Logs Export

The UserGate logs export feature allows you to upload information to external servers for later analysis or SIEM (security information and event management) processing.

Sending logs to SSH (SFTP), FTP, and Syslog servers is supported. Logs are sent to SSH and FTP servers according to the schedule specified in the configuration or as a one-time action (using the Send once button). For Syslog servers, logs are sent immediately after a record is added to the log.

To send logs, you must first create log export rules in the Logs and Reports ➜ Logs export section in device administrator mode.

Note: Log export settings are not cluster-wide. If UGMC runs in a cluster configuration, log export rules must be created separately on each node.

When creating a configuration, provide the following parameters:

Name

Description

Rule name

The name of the log export rule.

Description

Optional field for rule description.

Logs to export

Select the log files to export:

  • Events

For each log, you can specify the export syntax:

  • CEF: Common Event Format (ArcSight)

  • JSON: JSON format

  • @CEE: JSON: JSON in CEE Log Syntax (CLS) encoding

To select the desired log export format, refer to the documentation for the SIEM system you are using.

For a detailed description of log formats, see Appendix 2. Description of Log Formats.

Server type

SSH (SFTP), FTP, Syslog.

Server address

IP address or domain name of the server.

Transport

TCP or UDP; applicable only to Syslog servers.

Port

The server port to which the data should be sent.

Protocol

RFC 5424 or BSD syslog (RFC 3164); applicable only to Syslog servers. Select the protocol your SIEM system supports.

Severity

Only for the Syslog server type. Optional field; consult the documentation for your SIEM system. Available values:

  • Alert: a state that requires immediate intervention.

  • Critical: a state that requires immediate intervention or signals a fault in the system.

  • Errors: errors detected in the system.

  • Warnings: warnings about potential errors that may occur if no action is taken.

  • Notice: events that relate to unusual system behavior but are not errors.

  • Info: informational messages.

Facility

Only for the Syslog server type. Optional field; consult the documentation for your SIEM system. Available values:

  • User-level messages

  • System daemon

  • Security/authorization

  • Log audit

  • Log alert

  • Local 0

  • Local 1

  • Local 2

  • Local 3

  • Local 4

  • Local 5

  • Local 6

  • Local 7

Hostname

Only for the Syslog server type. A unique host name, in FQDN (Fully Qualified Domain Name) format, identifying the server that sends data to the Syslog server.

App-Name

Only for the Syslog server type. A unique name for the application that sends data to the Syslog server.
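The Syslog parameters above (transport, protocol, severity, facility, hostname, app-name) all end up in the header of each exported line, and the SIEM side has to undo that framing before it can read the CEF or JSON payload. The following is an added example, not UserGate code: it builds one event in both RFC 5424 and BSD (RFC 3164) framing from a chosen facility and severity, and shows the receiver-side parse that recovers them from the PRI value. The numeric facility and severity codes are the RFC 5424 values; the hostname, app-name and the CEF/JSON events are constructed sample data.

```python
import json
import re
from datetime import datetime, timezone

# Numeric codes from RFC 5424 section 6.2.1 for the facility and severity
# choices the export rule offers. The short keys are this example's own.
FACILITY = {"user": 1, "daemon": 3, "auth": 4, "audit": 13, "alert": 14,
            **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"alert": 1, "critical": 2, "error": 3, "warning": 4,
            "notice": 5, "info": 6}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}


def pri(facility, severity):
    """PRI = facility * 8 + severity, as both syslog RFCs define it."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def rfc5424(facility, severity, hostname, app_name, msg, ts):
    """RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PROCID, MSGID and STRUCTURED-DATA are sent as the NIL value '-'."""
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri(facility, severity)}>1 {stamp} {hostname} {app_name} - - - {msg}"


def rfc3164(facility, severity, hostname, app_name, msg, ts):
    """BSD syslog line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (day space-padded)."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {app_name}: {msg}"


# Receiver-side patterns. The 5424 pattern accepts NIL or a single SD element.
_RFC5424 = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) \S+ \S+ (?:-|\[[^\]]*\]) (.*)$", re.S)
_RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$", re.S)


def parse(line):
    """Detect the framing and split PRI back into facility and severity names."""
    m = _RFC5424.match(line)
    fmt = "rfc5424"
    if not m:
        m = _RFC3164.match(line)
        fmt = "rfc3164"
    if not m:
        raise ValueError("not a syslog line")
    p, stamp, host, app, msg = m.groups()
    p = int(p)
    if p > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    return {"format": fmt, "facility": FACILITY_NAME.get(p // 8, p // 8),
            "severity": SEVERITY_NAME.get(p % 8, p % 8), "hostname": host,
            "app_name": app, "timestamp": stamp, "msg": msg}


def decode_payload(msg):
    """Unwrap the export syntaxes: CEF header fields, plain JSON, or @cee: JSON."""
    if msg.startswith("CEF:"):
        # Seven pipes separate the eight CEF parts; the extension stays as text.
        parts = msg[4:].split("|", 7)
        keys = ["version", "vendor", "product", "device_version",
                "signature_id", "name", "severity", "extension"]
        return dict(zip(keys, parts))
    if msg.startswith("@cee:"):
        msg = msg[5:]
    return json.loads(msg)


# Constructed sample data (not real UserGate output).
TS = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
HOST, APP = "ugmc-node1.example.com", "ugmc"
SAMPLE_CEF = "CEF:0|ExampleVendor|ExampleProduct|1.0|100|Login failed|5|suser=admin src=192.0.2.7"
SAMPLE_CEE = '@cee:{"event": "login_failed", "user": "admin", "src": "192.0.2.7"}'

if __name__ == "__main__":
    for line in (rfc5424("auth", "warning", HOST, APP, SAMPLE_CEF, TS),
                 rfc3164("local0", "info", HOST, APP, SAMPLE_CEE, TS)):
        rec = parse(line)
        print(line)
        print(rec["format"], rec["facility"], rec["severity"], decode_payload(rec["msg"]))
```

Two points worth checking on the receiving side: a Syslog exporter sends over TCP or UDP without any encryption unless the transport is wrapped separately, and the facility/severity pair is the only routing information the collector gets, so pick values that your SIEM's parser will not drop or reclassify.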

Login name

The account name for connecting to the remote server. Not applicable to the Syslog export method.

Password

Account password for connecting to the remote server. Not applicable to the Syslog export method.

Directory path

Server directory to copy log files to. Not applicable to the Syslog export method.

In a UGMC cluster configuration, when logs are exported from several cluster nodes, specify a different server directory for each UGMC node, because the log file names are identical on every node.

Schedule

Select the schedule for sending logs. Not applicable to the Syslog export method. The available options are:

  • Daily

  • Weekly

  • Monthly

  • Every ... hours

  • Every ... minutes

  • Advanced

With the Advanced option, a crontab-like format is used in which the date/time string consists of six space-separated fields. The fields specify the time as follows: (minutes: 0-59) (hours: 0-23) (day of the month: 1-31) (month: 1-12) (day of the week: 0-6, where 0 is Sunday). Each of the first five fields can be defined using:

  • An asterisk (*) denotes the entire range (from the first value to the last).

  • A dash (-) denotes a range of numbers. For example, "5-7" means 5, 6, and 7.

  • Lists: comma-separated numbers or ranges. For example, "1,5,10,11" or "1-11,19-23".

  • Step values: an asterisk or a range followed by a slash and an increment selects every n-th value. For example, "2-10/2" means "2,4,6,8,10", and "*/2" in the hours field means "every two hours".
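A mistyped Advanced schedule silently means no export, or an export at the wrong time, so it is worth being able to expand an expression and see exactly which minutes it fires. The following is an added example, not UserGate code: it expands the five fields whose meaning is described above (asterisk, ranges, lists and slash steps), validates each value against its documented range, and tests a timestamp against the expression. Whether the day-of-month and day-of-week fields are combined with AND or, as classic Vixie cron does when both are restricted, with OR is not stated on this page; the example uses AND and marks that as an assumption.

```python
from datetime import datetime, timedelta

# (low, high) bounds for the five documented fields, in order:
# minutes, hours, day of month, month, day of week (0 = Sunday).
FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))
FIELD_NAMES = ("minute", "hour", "day-of-month", "month", "day-of-week")


def expand_field(spec, lo, hi):
    """Expand one field ("*", "5-7", "1,5,10", "2-10/2", "*/2") into the set of
    integers it matches. Raises ValueError on values outside lo..hi."""
    values = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"step must be >= 1 in {spec!r}")
            if item != "*" and "-" not in item:
                # The page documents steps only after an asterisk or a range.
                raise ValueError(f"step needs an asterisk or range in {spec!r}")
        if item == "*":
            start, end = lo, hi
        elif "-" in item:
            a, b = item.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(item)
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{item!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(expr):
    """Parse the five documented fields into a list of five value sets."""
    fields = expr.split()
    if len(fields) != len(FIELD_RANGES):
        raise ValueError(f"expected {len(FIELD_RANGES)} fields, got {len(fields)}")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def matches(expr, when):
    """True if the schedule fires at the given minute.
    Assumption: day-of-month and day-of-week must both match (AND)."""
    mins, hours, doms, months, dows = parse_schedule(expr)
    # Python's weekday() has Monday = 0; the page uses 0 = Sunday.
    dow = (when.weekday() + 1) % 7
    return (when.minute in mins and when.hour in hours and when.day in doms
            and when.month in months and dow in dows)


def next_run(expr, start, horizon_days=366):
    """First minute strictly after `start` at which the schedule fires, or None."""
    parse_schedule(expr)  # fail fast on a bad expression
    t = start.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = start + timedelta(days=horizon_days)
    while t <= end:
        if matches(expr, t):
            return t
        t += timedelta(minutes=1)
    return None


def describe(expr):
    """Human-readable expansion of each field, handy when reviewing a rule."""
    return {name: sorted(vals) for name, vals in zip(FIELD_NAMES, parse_schedule(expr))}


if __name__ == "__main__":
    # Constructed sample: every two hours on the hour, checked from a Sunday.
    print(describe("0 */2 * * *"))
    print(next_run("0 */2 * * *", datetime(2024, 1, 7, 3, 15)))
```

Running `describe` on a proposed Advanced string before saving the rule shows the full set of minutes, hours and days it covers, which is the quickest way to catch a field typed in the wrong position.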

Manage logs

Manage temporary log files prepared for sending to remote SSH and FTP servers.

When sending logs to SSH and FTP servers, UserGate saves the data to be sent in temporary files in UTF-8 encoding. Logs for previous days (according to the number of rotation days) are stored in archives; the log for the current day is not archived. The system copies all files prepared for sending to the remote server according to the specified schedule. It does not clean up or delete the files. This setting lets you specify the rotation period for temporary files (in days) or delete any of the temporary files manually. The files are rotated once a day.

Note: The administrator can also save a log manually directly from the web console. In this case, the data is saved only in CSV format.