UserGate LogAn's log export feature allows you to upload information to external servers for subsequent analysis or processing in SIEM (security information and event management) systems.
UserGate LogAn allows you to export the following logs:
- DNS.
- Events.
- Web access.
- IDPS.
- SCADA.
- Traffic.
- SSH inspection.
- Endpoint events.
- Endpoint rules.
- Endpoint applications.
- Endpoint hardware.
Sending logs to SSH (SFTP), FTP, and Syslog servers is supported. Logs are sent to SSH and FTP servers according to the schedule specified in the configuration or as a one-time action (using the Send once button). For Syslog servers, each record is sent immediately after it is added to the log.
To send logs, you first need to create log export configurations in the Logs export section.
When creating a configuration, provide the following settings:
| Name | Description |
|---|---|
| Rule name | The name of the log export rule. |
| Description | Optional field for the rule description. |
| Logs to export | Select the log files to export: For each log, you can specify the export syntax: To select the desired log export format, refer to the documentation for the SIEM system you are using. For a detailed description of log formats, see Appendix 2, Description of Log Formats. |
| Server type | SSH (SFTP), FTP, Syslog. |
| Address | The IP address or domain name of the server. |
| Transport | TCP or UDP; applicable only to Syslog servers. |
| Port | The server port to which the data should be sent. |
| Protocol | RFC 5424 or BSD syslog RFC 3164; applicable only to Syslog servers. Select the protocol compatible with your SIEM system. |
| Severity | Only for the Syslog server type. This is an optional field; consult the documentation for your SIEM system. The possible values are: |
| Facility | Only for the Syslog server type. This is an optional field; consult the documentation for your SIEM system. The possible values are: |
| Hostname | Only for the Syslog server type. A unique host name identifying the server that sends data to the Syslog server, in FQDN (Fully Qualified Domain Name) format. |
| App-Name | Only for the Syslog server type. A unique name of the application that sends data to the Syslog server. |
| Login name | The account name for connecting to the remote server. Not applicable to the Syslog export method. |
| Password | Account password for connecting to the remote server. Not applicable to the Syslog export method. |
| Repeat password | Confirm the account password for connecting to the remote server. Not applicable to the Syslog export method. |
| Directory path | Server directory to copy log files to. Not applicable to the Syslog export method. |
| Schedule | Schedule for sending logs. Not applicable to the Syslog export method. Options: With the Advanced option, a crontab-like format is used where the date/time string consists of six space-separated fields. The fields specify the time as follows: (minutes: 0-59) (hours: 0-23) (days of the month: 1-31) (month: 1-12) (days of the week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using: |
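The Syslog settings in the table (Protocol, Severity, Facility, Hostname, App-Name) map directly onto the syslog header that the SIEM receives. The following is an added example, not UserGate code: it builds the RFC 5424 and RFC 3164 envelopes from those settings and decodes them again on the receiving side, so a collector can confirm which protocol arrived and which facility and severity the record carries. The facility and severity numbering follows RFC 5424 section 6.2.1 (PRI = facility × 8 + severity); the hostname, app-name, timestamp and message text are constructed sample values.

```python
"""Build and parse the syslog header fields a LogAn export target receives.

Added example, not UserGate code. Assumes the standard PRI encoding
(PRI = facility * 8 + severity, RFC 5424 section 6.2.1) and the header
layouts of RFC 5424 and RFC 3164. Hostname, app-name and message values
below are constructed sample data.
"""
import re
from datetime import datetime, timezone

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "local0": 16, "local1": 17, "local2": 18,
              "local3": 19, "local4": 20, "local5": 21, "local6": 22,
              "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def pri(facility: str, severity: str) -> int:
    """PRI value placed in angle brackets at the start of every syslog line."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def rfc5424(facility, severity, hostname, app_name, msg, ts=None):
    """RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    ts = ts or datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    stamp = ts.isoformat().replace("+00:00", "Z")
    # PROCID, MSGID and STRUCTURED-DATA are sent as NILVALUE ("-")
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {app_name} - - - {msg}"


def rfc3164(facility, severity, hostname, app_name, msg, ts=None):
    """BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day space-padded)."""
    ts = ts or datetime(2024, 1, 1)  # constructed timestamp
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {app_name}: {msg}"


_RE_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$")
_RE_3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")


def parse(line: str) -> dict:
    """Receiver-side decode: which protocol arrived and what PRI it carried."""
    for proto, rx in (("RFC5424", _RE_5424), ("RFC3164", _RE_3164)):
        m = rx.match(line)
        if m:
            p = int(m.group("pri"))
            if p > 191:  # facility 23 * 8 + severity 7 is the largest legal PRI
                raise ValueError(f"PRI {p} out of range")
            return {"protocol": proto, "facility": p // 8, "severity": p % 8,
                    "hostname": m.group("host"), "app_name": m.group("app"),
                    "msg": m.group("msg") or ""}
    raise ValueError("not a syslog line")


if __name__ == "__main__":
    # Constructed sample records in both protocols, round-tripped through parse()
    for line in (rfc5424("local0", "info", "logan.example.com", "usergate-logan",
                         "web access record"),
                 rfc3164("auth", "warning", "logan", "usergate-logan", "idps alert")):
        print(line)
        print(parse(line))
```

The PRI range check is a cheap sanity test to run on a collector before records reach the SIEM, since a value above 191 cannot have come from a well-formed sender. Because UDP carries no acknowledgement, records exported with Transport set to UDP can be lost without any indication on either side; TCP at least surfaces a broken connection, so prefer it where the SIEM supports it.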
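The Advanced schedule option takes the crontab-like string described in the Schedule row. As an added example that is not UserGate code, the following validator expands the five fields the page names (minute, hour, day of month, month, day of week with Sunday = 0) into value sets, checks whether a given minute would trigger an export, and lists the next firing times. It assumes the standard crontab forms per field (asterisk, single value, a-b range, comma-separated list and /n step), since the page's own list of allowed forms is not reproduced here, and it keeps any sixth field unvalidated because the page says the string has six fields but describes only five.

```python
"""Validate and evaluate a crontab-like Advanced schedule string.

Added example, not UserGate code. The five fields are those the page names:
minute 0-59, hour 0-23, day of month 1-31, month 1-12, day of week 0-6 with
0 = Sunday. Accepted forms per field (*, n, a-b, a,b,c and /step) are the
standard crontab ones, taken here as an assumption. A sixth field, which the
page mentions but does not describe, is kept but not validated (assumption).
"""
from datetime import datetime, timedelta

FIELDS = (("minute", 0, 59), ("hour", 0, 23), ("day_of_month", 1, 31),
          ("month", 1, 12), ("day_of_week", 0, 6))


def _expand(spec: str, low: int, high: int, name: str) -> set:
    """Expand one field specification into the set of integers it selects."""
    values = set()
    for part in spec.split(","):
        base, _, step_text = part.partition("/")
        step = int(step_text) if step_text else 1
        if step < 1:
            raise ValueError(f"{name}: step must be at least 1 in {part!r}")
        if base == "*":
            lo, hi = low, high
        elif "-" in base:
            a, b = base.split("-", 1)
            lo, hi = int(a), int(b)
        elif step_text:
            # "n/step" means different things in different cron dialects; reject it
            raise ValueError(f"{name}: a step needs '*' or a range in {part!r}")
        else:
            lo = hi = int(base)
        if not (low <= lo <= hi <= high):
            raise ValueError(f"{name}: {part!r} is outside {low}-{high}")
        values.update(range(lo, hi + 1, step))
    return values


def parse_schedule(expr: str) -> dict:
    """Return one value set per named field, plus any unvalidated sixth field."""
    parts = expr.split()
    if len(parts) not in (5, 6):
        raise ValueError("expected five or six space-separated fields")
    sched = {name: _expand(spec, low, high, name)
             for spec, (name, low, high) in zip(parts, FIELDS)}
    sched["extra"] = parts[5] if len(parts) == 6 else None
    return sched


def _fires(sched: dict, when: datetime) -> bool:
    # Both day-of-month and day-of-week must match here (classic cron ORs them
    # when both are restricted; the stricter reading is an assumption).
    dow = (when.weekday() + 1) % 7  # Python: Monday = 0; page: Sunday = 0
    return (when.minute in sched["minute"] and when.hour in sched["hour"]
            and when.day in sched["day_of_month"] and when.month in sched["month"]
            and dow in sched["day_of_week"])


def matches(expr: str, when_iso: str) -> bool:
    """True if the schedule fires at the minute given as an ISO 8601 string."""
    return _fires(parse_schedule(expr), datetime.fromisoformat(when_iso))


def next_runs(expr: str, start_iso: str, count: int = 3, horizon_days: int = 8) -> list:
    """List the next firing times strictly after start (ISO strings, minute precision)."""
    sched = parse_schedule(expr)
    t = datetime.fromisoformat(start_iso).replace(second=0, microsecond=0)
    end = t + timedelta(days=horizon_days)
    hits = []
    while t < end and len(hits) < count:
        t += timedelta(minutes=1)
        if _fires(sched, t):
            hits.append(t.isoformat(timespec="minutes"))
    return hits


if __name__ == "__main__":
    # Constructed schedule: every 15 minutes during the 02:00 hour, Monday to Friday
    print(parse_schedule("*/15 2 * * 1-5"))
    print(next_runs("0 3 * * *", "2024-01-01T02:00", count=2))
```

Validating the string before it is saved avoids an export rule that never fires, and listing the next runs shows the interval between exports: with SFTP and FTP targets a record reaches the SIEM only at the next scheduled run, so the schedule bounds how stale the SIEM's view of the appliance can be. Syslog targets do not have this lag, since the page states those records are sent as soon as they are logged.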