The Syslog Server Sensor App

Role Availability Read-Only Investigator Analyst Manager

Syslog is a message-logging standard supported by most devices and operating systems. USM Anywhere uses Syslog-ng, which supports IETF-syslog protocol, as described in RFC 5424 and RFC 5426; and BSD-syslog-formatted messages, as described in RFC 3164. While RFC 5424 and RFC 3164 define the format and rules for each data element within the syslog header, there can be a great deal of variance in the message content received from your data sources. Although Syslog-ng fixes some missing or incorrect headers, USM Anywhere doesn’t support syslog-formatted messages other than the ones previously mentioned.

Note: You can send syslog messages to USM Anywhere directly from the data source or use log-forwarding software such as Splunk or Loggly. USM Anywhere accepts most log-forwarding software that doesn't alter the raw log messages.

The USM Anywhere Sensors use the syslog server app to collect syslog messages for processing. The USM Anywhere Sensor passively listens on the syslog ports.

The following tables list the ports that require the syslog server app for the RFC 3164 and RFC 5424 protocols.

Ports the Syslog Server App Requires for Specific Protocols (RFC 3164)
Protocol Port BSD – Syslog Protocol Support

UDP

514

USM Anywhere collects data through syslog over UDP on port 514 by default.

TCP

601

USM Anywhere collects data through syslog over TCP on port 601 by default.

TLS/TCP

6514

USM Anywhere collects Transport Layer Security (TLS)-encrypted data through syslog over TCP on port 6514 by default.

Important: USM Anywhere requires the use of the TLS 1.2 protocol to ensure security.

Ports the Syslog Server App Requires for Specific Protocols (RFC 5424)
Protocol Port IETF – Syslog Protocol Support
TCP 602 USM Anywhere collects data through syslog over TCP on port 602 by default.
TLS 6515

USM Anywhere collects data through syslog over TLS on port 6515 by default.

Important: USM Anywhere requires the use of the TLS 1.2 protocol to ensure security.

Important: Make sure that the required ports are open for these protocols within your security groups and firewalls.

Configure Syslog on Your Data Sources

For each of the data sources in your network where you want to collect syslog data, you must forward the logs to a USM Anywhere Sensor. Use the following configuration information to use rsyslog Open source software utility implementing the syslog protocol to forward log messages to/from UNIX and Linux-based computers operating in a TCP/IP network environment. to collect and send syslog to your USM Anywhere Sensor. Many third-party systems and devices support other methods for sending syslog messages. Go to the specific AlienApp in USM Anywhere for instructions about syslog forwarding.

Note: The *.* configuration enables you to forward all syslog messages. However, AT&T Cybersecurity strongly recommends that you use any of the rsyslog filtering capabilities to forward only the logs that need to be monitored by USM Anywhere.

Important: You have to use the following syntax in the /etc/rsyslog.conf with older version of rsyslog:

*.* @remote_server:port

Standard Syslog over UDP

To configure syslog over UDP, you need to configure rsyslog on your data source to forward the logs to your USM Anywhere Sensor over the UDP port (the default is 514).

*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") # send (all) messages - Forward to the USM Anywhere Sensor IP address

Where <IP> is the IP address for the USM Anywhere Sensor.

Standard Syslog over TCP

To configure syslog over TCP, you need to configure rsyslog on your data source to forward the logs to your USM Anywhere Sensor over the TCP port (default 601).

*.* action(type="omfwd" target="<IP>" port="601" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") # send (all) messages - Forward to the USM Anywhere Sensor IP address

Where <IP> is the IP address for the USM Anywhere Sensor.

TLS-Encrypted Syslog over TCP

If you want to enable encrypted syslog communications between a host and the USM Anywhere Sensor to comply with your organization's security policies that require encryption of log data in transit, you can configure syslog TLS/TCP forwarding. TLS uses certificates to encrypt the communication between a client (the data source) and server (the USM Anywhere Sensor).

To configure syslog for TLS over TCP, you need to configure rsyslog on your data source to use TLS encryption and forward the logs to your USM Anywhere Sensor over the default port (6514 or 6515). The following configuration information is tested on Ubuntu 16.04 using rsyslog 8. For Red Hat Linux distributions, use rpm or yum in place of apt-get. For other systems supporting rsyslog TLS configuration, you can extrapolate from this information.

Note: For devices such as Trend Micro and Palo Alto Networks, AT&T Cybersecurity requires you to upload your own certificates to both the device and the USM Anywhere Sensor. See Upload Your Own Certificate for more information.

Note: When redeploying a sensor with TLS syslog encryption enabled, the new sensor will not maintain your previous encryption configuration. You must configure your TLS syslog encryption again for the redeployed sensor:

  • If you have used the default sensor certificates, the redeployed sensor will have generated new certifications. Be sure to use the new sensor certifications when reconfiguring your TLS syslog encryption.
  • If you have used your own TLS certificates you must reupload your PEM files again, but they can be the same PEM files you used originally.

Check the Syslog Collection Status

After you have configured the syslog forwarding policy on the required data sources, you can verify the log forwarding in USM Anywhere. When you select the sensor on the Syslog Server page, the Health column displays for each of the syslog protocols where the sensor has received a packet within the last 10 minutes.

Check the status information to determine if the sensor is currently receiving syslog packets

Scroll down to the Stats section to review more detailed information about the syslog activity on the sensor.

Review the information in the Stats tab to verify syslog packets received by the Sensor

  • Number of Syslog Packets Received: Number of packets received by the sensor since it has been up and running. (Restarting the sensor resets this counter.)
  • Received Syslog from the following IPs: List of IP addresses forwarding logs to the sensor. There is a maximum of 100 IPs, and IPs not sending logs in the last 24 hours are discarded. (Restarting the sensor resets this list.)

Disable Syslog Collection on a USM Anywhere Sensor

The syslog server app is enabled for log collection by default for each deployed USM Anywhere Sensor. If you want to disable the app for a particular sensor, complete the following procedure.

To disable syslog data collection on a sensor

  1. In USM Anywhere, go to Data Sources > Sensors.
  2. Click the Sensor Apps tab.
  3. In the left navigation menu, click Syslog Server.
  4. Select the sensor where you want to disable the app.

    Select a deployed Sensor

  5. Click Disable.