The log export feature in UserGate allows you to upload the information to external servers for later analysis or for processing in SIEM (Security Information and Event Management) systems.
UserGate supports the following logs:
- Events
- Web access
- IPS
- Traffic
The system supports sending logs to SSH (SFTP), FTP and Syslog servers. For SSH and FTP servers you can set up a schedule according to which the logs are sent. Sending to Syslog servers is performed each time a new record is added to a log.
To start sending logs, you should create a logs export configuration in the Logs export section.
Specify the following parameters when creating a new configuration:
| Name | Description |
|---|---|
| Name | Name of the log export rule |
| Description | Optional field for the rule description |
| Logs for export | Select the logs to export and set the log format for each log type. Consult your SIEM documentation to select the correct format type. |
| Server type | SSH (SFTP), FTP, Syslog |
| Server address | IP address or domain name of the server |
| Transport | Only for Syslog servers (TCP or UDP) |
| Port | Server port to which the data should be sent |
| Protocol | Only for Syslog servers. Choose the protocol compatible with your SIEM: RFC 5424 or BSD syslog (RFC 3164). |
| Severity | Only for Syslog servers. Optional field. Consult your SIEM documentation to select the correct value. Possible values: 0 - Emergency (system is unusable); 1 - Alert (action must be taken immediately); 2 - Critical (critical conditions); 3 - Error (error conditions); 4 - Warning (warning conditions); 5 - Notice (normal but significant condition); 6 - Informational (informational messages); 7 - Debug (debug-level messages) |
| Facility | Only for Syslog servers. Optional field. Consult your SIEM documentation to select the correct value. Possible values: 0 - kernel messages; 1 - user-level messages; 2 - mail system; 3 - system daemons; 4 - security/authorization messages; 5 - messages generated internally by syslogd; 6 - line printer subsystem; 7 - network news subsystem; 8 - UUCP subsystem; 9 - clock daemon; 10 - security/authorization messages; 11 - FTP daemon; 12 - NTP subsystem; 13 - log audit; 14 - log alert; 15 - clock daemon (note 2) |
| Hostname | Only for Syslog servers. The hostname field identifies the machine that originally sent the syslog message. It should be a Fully Qualified Domain Name (FQDN). |
| App-Name | Only for Syslog servers. The App-Name field should identify the device or application that originated the message. It is a string without further semantics, intended for filtering messages on a relay or collector. |
| Login | Username of the account used for connecting to the remote server. Not applicable for Syslog servers |
| Password | Password of the account used for connecting to the remote server. Not applicable for Syslog servers |
| Repeat password | Confirmation of the password of the account used for connecting to the remote server. Not applicable for Syslog servers |
| Directory path | Server folder into which the log files will be copied. Not applicable for Syslog servers |
| Schedule | Select a schedule for sending logs. Not applicable for Syslog servers. Possible values: If you set the value manually, use the crontab-like format in which a string consists of six fields separated with spaces. Time in fields is specified in the following format: (minutes: 0-59) (hours: 0-23) (days of month: 0-31) (month: 0-12) (days of week: 0-6, 0 - Sunday). You can also use the following symbols in the first five fields: |
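The Severity and Facility values chosen in the rule are combined into the syslog PRI header, and the Protocol setting decides whether the record is framed as RFC 5424 or BSD syslog (RFC 3164). The following Python script is an added example, not UserGate documentation or product code: it builds the header a collector would receive for both protocols and decodes PRI back into facility and severity the way a SIEM parser does; the hostname, App-Name and log record are constructed, and the RFC 5424 fields the export rule does not expose are assumed to be sent as NILVALUE.

```python
# Added example; not part of the UserGate documentation or product.
import re
from datetime import datetime, timezone

SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity, with the ranges the syslog RFCs allow."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def rfc5424(facility, severity, hostname, app_name, msg, ts):
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    # PROCID, MSGID and STRUCTURED-DATA are not rule parameters, so they are
    # assumed to be NILVALUE ("-") here.
    return (f"<{pri(facility, severity)}>1 {ts.isoformat()} "
            f"{hostname} {app_name} - - - {msg}")

def rfc3164(facility, severity, hostname, app_name, msg, ts):
    # <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG  (space-padded day, no year or zone)
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {app_name}: {msg}"

def decode_pri(line: str) -> dict:
    """Split the PRI header into facility/severity and detect the framing."""
    m = re.match(r"^<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI header")
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": facility, "severity": severity,
            "severity_name": SEVERITY[severity],
            "rfc5424": line.startswith("1 ", m.end())}

# Constructed sample: a web access record sent with facility 13 (log audit)
# and severity 6 (Informational) from a constructed FQDN and App-Name.
SAMPLE_TS = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = dict(facility=13, severity=6, hostname="ug.example.com",
              app_name="usergate", msg="web access: allow 10.0.0.5 -> example.org")

def sample_messages() -> dict:
    return {"rfc5424": rfc5424(**SAMPLE, ts=SAMPLE_TS),
            "rfc3164": rfc3164(**SAMPLE, ts=SAMPLE_TS)}

if __name__ == "__main__":
    for fmt, line in sample_messages().items():
        print(fmt, line, decode_pri(line), sep="\n  ")
```

A mismatch between the Protocol chosen here and the parser the SIEM expects shows up as the timestamp and hostname landing in the wrong fields, so checking the decoded header once on the collector side is a cheap validation of a new export rule.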