The UserGate logs export feature allows you to upload information to external servers for later analysis or SIEM (security information and event management) processing.
UserGate allows you to export the following logs:
- Event log.
- Web access log.
- IDPS log.
- Traffic log.
- SCADA log.
- SSH inspection log.
Sending logs to SSH (SFTP), FTP, and Syslog servers is supported. Logs are sent to SSH and FTP servers as files, according to the schedule specified in the configuration. For Syslog servers, each record is sent immediately after it is written to the log.
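Because the Syslog path is the real-time one, it is worth checking what actually arrives at the collector before pointing a rule at the SIEM. The script below is an added example, not UserGate code: a receiver-side parser for the two Syslog formats a rule can emit (RFC 5424 and BSD RFC 3164) that splits the PRI value into the facility and severity the rule was configured with and extracts the Hostname and App-Name fields. The sample records, the host names, the `ug@32473` structured-data ID and the `listen_udp` helper are constructed for the example and are not real UserGate output.

```python
"""Receiver-side parser for the two Syslog formats a log export rule can emit.

Added example, not UserGate code. It recognises RFC 5424 and BSD syslog
(RFC 3164) records, splits the PRI value into the facility and severity the
rule was configured with, and can listen on a UDP port so the records a rule
sends can be checked before they are pointed at the SIEM.
"""
import re
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facility (0-23) and severity (0-7) codes as listed in RFC 5424, section 6.2.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# (structured-data values containing an escaped ']' are not handled by this regex).
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# BSD RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG  (a TAG is required here)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<appname>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?:\s?(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogRecord:
    fmt: str          # "rfc5424" or "rfc3164"
    facility: int
    severity: int
    hostname: str     # the rule's Hostname parameter
    appname: str      # the rule's App-Name parameter (TAG in RFC 3164)
    msg: str
    procid: Optional[str] = None

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def split_pri(pri: int) -> Tuple[int, int]:
    """PRI = facility * 8 + severity, so the valid range is 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0-191")
    return divmod(pri, 8)


def parse_syslog(line: str) -> SyslogRecord:
    """Parse one record in either format; raise ValueError for anything else."""
    line = line.rstrip("\r\n")
    fmt, m = "rfc5424", RFC5424_RE.match(line)
    if m is None:
        fmt, m = "rfc3164", RFC3164_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog record: {line[:60]!r}")
    facility, severity = split_pri(int(m.group("pri")))
    procid = m.group("procid")
    return SyslogRecord(fmt, facility, severity, m.group("hostname"), m.group("appname"),
                        m.group("msg") or "", None if procid in (None, "-") else procid)


def listen_udp(port: int, count: int) -> List[SyslogRecord]:
    """Receive and parse `count` datagrams; run on the host named as the rule's
    server address with Transport = UDP (UDP delivery is best effort, so a
    record that never arrives here was simply dropped on the way)."""
    records: List[SyslogRecord] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while len(records) < count:
            data, _ = sock.recvfrom(65535)
            records.append(parse_syslog(data.decode("utf-8", "replace")))
    return records


# Constructed sample records shaped like a rule using local0/info (PRI 134) and
# user/notice (PRI 13); they are not real UserGate output.
SAMPLE_RFC5424 = ('<134>1 2024-05-02T10:15:30.123Z ug.example.local usergate - web_access '
                  '[ug@32473 rule="allow-http"] user=jdoe url=http://example.com action=allow')
SAMPLE_RFC3164 = '<13>May  2 10:15:30 ug-fw usergate[1234]: IDPS alert: signature matched'

if __name__ == "__main__":
    for sample in (SAMPLE_RFC5424, SAMPLE_RFC3164):
        r = parse_syslog(sample)
        print(f"{r.fmt}: {r.facility_name}.{r.severity_name} host={r.hostname} "
              f"app={r.appname} msg={r.msg!r}")
```

Two caveats when using this against a live rule: with Transport = UDP, records that are lost in transit are lost silently, so a count mismatch between the UserGate log and the collector is expected under load; with Transport = TCP, several records can arrive in one read, so a real collector must split the stream on newlines or use octet counting (RFC 6587) before handing each record to `parse_syslog`.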
To send logs, you must create log export configurations in the Logs export section.
When creating a configuration, provide the following parameters:
| Name | Description |
|---|---|
| Rule name | Name of the log export rule. |
| Description | Optional field for the rule description. |
| Logs to export | Select the logs to export. For each log, you can specify the export syntax; to choose the format your SIEM expects, refer to the documentation for the SIEM system you are using. For a detailed description of the log formats, see Appendix 3. Log format description. |
| Server type | SSH (SFTP), FTP, or Syslog. |
| Server address | IP address or domain name of the server. |
| Transport | TCP or UDP; applicable only to Syslog servers. |
| Port | The server port to which the data is sent. |
| Protocol | RFC 5424 or BSD syslog (RFC 3164); applicable only to Syslog servers. Select the protocol that your SIEM system supports. |
| Severity | Only for the Syslog server type. Optional field; consult the documentation for your SIEM system for the value it expects. |
| Facility | Only for the Syslog server type. Optional field; consult the documentation for your SIEM system for the value it expects. |
| Hostname | Only for the Syslog server type. A unique host name, in FQDN (Fully Qualified Domain Name) format, that identifies the UserGate node sending the data in each Syslog record. |
| App-Name | Only for the Syslog server type. Unique name of the application that sends data to the Syslog server. |
| Login name | The account name for connecting to the remote server. Does not apply to the Syslog sending method. |
| Password | Account password for connecting to the remote server. Does not apply to the Syslog sending method. |
| Directory path | Server directory to copy the log files to. Does not apply to the Syslog sending method. |
| Schedule | Select the schedule for sending logs. Does not apply to the Syslog sending method. With the Advanced option, a crontab-like format is used where the date/time string consists of six space-separated fields. The fields specify the time as follows: (minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using the crontab-style field notation. |
| Manage logs | Manage the temporary log files prepared for sending to remote SSH and FTP servers. When sending logs to SSH and FTP servers, UserGate saves the data to send in temporary files and copies every file created for sending to the remote server according to the specified schedule; a successful transfer does not clean up or delete the files. This setting specifies the rotation period for the temporary files (in days) and lets you delete any of them manually. The files are rotated once a day: the system keeps N log archives for previous days (N being the number of rotation days) plus one log for the current day. |