Syslog
Syslog connections to the CipherTrust Manager can be configured using the following:
Note
CipherTrust Manager can have a total of 64 log forwarder connections. Each Elasticsearch, Loki, and Syslog connection is counted towards the 64 connection total.
Managing Syslog Connections using GUI
- Host: IP address or hostname of the Syslog server. 
- Port: port number for connecting to the Syslog server. 
- Transport Format: select the transport mode for sending data. The TLS mode requires a trusted CA certificate in the PEM format.
Note
If you set the transport format to UDP, log messages are limited to a size of 1024 bytes. After this size, the log message is truncated.
- CA Cert: either upload the CA certificate or paste the certificate content. Make sure the server certificate contains the valid IP SANs.
  - Upload CSR: select and click Upload CSR to upload the trusted CA certificate from your machine.
  - Text: select and paste the certificate content in the text field.
- Message Format: select the log message format. 
Click Test Credentials to check whether the connection is configured correctly. If the test is successful, the status is OK; otherwise, the status is Fail.
Click Next to move to the Add Products screen of the Add Connection wizard.
Managing Syslog Connections using ksctl
The following operations can be performed:
- Create/Get/Update/Delete a Syslog connection 
- List all Syslog connections 
- Test an existing Syslog connection 
- Test the new Syslog connection parameters before establishing the connection 
Note
The host, port, and transport are the mandatory parameters for Syslog connections. The supported transport modes for sending data are tls, tcp, and udp. The tls mode requires a trusted CA certificate in the PEM format.
Note
In a multi-node clustered environment, the Syslog connection configuration is synchronized. Each node is aware of all the Syslog servers, and Syslog messages are sent from the currently active node. This implies that if an event that results in an audit record is performed on node 1, the Syslog message will originate from node 1. Similarly, if an audit event is conducted on node 2, the Syslog message will originate from node 2.
Log Message Formats
The supported message formats for Syslog are:
- rfc5424 (default) 
- rfc3164 
- cef 
- leef 
Examples
rfc5424 (plaintext)
2022-06-29T04:54:42.868478Z - CipherTrust_Manager_k170v citrus Server_Audit - ...{"principal":{"acct":"kylo:kylo:admin:accounts:kylo","sub":"local|d7c6473a-286d-4e10-9455-3f078743d4a5","acc":"kylo","iss":"kylo"},"requestId":"c6ce87a7-1775-4d4e-92ad-67e031b620f9","success":true,"username":"admin","details":{"category":"cloud","identifier":"Syslog Connection","name":"Syslog Connection","port":555,"service":"syslog"},"account":"kylo:kylo:admin:accounts:kylo","id":"d0a8f585-35b3-4414-99c1-c21db5d244d1","domain_id":"00000000-0000-0000-0000-000000000000","message":"Update connection","severity":"info","service":"citrus"}
rfc3164
Jun 29 04:58:56 CipherTrust_Manager_k170v[citrus]: {"requestId":"bceb9c29-fda7-4cd5-ae9c-6521b4913a09","success":true,"username":"admin","details":{"identifier":"Syslog Connection","name":"Syslog Connection","port":555,"service":"syslog","category":"cloud"},"severity":"info","id":"27dc8135-24be-4ee7-8b26-157f53bd6264","account":"kylo:kylo:admin:accounts:kylo","domain_id":"00000000-0000-0000-0000-000000000000","service":"citrus","message":"Update connection","principal":{"acc":"kylo","iss":"kylo","acct":"kylo:kylo:admin:accounts:kylo","sub":"local|d7c6473a-286d-4e10-9455-3f078743d4a5"}}
cef
Jun 29 05:01:43 CEF:0|Thales Group|CipherTrust_Manager_k170v|2.9.0-beta7+7422|Server_Audit|Update connection|1|log={"requestId":"b280abc6-4e88-46e4-9550-09409978a2e1","success":true,"username":"admin","details":{"identifier":"Syslog Connection","name":"Syslog Connection","port":4444,"service":"syslog","category":"cloud"},"account":"kylo:kylo:admin:accounts:kylo","id":"b575dba4-0fc4-4ce9-8d04-215b29f9efea","domain_id":"00000000-0000-0000-0000-000000000000","severity":"info","service":"citrus","message":"Update connection","principal":{"acc":"kylo","sub":"local|d7c6473a-286d-4e10-9455-3f078743d4a5","acct":"kylo:kylo:admin:accounts:kylo","iss":"kylo"}}
leef
Jun 29 05:03:47 LEEF:2.0|Thales Group|CipherTrust_Manager_k170v|2.9.0-beta7+7422|Server_Audit|^|log={"account":"kylo:kylo:admin:accounts:kylo","id":"2ebf0f96-396c-4626-9f48-f425d21f358d","service":"citrus","principal":{"sub":"local|d7c6473a-286d-4e10-9455-3f078743d4a5","acc":"kylo","iss":"kylo","acct":"kylo:kylo:admin:accounts:kylo"},"domain_id":"00000000-0000-0000-0000-000000000000","requestId":"2a7c2428-ee7c-4864-a93f-820b303c958c","severity":"info","success":true,"message":"Update connection","username":"admin","details":{"category":"cloud","identifier":"Syslog Connection","name":"Syslog
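As an added example that is not part of the CipherTrust documentation, the following Python parser recognises each of the four formats above, separates the CEF/LEEF header from the log= extension, and decodes the embedded audit JSON; the sample lines are constructed, shortened versions of the examples on this page. A message cut off by the 1024-byte UDP limit is reported as truncated instead of being dropped silently.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed, shortened audit record modelled on the page's examples (not a real export).
_AUDIT = ('{"requestId":"00000000-0000-4000-8000-000000000001","success":true,'
          '"username":"admin","details":{"identifier":"Syslog Connection","port":555},'
          '"principal":{"sub":"local|d7c6473a-286d-4e10-9455-3f078743d4a5"},'
          '"severity":"info","service":"citrus","message":"Update connection"}')
_HDR = "Thales Group|CipherTrust_Manager_k170v|2.9.0-beta7+7422|Server_Audit"
SAMPLE_LINES = {  # constructed samples, one per documented message format
    "rfc5424": f"2022-06-29T04:54:42.868478Z - CipherTrust_Manager_k170v citrus Server_Audit - {_AUDIT}",
    "rfc3164": f"Jun 29 04:58:56 CipherTrust_Manager_k170v[citrus]: {_AUDIT}",
    "cef": f"Jun 29 05:01:43 CEF:0|{_HDR}|Update connection|1|log={_AUDIT}",
    "leef": f"Jun 29 05:03:47 LEEF:2.0|{_HDR}|^|log={_AUDIT}",
}
_HEADER_RE = re.compile(r"\b(CEF|LEEF):[\d.]+\|")  # "CEF:0|" / "LEEF:2.0|" after the timestamp

@dataclass
class AuditEvent:
    fmt: str
    truncated: bool = False                     # JSON could not be fully decoded
    header: list = field(default_factory=list)  # CEF/LEEF pipe-separated header fields
    record: Optional[dict] = None               # decoded audit record, if any

def detect_format(line: str):
    # Returns (format name, offset of the structured header within the line).
    m = _HEADER_RE.search(line)
    if m:
        return m.group(1).lower(), m.start()
    return ("rfc5424", 0) if re.match(r"\d{4}-\d{2}-\d{2}T", line) else ("rfc3164", 0)

def parse_line(line: str) -> AuditEvent:
    fmt, offset = detect_format(line)
    ev, payload = AuditEvent(fmt), line[offset:]
    if fmt in ("cef", "leef"):
        # The JSON itself contains '|' ("sub":"local|<uuid>"): split only the fixed header (7 fields in CEF, 6 in LEEF 2.0).
        parts = payload.split("|", 7 if fmt == "cef" else 6)
        ev.header, payload = parts[:-1], parts[-1]
    start = payload.find("{")
    if start < 0:                # nothing survived past the header
        ev.truncated = True
        return ev
    try:
        # raw_decode allows trailing text; a record cut off by the 1024-byte UDP limit raises and is flagged.
        ev.record, _ = json.JSONDecoder().raw_decode(payload[start:])
    except json.JSONDecodeError:
        ev.truncated = True
    return ev
```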
Creating a Syslog Connection
To create a Syslog connection, run:
Syntax
ksctl connectionmgmt log-forwarder syslog create --name <connection-name> --products <products-name> --description <description> --host <host> --port <port> --transport <transport-protocol> --ca-cert <ca-cert> --message-format <message-format> --meta <Key:Value>
The supported transport modes for sending data are tls, tcp, and udp. The tls mode requires a trusted CA certificate in the PEM format. In udp mode, log messages are limited to a size of 1024 bytes. After this size, the log message is truncated.
Example Request
ksctl connectionmgmt log-forwarder syslog create --name syslog-conn-1 --description conn-description --host 127.0.0.1 --port 1234 --transport tcp --message-format rfc5424
Example Response
{
    "id": "2ecc1922-57e2-416d-9023-95720419fa25",
    "uri": "kylo:kylo:connectionmgmt:connections:syslog-conn-1-2ecc1922-57e2-416d-9023-95720419fa25",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-05-05T04:53:58.893569708Z",
    "updatedAt": "2022-05-05T04:53:58.890021892Z",
    "service": "syslog",
    "category": "log-forwarders",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "syslog-conn-1",
    "description": "conn-description",
    "host": "127.0.0.1",
    "port": 1234,
    "syslog_params": {
        "transport": "tcp",
        "message_format": "rfc5424"
    }
}
Getting Details of a Syslog Connection
To get details of a Syslog connection, run:
Syntax
ksctl connectionmgmt log-forwarder syslog get --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt log-forwarder syslog get --id 2ecc1922-57e2-416d-9023-95720419fa25
Example Response
{
    "id": "2ecc1922-57e2-416d-9023-95720419fa25",
    "uri": "kylo:kylo:connectionmgmt:connections:syslog-conn-1-2ecc1922-57e2-416d-9023-95720419fa25",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-05-05T04:53:58.893569708Z",
    "updatedAt": "2022-05-05T04:53:58.890021892Z",
    "service": "syslog",
    "category": "log-forwarders",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "syslog-conn-1",
    "description": "conn-description",
    "host": "127.0.0.1",
    "port": 1234,
    "syslog_params": {
        "transport": "tcp",
        "message_format": "rfc5424"
    }
}
Updating a Syslog Connection
To update a Syslog connection, run:
Syntax
ksctl connectionmgmt log-forwarder syslog modify --id <Connection-Name/ID> --products <products-name> --description <description> --host <host> --port <port> --transport <transport-protocol> --ca-cert <ca-cert> --message-format <message-format> --meta <Key:Value>
The supported transport modes for sending data are tls, tcp, and udp. The tls mode requires a trusted CA certificate in the PEM format.
Example Request
ksctl connectionmgmt log-forwarder syslog modify --id 9d3af367-d4a3-4838-8663-ce07d3e88353 --host 127.0.0.1
Example Response
{
    "id": "2ecc1922-57e2-416d-9023-95720419fa25",
    "uri": "kylo:kylo:connectionmgmt:connections:syslog-conn-1-2ecc1922-57e2-416d-9023-95720419fa25",
    "account": "kylo:kylo:admin:accounts:kylo",
    "createdAt": "2022-05-05T04:53:58.893569708Z",
    "updatedAt": "2022-05-05T04:53:58.890021892Z",
    "service": "syslog",
    "category": "log-forwarders",
    "last_connection_ok": null,
    "last_connection_at": "0001-01-01T00:00:00Z",
    "name": "syslog-conn-1",
    "description": "conn-description",
    "host": "127.0.0.1",
    "port": 1234,
    "syslog_params": {
        "transport": "tcp",
        "message_format": "rfc5424"
    }
}
Deleting a Syslog Connection
To delete a Syslog connection, run:
Syntax
ksctl connectionmgmt log-forwarder syslog delete --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt log-forwarder syslog delete --id 9d3af367-d4a3-4838-8663-ce07d3e88353
Example Response
There will be no response if the Syslog connection is deleted successfully.
Getting List of Syslog Connections
To list all the Syslog connections, run:
Syntax
ksctl connectionmgmt log-forwarder syslog list
Example Request
ksctl connectionmgmt log-forwarder syslog list
Example Response
{
    "skip": 0,
    "limit": 10,
    "total": 1,
    "resources": [
        {   "id": "2ecc1922-57e2-416d-9023-95720419fa25",
            "uri": "kylo:kylo:connectionmgmt:connections:syslog-conn-1-2ecc1922-57e2-416d-9023-95720419fa25",
            "account": "kylo:kylo:admin:accounts:kylo",
            "createdAt": "2022-05-05T04:53:58.893569708Z",
            "updatedAt": "2022-05-05T04:53:58.890021892Z",
            "service": "syslog",
            "category": "log-forwarders",
            "last_connection_ok": null,
            "last_connection_at": "0001-01-01T00:00:00Z",
            "name": "syslog-conn-1",
            "description": "conn-description",
            "host": "127.0.0.1",
            "port": 1234,
            "syslog_params": {
                "transport": "tcp",
                "message_format": "rfc5424"
            }
        }
    ]
}
Testing an Existing Syslog Connection
To test an existing Syslog connection, run:
Syntax
ksctl connectionmgmt log-forwarder syslog test --id <Connection-Name/ID>
Example Request
ksctl connectionmgmt log-forwarder syslog test --id 9d3af367-d4a3-4838-8663-ce07d3e88353
Example Response
{
    "connection_ok": true
}
Testing a New Syslog Connection
To test the parameters of a new Syslog connection before creating it, run:
Syntax
ksctl connectionmgmt log-forwarder syslog test --host <host> --port <port> --transport <transport-protocol> --ca-cert <ca-cert>
Example Request
ksctl connectionmgmt log-forwarder syslog test --host 127.0.0.1 --port 1234 --transport tcp
Example Response
{
    "connection_ok": true
}