12.1.14. Logs Export

UserGate LogAn's log export feature allows you to upload information to external servers for subsequent analysis or processing in SIEM (security information and event management) systems.

UserGate LogAn allows you to export the following logs:

  • DNS.

  • Events.

  • Web access.

  • IDPS.

  • SCADA.

  • Traffic.

  • SSH inspection.

  • Endpoint events.

  • Endpoint rules.

  • Endpoint applications.

  • Endpoint hardware.

Sending logs to SSH (SFTP), FTP, and Syslog servers is supported. Logs are sent to SSH and FTP servers according to the schedule specified in the configuration or as a one-time action (using the button Send once). For Syslog servers, logs are sent immediately after a record is added to the log.

To send logs, you need first to create log export configurations in the Logs export section.

When creating a configuration, provide the following settings:

Name

Description

Rule name

The name of the log export rule.

Description

Optional field for rule description.

Logs to export

Select the log files to export:

  • DNS.

  • Events.

  • Web access.

  • IDPS.

  • SCADA.

  • Traffic.

  • SSH inspection.

  • Endpoint events.

  • Endpoint rules.

  • Endpoint applications.

  • Endpoint hardware.

For each log, you can specify the export syntax:

  • CEF: Common Event Format (ArcSight).

  • JSON: JSON format.

  • @CEE: JSON: CEE Log Syntax (CLS) Encoding JSON.

To select the desired log export format, refer to the documentation for the SIEM system you are using.

For a detailed description of log formats, see Appendix 2. Description of Log Formats.

Server type

SSH (SFTP), FTP, Syslog.

Address

The IP address or domain name of the server.

Transport

TCP or UDP; applicable only to Syslog servers.

Port

The server port to which the data should be sent.

Protocol

RFC5424 or BSD syslog RFC 3164; applicable only to Syslog servers. Select the protocol compatible with your SIEM system.

Severity

Only for the Syslog server type. This is an optional field; consult the documentation for your SIEM system. The possible values are:

  • Alert: a state that requires immediate intervention.

  • Critical: a state that requires immediate intervention or signals a fault in the system.

  • Error: errors detected in the system.

  • Warning: warnings on potential errors that can occur if no action is taken.

  • Notice: events that are related to unusual system behavior but are not errors.

  • Info: information messages.

Facility

Only for the Syslog server type. This is an optional field; consult the documentation for your SIEM system. The possible values are:

  • User-level messages.

  • System daemon.

  • Security/authentication.

  • Log audit.

  • Log alert.

  • Local 0.

  • Local 1.

  • Local 2.

  • Local 3.

  • Local 4.

  • Local 5.

  • Local 6.

  • Local 7.

Hostname

Only for the Syslog server type. A unique host name identifying the server that sends data to the Syslog server in the FQDN (Fully Qualified Domain Name) format.

App-Name

Only for the Syslog server type. A unique name of the application that sends data to the Syslog server.

Login name

The account name for connecting to the remote server. Not applicable to the Syslog export method.

Password

Account password for connecting to the remote server. Not applicable to the Syslog export method.

Repeat password

Confirm the account password for connecting to the remote server. Not applicable to the Syslog export method.

Directory path

Server directory to copy log files to. Not applicable to the Syslog export method.

Schedule

Schedule for sending logs. Not applicable to the Syslog export method. Options:

  • Daily.

  • Weekly.

  • Monthly.

  • Every ... hours.

  • Every ... minutes.

  • Advanced.

With the Advanced option, a crontab-like format is used where the date/time string consists of six space-separated fields. The fields specify the time as follows: (minutes: 0-59) (hours: 0-23) (days of the month: 1‑31) (month: 1‑12) (days of the week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using:

  • An asterisk (*) denotes the entire range (from the first number to the last).

  • A dash (-): denotes a number range. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • An asterisk or range spacing: used for spacing out values in ranges. The increment is given after a slash. Examples: "2-10/2" means "2,4,6,8,10" while "*/2" in the "hours" field means "every two hours".