17.1.9. Log Export

The UserGate logs export feature allows you to upload information to external servers for later analysis or SIEM (security information and event management) processing.

UserGate allows you to export the following logs:

  • Event log.

  • Web access log.

  • IDPS log.

  • Traffic log.

  • SCADA log.

  • SSH inspection log.

Sending logs to SSH (SFTP), FTP, and Syslog servers is supported. Logs are sent to SSH and FTP servers according to the schedule specified in the configuration. For Syslog servers, logs are sent immediately after a record is added to the log.

To send logs, you must create log export configurations in the Logs export section.

When creating a configuration, provide the following parameters:

Name

Description

Rule name

Name of the log export rule.

Description

Optional field for rule description.

Logs to export

Select logs to export:

  • Event log.

  • Web access log.

  • IDPS log.

  • Traffic log.

  • SCADA log.

  • SSH inspection log.

For each log, you can specify the export syntax:

  • CEF: Common Event Format (ArcSight)

  • JSON: JSON format

  • @CEE: JSON: CEE Log Syntax (CLS) Encoding JSON.

To select the desired log export format, refer to the documentation for the SIEM system you are using.

For a detailed description of log formats, see Appendix 3. Log format description.

Server type

SSH (SFTP), FTP, Syslog.

Server address

IP address or domain name of the server.

Transport

TCP or UDP; applicable only to Syslog servers.

Port

The server port to which the data should be sent.

Protocol

RFC5424 or BSD syslog RFC 3164; applicable only to Syslog servers. Select a protocol compatible with the SIEM system you are using.

Severity

Only for Syslog server type. Optional field; consult the documentation for your SIEM system. Available values:

  • Alert: state that requires immediate intervention.

  • Critical: a state that requires immediate intervention or signals a fault in the system.

  • Errors: errors detected in the system.

  • Warnings: warnings on potential errors that can occur if no action is taken.

  • Notice: events that relate to unusual system behavior but are not errors.

  • Info: information messages.

Facility

Only for Syslog server type. Optional field; consult the documentation for your SIEM system. Available values:

  • User-level messages.

  • System daemon.

  • Security/Authorization.

  • Log audit.

  • Alert.

  • Local 0.

  • Local 1.

  • Local 2.

  • Local 3.

  • Local 4.

  • Local 5.

  • Local 6.

  • Local 7.

Hostname

Only for Syslog server type. A unique host name identifying the server that sends data to the Syslog server in the FQDN (Fully Qualified Domain Name) format.

App-Name

Only for Syslog server type. Unique name of the application that sends data to the Syslog server.

Login name

The account name for connecting to the remote server. Does not apply to the Syslog sending method.

Password

Account password for connecting to the remote server. Does not apply to the Syslog sending method.

Directory path

Server directory to copy log files to. Does not apply to the Syslog sending method.

Schedule

Select schedule for sending logs. Does not apply to the Syslog sending method. The available options are:

  • Daily.

  • Weekly.

  • Monthly.

  • Every ... hours.

  • Every ... minutes.

  • Advanced.

With the Advanced option, a crontab-like format is used where the date/time string consists of six space-separated fields. The fields specify the time as follows: (minutes: 0-59) (hours: 0-23) (days of the month: 1‑31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using:

  • An asterisk (*): denotes the entire range (from the first number to the last).

  • A dash (-): denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • An asterisk or range spacing. Used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".

Manage logs

Manage temporary log files prepared for sending to remote SSH and FTP servers.

When sending logs to SSH and FTP servers, UserGate saves the data to send in temporary files. The system copies all files created for sending to a remote server according to the specified schedule. It does not clean up or delete the files. This setting allows you to specify the rotation period for temporary files (in days) or delete any of the temporary files manually. The files are rotated once a day.

The system stores a total of N log archives for previous days (according to the number of rotation days) and one log for the current day.