Enable Syslog Forwarding

You can enable syslog forwarding under
Enforcer Profile
. Optionally, you can configure the header format used in the syslog messages and enable client authentication for syslog over TLS.
If you enable syslog forwarding without defining a syslog server endpoint, enforcers write events to the host subsystem. This can be useful if you already have a syslog collector in your host, but it only works for Linux based systems and on environments where your enforcers have permissions to write to the platform’s disk. Many managed platforms don’t allow your enforcers to write to the platform’s disk which will cause an error.
You must configure the following log fields:
  1. Enter the
    Syslog Endpoint
    IP address or fully qualified domain name (FQDN) of the syslog server and the port number where the syslog messages are sent.
  2. Select a syslog standard value for
    Facility
    .
    The default value is 1 or LOG_USER to calculate the priority (PRI) field in your syslog server implementation.
  3. Select the syslog
    Format
    used for messages: AUTO, BSD or IETF.
    Traditionally, BSD format is used over UDP and IETF format is used over TCP or SSL/TLS connections.

Configure Syslog Forwarding for UDP Connections

The following procedure adds a
Syslog Collector
listening on UDP connections, over port 514, which is the default syslog port.
  1. Provide the endpoint address in the following format: <protocol://<fqdn or ip>:<port>

Configure Syslog Forwarding for TCP Connections

The following procedure adds a
Syslog Collector
listening on TCP connections over port 50514.
  1. Provide the endpoint address in the following format: <protocol://<fqdn or ip>:<port>

Configure Syslog Forwarding for TLS Connections

The following example adds a
Syslog Collector
listening on TLS connections over port 50140. In addition to providing the endpoint details, TLS connections require that you upload the client and server certificates. Follow these steps configure syslog forwarding and to upload the certificates to the Prisma Cloud Console.
  1. Provide the endpoint address in the following format: <protocol://<fqdn or ip>:<port>
  2. Go to
    Manage → Credentials > Certificate Management
  3. Add the Public and Private key certificates of the host where you installed the Enforcer. This host is the syslog TLS client.
    This step enables Prisma Cloud to store the certificate that the Enforcers use securely and establish the TLS connection.
  4. Go to
    Agent > Enforcer Profile
    .
  5. Add the syslog client and server public certificates using the .pem file format.

Display the Syslog Configuration

To see the syslog configuration defined and mapped against the enforcer in a namespace, expand the
Enforcer Profile
.
Different enforcers can use different profiles, and you can use this flexibility to define different syslog endpoints according to your needs.

Enable Syslog Forwarding with apoctl

You can configure syslog easily through your automation pipeline using apoctl.
The following commands are useful examples.
  • Configure a UDP syslog server endpoint.
    apoctl api update enforcerprofile 61dfcc367e57760001d6c609 -k syslogEnabled=true -k syslogEndpoint="udp://10.128.0.25:50514" -k syslogFormat=BSD
  • Configure a TCP syslog server endpoint:
    apoctl api update enforcerprofile 61dfcc367e57760001d6c609 -k syslogEnabled=true -k syslogEndpoint="tcp://10.128.0.25:50514" -k syslogFormat=IETF
  • Configure a TLS syslog server endpoint:
    1. Create a service certificate.
      apoctl api update servicecertificate 61d61b1e3186970001065ec8 \ --api https://api.staging.network.prismacloud.io \ --namespace /796475962542846976/vivek-test/aporeto \ --data '{ "name": "syslog-servicecert", "public": "<public certificate content>", "private": "<private certificate content>" }'
    2. Configure the enforcer profile:
      apoctl api update enforcerprofile 61dfcc367e57760001d6c609 \ --api https://api.staging.network.prismacloud.io \ --namespace /796475962542846976/vivek-test/aporeto \ --data '{ "syslogEndpointTLSClientCertificate": "<certificate content>", "syslogEndpointTLSServerCA": "<certificate content>", "syslogEndpoint": "tls://10.128.0.25:50514", "syslogFacility": null, "syslogFormat": "IETF" }'

Recommended For You