This article describes the configuration for using the Syslog Collector. This app is designed to aggregate threat events from 3rd party vendors when the RocketCyber SOC platform does not have an existing purpose-built integration for such vendor.
Common Event Format (CEF) and Log Extended Event Format (LEEF) are open standard Syslog formats adopted across numerous application, cloud and hardware vendors for log management and security information interoperability.
This app works specifically for vendors supporting Syslog CEF and LEEF log formats.
Configure the Syslog Collector
- Navigate to App Store, and enable the Syslog Collector
- Go in context as the tenant where data is to be aggregated. This app is configured at the customer level.
- Click on the gear to configure.
- Select a Device from the dropdown menu and then click Create. (A Rocketagent must be deployed to a Windows device prior to the configuration)
- UDP Port - the default configuration is set to UDP:514. If other applications or services are leveraging this protocol/port on the designated computer, it is recommended to modify the default configuration to a non-utilized port such as 541 or 551.
- IP Address - when selecting the computer from the dropdown for syslog facilitation, it is recommended to change this from DHCP to a STATIC address.
- Device selection - when considering which device to utilize, ensure that inbound UDP traffic is permitted and not blocked. It is ideal to select an always on device.