The Syslog connector sets up listeners for Syslog messages, supporting both TCP and UDP transmission, and when a message is received, it triggers the FortiSOAR™ playbooks for automated creation of alerts and other predefined response actions.
Connector Version: 1.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Syslog connector in version 1.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-syslog
syslog rpm has a dependency on the lsof package. If you are installing the rpm offline, you must install the lsof rpm prior to configuring the Syslog connector on the FortiSOAR™ instance.firewall-cmd --zone=public --add-port=1514/udp --permanent
firewall-cmd --reloadFor the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Syslog connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Listener Protocol | Select the protocol to be used by the listener. You can choose from the following options:
|
| Listener Port | Specify the port on which the listener starts. Since the listener is started as a non-root user, ensure that you provide a port higher than 1024. |
| FortiSOAR Endpoint | Specify API Trigger URL for the playbook to be triggered when a Syslog message is received.
NOTE: |
| Filter String | (Optional) Specify the string to filter retrieved messages from Syslog. Only messages containing this text would be forwarded to FortiSOAR™. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Start Listener | Starts the listener for a given configuration.
NOTE: The listener for a configuration starts as soon as the configuration is added, or when the connector is activated. |
start_listener Investigation |
| Stop Listener | Stops the listener for a given configuration.
NOTE: The listener for a configuration stops as soon as the configuration is deleted, or when the connector is deactivated. |
stop_listener Investigation |
| Restart Listener | Restarts the listener for a given configuration. | restart_listener Investigation |
| Parse Message | Parses the Syslog messages and returns a JSON with the message fields. | parse_message Investigation |
| Parameter | Description |
|---|---|
| Message Format | Specify whether the message to be parsed is in the RFC 3164 or RFC 5424 format. |
| RFC | Select the RFC format in which to parse the message. You can choose from the following options:
|
Note: The message complying with both the RFC 3164 and RFC 5424 specifications can be parsed.
The output contains the following populated JSON schema:
{
"header": "",
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"status": 0,
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"status": 0,
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"status": 0,
"message": ""
}
The Sample - Syslog - 1.2.0 playbook collection comes bundled with the Syslog connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Syslog connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from Syslog. Currently, data ingested from Syslog is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Syslog's data to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Syslog into FortiSOAR™. It also lets you pull some sample data from Syslog using which you can define the mapping of data between Syslog and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Syslog data.
To begin configuring data ingestion, click Configure Data Ingestion on the Syslog connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Data screen.
Sample data is required to create a field mapping between Syslog data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch data from Syslog.
The fetched data is used to create a mapping between the data from Syslog and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested data Syslog to the fields of a Alerts present in FortiSOAR™.
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
This could be due to one of the following reasons:
The listener logs are written to /var/log/cyops/cyops-integrations/syslog/listener.log. Check this log file for the exact reason for the failure.
The Syslog connector sets up listeners for Syslog messages, supporting both TCP and UDP transmission, and when a message is received, it triggers the FortiSOAR™ playbooks for automated creation of alerts and other predefined response actions.
Connector Version: 1.2.0
FortiSOAR™ Version Tested on: 7.6.0-5012
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Syslog connector in version 1.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-syslog
syslog rpm has a dependency on the lsof package. If you are installing the rpm offline, you must install the lsof rpm prior to configuring the Syslog connector on the FortiSOAR™ instance.firewall-cmd --zone=public --add-port=1514/udp --permanent
firewall-cmd --reloadFor the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the Syslog connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Listener Protocol | Select the protocol to be used by the listener. You can choose from the following options:
|
| Listener Port | Specify the port on which the listener starts. Since the listener is started as a non-root user, ensure that you provide a port higher than 1024. |
| FortiSOAR Endpoint | Specify API Trigger URL for the playbook to be triggered when a Syslog message is received.
NOTE: |
| Filter String | (Optional) Specify the string to filter retrieved messages from Syslog. Only messages containing this text would be forwarded to FortiSOAR™. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Start Listener | Starts the listener for a given configuration.
NOTE: The listener for a configuration starts as soon as the configuration is added, or when the connector is activated. |
start_listener Investigation |
| Stop Listener | Stops the listener for a given configuration.
NOTE: The listener for a configuration stops as soon as the configuration is deleted, or when the connector is deactivated. |
stop_listener Investigation |
| Restart Listener | Restarts the listener for a given configuration. | restart_listener Investigation |
| Parse Message | Parses the Syslog messages and returns a JSON with the message fields. | parse_message Investigation |
| Parameter | Description |
|---|---|
| Message Format | Specify whether the message to be parsed is in the RFC 3164 or RFC 5424 format. |
| RFC | Select the RFC format in which to parse the message. You can choose from the following options:
|
Note: The message complying with both the RFC 3164 and RFC 5424 specifications can be parsed.
The output contains the following populated JSON schema:
{
"header": "",
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"status": 0,
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"status": 0,
"message": ""
}
None.
The output contains the following populated JSON schema:
{
"status": 0,
"message": ""
}
The Sample - Syslog - 1.2.0 playbook collection comes bundled with the Syslog connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Syslog connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling data from Syslog. Currently, data ingested from Syslog is mapped to Alerts in FortiSOAR™. For more information on the Data Ingestion Wizard, see the Connectors Guide in the FortiSOAR™ product documentation.
You can configure data ingestion using the Data Ingestion Wizard to seamlessly map the incoming Syslog's data to FortiSOAR™'s Alerts.
The Data Ingestion Wizard helps you to configure the scheduled pulling of data from Syslog into FortiSOAR™. It also lets you pull some sample data from Syslog using which you can define the mapping of data between Syslog and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to the Syslog data.
To begin configuring data ingestion, click Configure Data Ingestion on the Syslog connector's Configurations page.
Click Let's Start by fetching some data, to open the Fetch Data screen.
Sample data is required to create a field mapping between Syslog data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
On the Fetch Data screen, provide the configurations required to fetch data from Syslog.
The fetched data is used to create a mapping between the data from Syslog and FortiSOAR Alerts. Once you have completed specifying the configurations, click Fetch Data.
On the Field Mapping screen, map the fields of the ingested data Syslog to the fields of a Alerts present in FortiSOAR™.
For more information on field mapping, see the Data Ingestion chapter in the Connectors Guide in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.
The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.
This could be due to one of the following reasons:
The listener logs are written to /var/log/cyops/cyops-integrations/syslog/listener.log. Check this log file for the exact reason for the failure.