configuration – SGBox Next Generation SIEM & SOAR

Syslog configuration on ESET

SGBox — Mon, 24 Feb 2025 09:12:05 +0000

Syslog configuration on ESET

Following the steps to send logs from ESET (on-premise and Cloud) console to SGBox.

Syslog server Configuration On Premise

Syslog server Configuration On Cloud

Syslog server Configuration On Premise

Syslog server Configuration On Cloud

For more information visit these links:

Syslog configuration on Cortex

SGBox — Fri, 21 Feb 2025 15:11:36 +0000

Syslog configuration on Cortex XDR

Select Settings → Configurations → Integrations → External Applications.
In Syslog Servers, click + New Server.
Define the following parameters:
- Name: for the server profile
- Destination: IP address or fully qualified domain name (FQDN) of SGBox.
- port: number on which to send syslog messages.
- facility: Select one of the syslog standard values. The value maps to how your syslog server uses the facility field to manage messages. For details on the facility field, see RFC 5424
- Protocol: method of communication with the syslog receiver.
  - TCP: No validation is made on the connection with the syslog receiver. However, if an error occurred with the domain used to make the connection, the Test connection will fail.
  - UDP: No error checking, error correction, or acknowledgment. No validation is done for the connection or when sending data.
  - TCP + SSL: Cortex XDR validates the syslog receiver certificate and uses the certificate signature and public key to encrypt the data sent over the connection.
- Certificate: The communication between Cortex XDR and the syslog destination can use TLS. In this case, upon connection, Cortex XDR validates that the syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate. If your syslog receiver uses a self-signed CA, upload your self-signed syslog receiver CA. If you only use a trusted root CA leave the certificate field empty.
  - Note: Up to TLS 1.3 is supported. – Make sure the self-signed CA includes your public key.
  - You can ignore certificate errors. For security reasons, this is not recommended. If you choose this option, logs will be forwarded even if the certificate contains errors.
Test the parameters to ensure a valid connection, and click Create when ready

Syslog configuration on Cisco WLC

SGBox — Thu, 20 Feb 2025 09:18:20 +0000

Syslog configuration on WLC ( GUI )

Go to Management > Logs > Config. The Syslog Configuration (GUI) age appears:
Enter the Syslog Server IP Address and click Add. You can add up to three syslog servers to the controller. The list of syslog servers that have already been added to the controller appears under this text box. If you want to remove a syslog server from the controller, click Remove to the right of the desired server.
To set the Syslog Level (severity) for filtering syslog messages to the syslog servers, choose one of the next options from the Syslog Level drop-down list:
- Emergencies= Severity level 0
- Alerts= Severity level 1 (default value)
- Critical= Severity level 2
- Errors= Severity level 3
- Warnings= Severity level 4
- Notifications= Severity level 5
- Informational= Severity level 6
- Debugging= Severity level 7
  - NOTE: If you set a syslog level, only those messages whose severity is equal to or less than that level are sent to the syslog servers. For example, if you set the syslog level to Notifications (severity level 5), only those messages whose severity is betwen 0 and 5 are sent to the syslog servers.
  - NOTE: If you have enabled logging of Debugging messages to the logging buffer, some messages from application debug could be listed in message log with severity that is more than the level set. For example, if you execute the debug client mac-addr command, the client event log could be listed in message log even though the message severity level is set to Errors.
To set the Syslog Facility for outgoing syslog messages to the syslog servers, choose one of these options from the Syslog Facility drop-down list:
- Kernel= Facility level 0
- User Process= Facility level 1
- Mail= Facility level 2
- System Daemons= Facility level 3
- Authorization= Facility level 4
- Syslog = Facility level 5 (default value)
- Line Printer= Facility level 6
- USENET= Facility level 7
- Unix-to-Unix Copy= Facility level 8
- Cron= Facility level 9
- FTP Daemon= Facility level 11
- System Use 1= Facility level 12
- System Use 2= Facility level 13
- System Use 3= Facility level 14
- System Use 4= Facility level 15
- Local Use 0= Facility level 16
- Local Use 2= Facility level 17
- Local Use 3= Facility level 18
- Local Use 4= Facility level 19
- Local Use 5= Facility level 20
- Local Use 5= Facility level 21
- Local Use 5= Facility level 22
- Local Use 5 = Facility level 23
  - NOTE: For example, selecting Kernel makes only kernel related messages to be sent. Authorization, makes only AAA related messages to be sent, and so on.
Click Apply.

Configuring Syslog on WLC ( CLI )

Enable system logging and set the IP address of the syslog server to which to send the syslog messages by entering this command:
- (Cisco Controller) >config logging syslog host server_IP_address
To remove a syslog server from the controller by entering this command:
- (Cisco Controller) >config logging syslog host server_IP_address delete
Set the severity level for filtering syslog messages to the syslog server by entering this command:
- (Cisco Controller) >config logging syslog level severity_level

Syslog configuration on Ubiquiti

SGBox — Tue, 11 Feb 2025 15:28:20 +0000

Syslog configuration on Ubiquiti

These instructions assume:

The date, time and time zone are correctly set on the device.
You have administration access to the UniFi controller web interface.

Configure syslog:

Log in to the UniFi Controller’s web interface.
Click Settings (the gear icon) in the bottom left corner.
Under the Site heading, navigate to the Remote Logging section.
Select the checkbox beside Enable remote syslog server. Leave the Enable debug logging box unchecked.
Enter the SGBox IP address.
Enter 514 in the Port field.

Click Apply changes.

For more information visit

Syslog configuration on Sentinel

SGBox — Fri, 07 Feb 2025 14:49:56 +0000

Configure Sentinel to send logs to SGBox

Open the SentinelOne Admin Console. Configure SentinelOne to send logs to your Syslog server.

Select your site.
In the left side menu, click the slider icon [⊶] to open the Settings menu.
Open the INTEGRATIONS tab, and fill in the details: ( 3.1 ): Under Types, select SYSLOG ( 3.2 ): Toggle the button to enable SYSLOG: ( 3.3 ): Host – Enter your public SYSLOG server IP address and port. ( 3.4 ): Formatting – Select CEF. ( 3.5 ): Save your changes.

If TLS is selected you will need to upload certificates.

Syslog configuration on ForcePoint

SGBox — Fri, 07 Feb 2025 09:21:07 +0000

ForcePoint

To send logs to SGBox:

Toggle the Enable SIEM logging switch to ON.

Enter the IP address or hostname and communication Port for your SGbox server.
Select a Transport protocol (TCP or UDP).
Configure which logs to send by selecting one or more Threat levels. By default, malicious and suspicious incident logs are forwarded.
Select an SIEM format to use (the default is syslog/CEF).
Click Apply to save your changes.

For further information visit this link: https://www.websense.com/content/support/library/riskvision/v21/system_mgmt/system_logging.aspx

syslog configuration on Zyxel Firewalls

SGBox — Wed, 24 Jul 2024 13:56:31 +0000

Syslog configuration on Zyxel Firewalls

Configure Zyxel Firewalls

Configure Zyxel device to forward syslog data to SGBox

Log into the Zyxel Web Interface.
Navigate to Configuration > Log & Report > Log Settings.

Choose a Remote Server.
Click Active.
Choose Log Format as VRPT/Syslog.
Enter the IP address of the SGBox in Server Address field.
Select Local 7 in Log Facility field.
Select the Categories you want to be logged (normal = default logs, debug = very detailed logs, disable = no logs)

Troubleshooting

Default syslog server port is 514.

Syslog configuration on Bitdefender GravityZone

SGBox — Fri, 28 Jun 2019 14:37:11 +0000

How to configurate Syslog on Bitdefender GravityZone

This guide provides instructions to configure Bitdefender GravityZone to forward Bitdefender GravityZone
logs via syslog. The configurations detailed in this guide are consistent with Bitdefender GravityZone (on-prem) v6.5 to 7.0.

Requirements:

Admin access to Bitdefender GravityZone (on-prem) console. If you have cloud console you need to follow this guide.

Note: Bitdefender GravityZone supports the syslog option from v6.50 to 7.0.

Following are the steps to configure Bitdefender Gravityzone ( On-premises) to send logs to SGBox.

Log in to GravityZone Control center.
Click on Configuration > Miscellaneous.
Put the flag on Enable Syslog and write the IP of your SGBox.
Enter SGBox port (514) and select protocol UDP.

Click on configuration button ( the rowel ) in the top-right corner

Define the events you want send to SGBox

After data source appears in SGBox you need to install following package from SCM > Application > Pacakges:

Syslog configuration on ESXi – Vmware

SGBox — Fri, 28 Jun 2019 14:34:05 +0000

How to configurate Syslog on ESXi

On ESXi environment is not necessary to install a specific agent to send log to SGBox. The syslog protocol will be used. Just type following instructions:

esxcli system syslog config set --loghost udp://SGBOXIP:514
esxcli network firewall ruleset set -r syslog -e true
esxcli system syslog reload

To view current configuration type:

esxcli system syslog config get

Be careful, instructions may be change base on version installed.
If SSH service is not enable you enable it by console.

You can also configure you vCenter: https://vCenter-IP:5480