Syslog Event Forwarder (CEF Format)
Event Manager offers an out-of-the-box integration that automatically pushes notifications for Event Manager-controlled events to your preferred environment through Syslog.
Configuration within Event Manager
The following instructions explain how to set up a direct Syslog (CEF) integration within your Event Manager environment:
- Navigate to Configuration Home > Settings > Advanced Alert and Automation Configuration.
- From the Alarms tab, expand Event Manager and select Send Event Assigned to Syslog (CEF) to send an alert each time an event is assigned to a user. Alternatively, select Send Security Alert Event to Syslog (CEF) to send an alert each time a Security Control with enabled notifications triggers an alert.
- In the Send Event Assigned to Syslog (CEF) (or Send Security Alert Event to Syslog (CEF)) panel, click the Actions tab and, next to Run An External Application, click the Edit icon.
- In the Parameters field, enter values for -SyslogServer, -SyslogPort and -SyslogProtocol (UDP or TCP): replace the _SYSLOGSERVER_ literal with your Syslog server, and set -SyslogPort and -SyslogProtocol to your own settings.
Once you have successfully set up the connection between Event Manager and your Syslog server, notifications for all Event Manager-controlled events are received automatically by the Syslog server, as shown below.
Syslog (CEF) Event Formats
Header Fields
| Name | Event Manager Variable |
|---|---|
| Version | 0 |
| DeviceVendor | HelpSystems |
| DeviceProduct | Event Manager |
| DeviceVersion | Current |
| DeviceEventClassID | Event type: Incident, Threat or Highlighted Event |
| Name | Control name |
| Severity | 2 if Event type is Incident, 4 if Event type is Threat and 5 if Event type is Highlighted Event |
Event Producer Extension Fields
| Name | Event Manager Variable |
|---|---|
| cat | Event type: Incident, Threat or Highlighted Event |
| src | Source Workstation |
| dst | Destination Workstation |
| duser | User Name |
| suser | Operator Name |
| msg | Complete message |
| cs1 | Name of the Control |
| cs1Label | Control Name |
| cs2 | Name of the Classification Rule |
| cs2Label | Classification Rule |
| cs3 | Control Treatment Instructions |
| cs3Label | Treatment Instructions |
| cs4 | Name of the Audited Asset |
| cs4Label | Audited Asset |
| cs6 | Link to the details of the event |
| cs6Label | Event Link |
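The following is an added example, not code from Event Manager or HelpSystems: a small receiver-side parser for records in the format described by the two tables above. It splits the seven CEF header fields (honouring escaped pipes), extracts the key=value extension pairs (honouring escaped `=`), resolves the csN/csNLabel pairs into their labels, and checks that the Severity value agrees with the event type mapping the header table documents. The sample record, hostnames and user names are constructed for illustration.

```python
import re

# Severity documented for each event type; HEADER_NAMES follow the header table.
EXPECTED_SEVERITY = {"Incident": "2", "Threat": "4", "Highlighted Event": "5"}
HEADER_NAMES = ["Version", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                "DeviceEventClassID", "Name", "Severity"]
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def _unescape(text):  # undo CEF escaping: \= \| \\ and the \n / \r sequences
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), text)

def _split_header(line):
    """Split the seven '|'-separated header fields; an escaped '\\|' does not split."""
    fields, buf, i = [], "", 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and i + 1 < len(line):
            buf += line[i:i + 2]; i += 2; continue
        if line[i] == "|":
            fields.append(_unescape(buf)); buf = ""
        else:
            buf += line[i]
        i += 1
    return fields, line[i:]  # remainder is the extension text

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF record."""
    fields, ext_text = _split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF header")
    header = dict(zip(HEADER_NAMES, fields))
    header["Version"] = header["Version"][len("CEF:"):]
    keys = list(_KEY_RE.finditer(ext_text))  # key= positions; '\=' inside values is skipped
    ext = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return header, ext

def labelled_customs(ext):
    """Resolve csN/csNLabel pairs, e.g. {'Control Name': 'Suspicious Logon'}."""
    return {ext[k + "Label"]: v for k, v in ext.items()
            if re.fullmatch(r"cs\d", k) and k + "Label" in ext}

def severity_matches_type(header):
    """True when Severity agrees with the event type mapping documented above."""
    return EXPECTED_SEVERITY.get(header["DeviceEventClassID"]) == header["Severity"]

# Constructed sample record following this page's field mapping (not real data).
SAMPLE = ("CEF:0|HelpSystems|Event Manager|Current|Threat|Suspicious Logon|4|"
          "cat=Threat src=WS-017 dst=DC-01 duser=jdoe suser=analyst1 "
          "msg=Logon at 03:12 \\= after hours cs1=Suspicious Logon cs1Label=Control Name")
```

A record whose Severity does not match its DeviceEventClassID is worth alerting on in the SIEM, since it indicates the sending side is not producing the format this page documents.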
The Syslog (CEF) action writes its log to: %Program Files%/Helpsystems/SmartConsole/logs/SendToSyslog_CEF_Alarms.log