Resolving issues with the transfer of syslog data
To resolve issues with sending syslog data from Web Gateway to Trellix ESM, several measures can be taken.
- Review the configuration on Web Gateway and make sure that the following applies:
- The Send syslog rule is enabled.
- The IP address of the Skyhigh Security SIEM Receiver is correctly specified in the rsyslog configuration file, and the port matches the one the Receiver listens on.
- Review the configuration on Trellix ESM.
For more information on this step and on others that are performed on Trellix ESM, see the documentation on Trellix ESM and the Data Source Configuration Guide. The guide is provided in the online rule set library under SIEM (Nitro) Integration.
- Verify that syslog data is actually leaving Web Gateway, for example, by running the following command from a system console on the appliance (it captures syslog traffic on port 514 on all interfaces; adjust the port if a different one is configured in rsyslog):
tcpdump -s 0 -i any port 514
- Verify that syslog data is received on the Skyhigh Security SIEM Receiver.
- Verify that the syslog log is generated on Web Gateway in the proper format: one record per line, starting with the SWG prefix, followed by key=value fields separated by the | character.
Entries in the syslog log usually look as follows:
SWG|time_stamp=[30/Mar/2014:05:18:16 +0000]|auth_user=|src_ip=172.18.19.225|server_ip=188.8.131.52|host=www.nitroguard.com|url_port=80|status_code=200|bytes_from_client=187|bytes_to_client=272|categories=|rep_level=|method=GET|url=http://www.nitroguard.com/ngdb.dll?NG:StartIt:0|media_type=|application_name=|user_agent=Mozilla/4.0 (compatible; Synapse)|block_res=0|block_reason=|virus_name=|hash=|
SWG|time_stamp=[30/Mar/2014:05:18:20 +0000]|auth_user=|src_ip=172.18.19.225|server_ip=184.108.40.206|host=www.nitroguard.com|url_port=80|status_code=200|bytes_from_client=376|bytes_to_client=200|categories=|rep_level=|method=GET|url=http://www.nitroguard.com/ngdb.dll?NG:DoIt:0:Info=D8BC0B7C97D2C352AFE4643FEA44AE4D4C70F79271D4620B64294729E046CB607B5458AC24BA31B061A12313E016EB7F62ED267DC6FE9A02A552681347EF796303514934EE08EF0DA76B27F5EEA225B0DB274367AF4FEA574EA6137728|media_type=|application_name=|user_agent=Mozilla/4.0 (compatible; Synapse)|block_res=0|block_reason=|virus_name=|hash=|
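The format check in the last step can be automated. The following script is an added example, not code from Skyhigh Security or Trellix: it parses records in the layout shown above (an SWG prefix, then key=value fields separated by |) and reports lines that are missing fields, carry a time_stamp in a different format, or lack the prefix. Treating every field in the sample record as mandatory, and the IP addresses and log lines used as input, are assumptions made for this check; the sample lines are constructed, not taken from a real gateway.

```python
"""Format check for the pipe-delimited syslog records Web Gateway sends to Trellix ESM.

Added example, not code from Skyhigh Security or Trellix. It assumes the record
layout shown above: an "SWG" prefix followed by key=value fields separated by "|".
"""
import ipaddress
from datetime import datetime

# Field names taken from the sample record above; treating all of them as mandatory
# is an assumption for this check. Values may be empty (e.g. auth_user=).
EXPECTED_FIELDS = (
    "time_stamp", "auth_user", "src_ip", "server_ip", "host", "url_port",
    "status_code", "bytes_from_client", "bytes_to_client", "categories",
    "rep_level", "method", "url", "media_type", "application_name",
    "user_agent", "block_res", "block_reason", "virus_name", "hash",
)
TIME_FORMAT = "[%d/%b/%Y:%H:%M:%S %z]"   # e.g. [30/Mar/2014:05:18:16 +0000]
NUMERIC_FIELDS = ("url_port", "status_code", "bytes_from_client",
                  "bytes_to_client", "block_res")


def parse_swg_record(line):
    """Parse one record into a dict; raise ValueError describing the first defect."""
    parts = line.rstrip("\r\n").split("|")
    if parts[0] != "SWG":
        raise ValueError("record does not start with the SWG prefix")
    if parts[-1] != "":
        raise ValueError("record is not terminated by a trailing '|'")
    fields = {}
    for token in parts[1:-1]:
        # Split on the first "=" only: URLs and user agents may contain "=".
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError("token %r is not key=value" % token)
        if key in fields:
            raise ValueError("duplicate field %r" % key)
        fields[key] = value
    missing = [k for k in EXPECTED_FIELDS if k not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    try:
        fields["time_stamp"] = datetime.strptime(fields["time_stamp"], TIME_FORMAT)
    except ValueError:
        raise ValueError("time_stamp %r does not match %s"
                         % (fields["time_stamp"], TIME_FORMAT))
    for key in ("src_ip", "server_ip"):
        if fields[key]:
            try:
                ipaddress.ip_address(fields[key])
            except ValueError:
                raise ValueError("%s=%r is not an IP address" % (key, fields[key]))
    for key in NUMERIC_FIELDS:
        if fields[key] and not fields[key].isdigit():
            raise ValueError("%s=%r is not numeric" % (key, fields[key]))
    return fields


def check_swg_log(text):
    """Return (parsed_records, problems); problems is a list of (line_number, message)."""
    records, problems = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            records.append(parse_swg_record(line))
        except ValueError as exc:
            problems.append((number, str(exc)))
    return records, problems


# Constructed sample: a well-formed record, one with a time_stamp in the wrong
# format, and one that lost its SWG prefix. IPs are from the documentation range.
SAMPLE_LOG = """\
SWG|time_stamp=[30/Mar/2014:05:18:16 +0000]|auth_user=|src_ip=172.18.19.225|server_ip=192.0.2.10|host=www.nitroguard.com|url_port=80|status_code=200|bytes_from_client=187|bytes_to_client=272|categories=|rep_level=|method=GET|url=http://www.nitroguard.com/ngdb.dll?NG:StartIt:0|media_type=|application_name=|user_agent=Mozilla/4.0 (compatible; Synapse)|block_res=0|block_reason=|virus_name=|hash=|
SWG|time_stamp=2014-03-30 05:18:20|auth_user=|src_ip=172.18.19.225|server_ip=192.0.2.10|host=www.nitroguard.com|url_port=80|status_code=200|bytes_from_client=376|bytes_to_client=200|categories=|rep_level=|method=GET|url=http://www.nitroguard.com/|media_type=|application_name=|user_agent=Mozilla/4.0 (compatible; Synapse)|block_res=0|block_reason=|virus_name=|hash=|
time_stamp=[30/Mar/2014:05:18:21 +0000]|auth_user=|src_ip=172.18.19.225|
"""

if __name__ == "__main__":
    ok, bad = check_swg_log(SAMPLE_LOG)
    print("%d well-formed record(s)" % len(ok))
    for number, message in bad:
        print("line %d: %s" % (number, message))
```

Run it against a copy of the syslog log taken from the appliance (replace SAMPLE_LOG with the file contents) before looking at the Receiver side: a record that fails here will not be parsed correctly by the ESM data source either, so a non-empty problem list points at the Send syslog rule or its log format rather than at the transport.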