Document:Prisma Cloud Administrator’s Guide (Compute)

Syslog and stdout integration

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Cluster Context
- Deploy Prisma Cloud Defenders
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Agentless Scanning Modes
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Syslog and stdout integration

You can configure Prisma Cloud to send audit event records (audits) to syslog and/or stdout for Console and Defender based on whether you have Prisma Cloud Compute Edition or Prisma Cloud Enterprise Edition.

For the Prisma Cloud Enterprise Edition, we operate and monitor the Console for you. Therefore, the Console does not generate syslog events that you can reference.

The Defenders generate syslog messages that you can ingest for runtime and firewall events. In addition, you can configure Prisma Cloud to append a custom string to all Defender syslog messages.

Sending syslog messages to a network endpoint

Writing to /dev/log sends logs to the local host’s syslog daemon. The syslog daemon can then be optionally configured to forward those logs to a remote syslog or SIEM server. If you don’t have access to the underlying host, you can configure Prisma Cloud Console to send log messages directly to your remote system.

In most cases, you won’t need to specify a network endpoint in order to send syslog messages to your SIEM tool. If you already have log collectors on your hosts, simply enable syslog. Your log collectors will stream Prisma Cloud syslog messages to your SIEM tool.

Some things to keep in mind:

Console sends logs directly to your remote server. When configuring Console with the remote server, validate that the address you enter is actually reachable from the host where Console runs. Otherwise, you risk losing log messages.

Because Console sends messages directly to your remote server, and not through the local syslog daemon, you don’t get some of syslog’s built-in benefits, such as buffering, which protects against network outages and service failures.

The classic syslog implementation sends logs over UDP. This is considered a bad practice if your logs have any value. UDP is connectionless. Packets are sent to their destination without confirming that they were received. TCP’s stateful connections and retransmission capabilities make it more appropriate for shuttling logs to a SIEM.

Log into Console.

Go to Manage > Alerts > Logging
.

Set Syslog
to Enabled
.

In Send syslog messages over the network to
, click Edit
, and then specify a destination.

Appending custom strings to syslog messages

You can configure Prisma Cloud Compute to append a custom string to all Defender syslog messages.

Custom strings are set in the event message as a key-value pair, where the key is "id", and the value is your custom string. The following screenshot shows a Defender event, where the custom string is "koko".

Configuring a custom string is useful when you have multiple Prisma Cloud Compute deployments (i.e. multiple Compute Consoles) and you’re aggregating all messages in a single log management system. The custom string serves as a marker that lets you correlate specific events to specific deployments.

Open Console.

Go to Manage > Alerts > Logging
.

Set Syslog
to Enabled
.

For Identifier
, click Edit
, and enter a string.

Console events

Both Console and Defender emit messages. Console syslog messages are tagged as Twistlock-Console in the logs.

The data emitted to syslog and stdout is exactly the same.

Console syslog event types

The following table describes each message type and sub-type.

Syslog Type	Sub Type	Description
image_scan	—	This represents an image scan.
—	containerCompliance	This represents any Compliance findings within the image scan.
—	vulnerability	This represents any Vulnerability findings within the image scan.
container_scan	—	This represents a Container scan.
—	container	This represents any Compliance findings within the container scan.
vm_scan	—	This represents a VM scan.
—	containerCompliance	This represents any Compliance findings within the vm scan.
—	vulnerability	This represents any Vulnerability findings within the vm scan.
host_scan	—	This represents a Host scan.
—	containerCompliance	This represents any Compliance findings within the host scan.
—	vulnerability	This represents any Vulnerability findings within the host scan.

Document:Prisma Cloud Administrator’s Guide (Compute)

Syslog and stdout integration

Table of Contents

Syslog and stdout integration

Sending syslog messages to a network endpoint

Appending custom strings to syslog messages

Console events

Console syslog event types