The System Logging Protocol (Syslog) has been used for decades to send system logs and event messages to a designated server. Syslog separates the software that generates messages, the system that stores them, and the software that reports on and analyzes them. Because of this separation, critical events are logged and stored off the original server. One of an attacker's first efforts after compromising a system is usually to cover the tracks they left in its logs, but logs already forwarded via Syslog are out of reach of anyone who controls only the compromised host, which is what makes them crucial to the safety of systems.
Configuring Syslog Format
1. In the Admin Portal, under Log Configuration (Configuration > Log), there is a field for syslog formatting, as shown in the screenshot below:
2. In the red-bordered area noted in the screenshot above, copy and paste the following template for CEF log formatting:
CEF:0|safous|appgw|{{version}}|{{event_id}}|{{event_name}}|{{event_severity}}|dst={{remote_address}} safouskind={{kind}} start={{timestamp}} act={{action}} safousresult={{result}} safoussubjectid={{subject_id}} safoussubjectname={{subject_name}} safoussubjectkind={{subject_kind}} safousauthkind={{authority_kind}} safousauthid={{authority_id}} safousauthname={{authority_name}} safousobjkind={{object_kind}} safousobjid={{object_id}} safousobjname={{object_name}} safoussessionid={{session_id}} msg={{message}} safousdstid={{node_id}} safousuagent={{client}} safouscountrycode={{country_code}} safoustransid={{transaction_id}} safouscredentialsorigin={{credentials_origin}} safouscredentialsid={{credentials_id}} safouscredentialsname={{credentials_name}}
3. Please click on the article here for the Event_ID table.
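To check that events forwarded with this template parse the way a SIEM will parse them, here is an added example (not Safous code; the sample event values are constructed) that parses one such CEF line, including an extension value containing spaces, and reports which of the template's extension keys are missing from an event:

```python
import re

# Constructed sample event: the page's CEF template rendered with made-up
# values (assumptions, not output captured from the product).
SAMPLE_EVENT = (
    "CEF:0|safous|appgw|1.2.3|1001|login_success|3|"
    "dst=203.0.113.10 safouskind=auth start=2024-01-15T10:22:33Z act=login "
    "safousresult=success safoussubjectid=u-42 safoussubjectname=alice "
    "safoussubjectkind=user safousauthkind=idp safousauthid=idp-1 "
    "safousauthname=corp-sso safousobjkind=app safousobjid=app-7 "
    "safousobjname=intranet safoussessionid=s-99 msg=User logged in via SSO "
    "safousdstid=node-3 safousuagent=Mozilla/5.0 safouscountrycode=US "
    "safoustransid=t-555 safouscredentialsorigin=vault safouscredentialsid=c-1 "
    "safouscredentialsname=primary"
)

# Extension keys the template on this page emits, in template order.
TEMPLATE_KEYS = (
    "dst safouskind start act safousresult safoussubjectid safoussubjectname "
    "safoussubjectkind safousauthkind safousauthid safousauthname safousobjkind "
    "safousobjid safousobjname safoussessionid msg safousdstid safousuagent "
    "safouscountrycode safoustransid safouscredentialsorigin safouscredentialsid "
    "safouscredentialsname"
).split()

HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "event_id", "event_name", "severity")

def parse_cef(line):
    """Parse one CEF line into a dict of the 7 header fields plus extension key/values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-delimited; a literal pipe inside a field is escaped as \|
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    event = {k: v.replace(r"\|", "|") for k, v in zip(HEADER, parts[:7])}
    # Extension values may contain spaces (msg=...), so a value runs up to the
    # next "key=" token; a literal '=' or '\' inside a value is escaped as \= or \\
    ext = parts[7]
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        event[m.group(1)] = re.sub(r"\\([=\\])", r"\1", ext[m.end():end])
    return event

def missing_template_keys(line):
    """Template keys absent from a forwarded event (an empty list means all present)."""
    return [k for k in TEMPLATE_KEYS if k not in parse_cef(line)]
```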