Syslog and stdout integration
You can configure Prisma Cloud to send audit event records (audits) to syslog and/or stdout for Console and Defender based on whether you have Prisma Cloud Compute Edition or Prisma Cloud Enterprise Edition.
For the Prisma Cloud Enterprise Edition, we operate and monitor the Console for you. Therefore, the Console does not generate syslog events that you can reference.
The Defenders generate syslog messages that you can ingest for runtime and firewall events. In addition, you can configure Prisma Cloud to append a custom string to all Defender syslog messages.
Sending syslog messages to a network endpoint
Writing to /dev/log sends logs to the local host’s syslog daemon. The syslog daemon can then be optionally configured to forward those logs to a remote syslog or SIEM server. If you don’t have access to the underlying host, you can configure Prisma Cloud Console to send log messages directly to your remote system.
In most cases, you won’t need to specify a network endpoint in order to send syslog messages to your SIEM tool. If you already have log collectors on your hosts, simply enable syslog. Your log collectors will stream Prisma Cloud syslog messages to your SIEM tool.
Some things to keep in mind:
- Console sends logs directly to your remote server. When configuring Console with the remote server, validate that the address you enter is actually reachable from the host where Console runs. Otherwise, you risk losing log messages.
- Because Console sends messages directly to your remote server, and not through the local syslog daemon, you don’t get some of syslog’s built-in benefits, such as buffering, which protects against network outages and service failures.
- The classic syslog implementation sends logs over UDP. This is considered a bad practice if your logs have any value. UDP is connectionless. Packets are sent to their destination without confirming that they were received. TCP’s stateful connections and retransmission capabilities make it more appropriate for shuttling logs to a SIEM.
- Log into Console.
- Go toManage > Alerts > Logging.
- InSend syslog messages over the network to, clickEdit, and then specify a destination.
Appending custom strings to syslog messages
You can configure Prisma Cloud Compute to append a custom string to all Defender syslog messages.
Custom strings are set in the event message as a key-value pair, where the key is "id", and the value is your custom string. The following screenshot shows a Defender event, where the custom string is "koko".
Configuring a custom string is useful when you have multiple Prisma Cloud Compute deployments (i.e. multiple Compute Consoles) and you’re aggregating all messages in a single log management system. The custom string serves as a marker that lets you correlate specific events to specific deployments.
- Open Console.
- Go toManage > Alerts > Logging.
- ForIdentifier, clickEdit, and enter a string.
Both Console and Defender emit messages. Console syslog messages are tagged as Twistlock-Console in the logs.
The data emitted to syslog and stdout is exactly the same.
Console syslog event types
The following table describes each message type and sub-type.
This represents an image scan.
This represents any Compliance findings within the image scan.
This represents any Vulnerability findings within the image scan.
This represents a Container scan.
This represents any Compliance findings within the container scan.
This represents a VM scan.
This represents any Compliance findings within the vm scan.
This represents any Vulnerability findings within the vm scan.
This represents a Host scan.
This represents any Compliance findings within the host scan.
This represents any Vulnerability findings within the host scan.