Send output to syslog

Contrast allows you to send security logs to a remote syslog server in addition to the Contrast Security log. Syslog data is in common event format (CEF) and can be parsed by most security incident event management (SIEM) software.

Important

You must apply a Protect license to the server that has syslog output enabled.

You may have to enable remote logging so that your syslog can receive outside messages.

Syslog output isn't supported over TCP. You must use UDP port 514.

  1. When configuring the default organization server settings, select the checkbox to Enable output of Protect events to syslog, which reveals additional fields, and then enter the appropriate settings.

  2. Select Servers in the header to enable and configure syslog output to an individual server or multiple servers at one time. If syslog defaults have already been set at an organization level, the values will be pre-populated for server-level settings.

    • Individual server: To enable syslog on an individual server, hover over the grid row, and select the Server settings icon.

    • Multiple servers: Use the check marks to select multiple servers, and select the Server Settings icon in the batch action menu that appears at the bottom of the page.

      Note

      If one or more of the selected servers is not eligible to have syslog enabled, it will only be enabled on eligible servers.

  3. In the Server settings window, select the box to Send output of Protect events to syslog. (For multiple servers, you will need to select Edit next to the checkbox first).

    Note

    If eligible servers selected are in different environments, you can choose to use the default settings for the applicable servers or manually configure the settings for all servers.

    Image shows server settings window with the options listed below.
  4. Enter the Syslog server host. This can be the full qualified domain name (not just the hostname) or the IP address. For example: email.mydomainname.com or 38.124.154.50.

  5. Enter the Port.

  6. Enter the Facility.

  7. Enter the Syslog message severity.

  8. Save the settings to enable syslog on the server.

  9. When syslog is enabled, the server has a gray arrow icon beside its name in the grid. Hover over the icon to see the output location of Protect events.

    To edit server settings, repeat the steps above to update the values in the appropriate configuration form, and save your changes.