliance
    This represents any Compliance findings within the host scan.
     — 
    vulnerability
    This represents any Vulnerability findings within the host scan.
    scan_summary
     — 
    This represents a scan summary. The type of summary is dependent upon subtype below.
     — 
    image
    This represents a summary of image Vulnerability and Compliance issues.
     — 
    container
    This represents a summary of container Vulnerability and Compliance issues.
     — 
    vm
    This represents a summary of vm Vulnerability and Compliance issues.
     — 
    host
    This represents a summary of host Vulnerability and Compliance issues.
     — 
    code_repository_scan
    This represents a summary of code repository Vulnerability and Compliance issues.
     — 
    registry_scan
    This represents a summary of registry Vulnerability and Compliance issues.
     — 
    cloud_scan
    This represents a summary of cloud accounts with Compute Compliance issues.
    management_audit
     — 
    This represents any management audit. This is broken out in the subtypes listed below.
     — 
    login
    This represents a login audit.
     — 
    profile
    This represents a profile state change audit.
     — 
    settings
    This represents a settings change audit.
     — 
    rule
    This represents a rule change audit.
     — 
    user
    This represents a user change audit.
     — 
    group
    This represents a group change audit.
     — 
    credential
    This represents a credential change audit.
     — 
    tag
    This represents a tag change audit.
    kubernetes_audit
     — 
    This represents a Kubernetes audit.
    admission_audit
     — 
    This represents an Admission Controller audit.
    serverless_runtime_audit
     — 
    This represents a Serverless runtime audit.
    serverless_app_firewall_audit
     — 
    This represents a Serverless WAAS audit.
    app_embedded_runtime_audit
     — 
    This represents an app embedded runtime audit.
    app_embedded_app_firewall_audit
     — 
    This represents an app embedded WAAS audit.
    defender_disconnected
     — 
    This represents when a Defender is disconnected.

    Image scan

    Records when Prisma Cloud scans an image.
    Example image scan message:
    Jul 30 18:51:32 aqsa-root Twistlock-Console[1]:
  time="2019-07-30T18:51:32.214136319Z"
  type="scan_summary"
  log_type="image"
  image_id="sha256:cd14cecfdb3a657ba7d05bea026e7ac8b9abafc6e5c66253ab327c7211fa6281"
  image_name="aqsa/internal:tag5"
  vulnerabilities="297"
  compliance="1"

    Container scan

    Records when Prisma Cloud scans a container.
    Example container scan message:
    Jul 30 22:06:15 aqsa-root Twistlock-Console[1]:
  time="2019-07-30T22:06:15.804842461Z"
  type="container_scan"
  log_type="container"
  container_id="d29ac3222f430ccf6a7d730db5cec3363d4c608680de881e26e13f9011e36d13"
  container_name="twistlock_console"
  image_name="twistlock/private:console_19_07_353"
  compliance="6"

    Host scan

    Records when Prisma Cloud scans a host. Defenders scan the hosts they run on.
    Example host scan:
    Jul 30 22:09:53 aqsa-root Twistlock-Console[1]:
  time="2019-07-30T22:09:53.390680962Z"
   type="scan_summary"
   log_type="host"
   hostname="aqsa-root.c.cto-sandbox.internal"
   vulnerabilities="89"
   compliance="17"

    Code repository scan

    Records when Prisma Cloud scans a code repository.
    Example scan:
    Jul  7 23:34:09 ip-172-31-55-106 Twistlock-Console[1]:
  time="2020-07-07T23:34:09.25109843Z"
  type="scan_summary"
  last_update_time="2020-07-07 23:21:00.203 +0000 UTC"
  log_type="code_repository_scan"
  source="github"
  repository_name="jerryso/apper"
  vulnerable_files="1"
  vulnerabilities="25"
  collections="All"

    Individual compliance issues

    Records a compliance finding. These messages are tagged with log_type="compliance", and are generated as a byproduct of container scans, image scans, host scans, and registry scans.
    Compliance issues are only recorded when
    Detailed output for vulnerabilities and compliance
     is enabled in
    Manage > Alerts > Logging
     (to see this option, syslog must be enabled).
    A syslog entry is generated for each compliance issue. This can result in a significant amount of data, which is why verbose output is disabled by default.
    You must have a rule that alerts on compliance issues for an entry to be written to syslog. It might just be the Default - alert all components rule, or another custom rule. This option does not simply log all compliance issues irrespective of the rules that are in place.
    Example image compliance issue:
    Jul 30 22:18