
Netskope Help

Configure Syslog on the Appliance

You can configure syslog on the appliance to stream syslog messages directly from the enterprise firewall or proxy servers.

After the logs are streamed via syslog to the appliance, the syslog messages are written to a file in the /nslogs/user/upload/<parser-name> folder. A new file is captured at the beginning of every hour, with the file name format parser name_month_day_hour_host.log. Because of processing time, the latest completed file is the one for the previous hour.

After the logs are processed, the extracted cloud app events will get uploaded to your tenant instance in the Netskope cloud. To check the status of the logs in the Netskope tenant UI, go to Settings > Risk Insights > Log > Upload. You can also check the status of the logs on the appliance using command line interface (CLI) commands.

Basic Setup

protocol specifies whether syslog is received over TCP or UDP. The default protocol is UDP and the default syslog port is 514.

Before setting the protocol, you must stop all processes that are running or in-flight.

  1. Run the following command in operation mode.

    log-upload stop
  2. Run the following commands in configuration mode to enable syslog on the OPLP.

    set log-upload syslogng protocol <TCP|UDP>
    set log-upload syslogng noparse enable true

    noparse enable true ensures that the syslog message received from the firewall and/or proxy is written as-is and is not truncated by syslog-ng. If you enable syslog, we recommend that you also enable this setting.

Enable TLS for Log Upload via Syslog

You can configure syslog to upload logs to the OPLP over a TLS connection. TLS can only be enabled when the protocol is set to TCP. To enable TLS on syslog-ng, you need a server certificate and its private key.

Note

The appliance does not generate the server certificate and key.

  • Run the following commands in configuration mode to enable TLS for syslog.

    set log-upload syslogng tls enable true
    set log-upload syslogng tls server-cert
    set log-upload syslogng tls server-key
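
Before pointing a production firewall or proxy at the appliance, it helps to confirm that the listener actually accepts the configured protocol and port. The following is an added example (not Netskope's code): a small Python client that sends one BSD-style syslog line over UDP, TCP, or TCP with TLS, enforcing the same rule as the appliance that TLS is only valid with TCP, plus a loopback self-test. The hostname fw01, the tag, the facility/severity values, and the CA file path are assumptions made for the example.

```python
"""Connectivity check for a syslog-ng listener over UDP, TCP or TCP+TLS.

Added example, not Netskope's code. Sends one RFC 3164-style line so the
configured protocol/port (and, for TLS, the server certificate) can be checked
before production log sources are switched over.
"""
import socket
import ssl
import threading
from datetime import datetime
from typing import List, Optional

# Fixed timestamp so the self-test output is deterministic (constructed value).
FIXED_STAMP = datetime(2024, 1, 2, 3, 4, 5)


def build_syslog_line(message: str, hostname: str = "fw01", tag: str = "test",
                      facility: int = 1, severity: int = 6,
                      when: Optional[datetime] = None) -> bytes:
    """Build an RFC 3164-style line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity                      # PRI = facility * 8 + severity
    stamp = (when or datetime.now()).strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {hostname} {tag}: {message}".encode()


def send_syslog(line: bytes, host: str, port: int = 514, protocol: str = "UDP",
                tls: bool = False, cafile: Optional[str] = None) -> int:
    """Send one line. Mirrors the appliance rule that TLS requires protocol TCP.
    Returns the number of bytes handed to the socket."""
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    if tls and protocol != "TCP":
        raise ValueError("TLS can only be enabled when protocol is TCP")
    if protocol == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(line, (host, port))
    payload = line + b"\n"          # newline-terminated, the usual BSD syslog framing over TCP
    with socket.create_connection((host, port), timeout=5) as s:
        if tls:
            # Verify the appliance's server certificate against the CA that signed it
            # (cafile is an assumed path; None falls back to the system trust store).
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(s, server_hostname=host) as tls_sock:
                tls_sock.sendall(payload)
        else:
            s.sendall(payload)
    return len(payload)


def loopback_receiver(protocol: str):
    """Throwaway 127.0.0.1 listener on an ephemeral port for self-testing the sender.
    Returns (port, thread, received_lines)."""
    received: List[bytes] = []
    if protocol.upper() == "UDP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)

        def serve():
            with srv:
                data, _ = srv.recvfrom(65535)
                received.append(data)
    else:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)

        def serve():
            with srv:
                conn, _ = srv.accept()
                with conn, conn.makefile("rb") as f:
                    received.append(f.readline().rstrip(b"\n"))
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t, received


def self_test(protocol: str) -> bool:
    """Send a line to a loopback listener and check that it arrives intact."""
    port, t, received = loopback_receiver(protocol)
    line = build_syslog_line("oplp connectivity check", when=FIXED_STAMP)
    send_syslog(line, "127.0.0.1", port, protocol)
    t.join(timeout=5)
    return received == [line]


if __name__ == "__main__":
    for proto in ("UDP", "TCP"):
        print(proto, "ok" if self_test(proto) else "FAILED")
```

To check the real appliance, call send_syslog with its address, the configured protocol, and tls=True plus the CA file that signed the server certificate you installed; the TLS path fails closed on a certificate mismatch, which is exactly what you want to see before relying on it for production logs.
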

Define the Log Source

logsource specifies which parser type to use for processing the logs. For example, if you are uploading Blue Coat proxy logs, choose logsource proxysg-http-main. The valid options are listed below.

Note

These parser type names are case-sensitive and must be entered exactly as they appear in this list.

  • asa
  • asa-syslog
  • bro-ids
  • chkp
  • cisco-fwsm-syslog
  • cisco-wsa
  • cisco-wsa-syslog
  • custom-csv
  • fortigate
  • greenplum-bluecoat
  • isa-splunk
  • juniper-srx-structured-syslog
  • mcafee
  • netscreen-traffic
  • panw
  • panw-syslog
  • proxysg
  • proxysg-http-main
  • proxysg-websense
  • scansafe
  • sensage
  • sfwder
  • sonicwall-syslog
  • sophos
  • squid
  • symantec-web-security
  • trustwave
  • websense
  • zscaler

add log-upload syslogng parserconfig
(the appliance responds with: added index 0)
set log-upload syslogng parserconfig 0 logsource <log-source>

Define Filters

Filters separate logs into different directories based on the data in the logs.

set log-upload syslogng parserconfig 0 filter message <message>
set log-upload syslogng parserconfig 0 filter name <filter name>

Define Macros

Defines which macro templates to use.

set log-upload syslogng parserconfig 0 macros <macros>

Define Parsers

Defines which parsers to use.

set log-upload syslogng parserconfig 0 parser <parser name> csv-parser columns (<comma separated column name>) delimiters (<delimiter characters>)

For example,

set log-upload syslogng parserconfig 0 parser panparser csv-parser columns (rserver, rtime, SNO) delimiters (chars(","))

Define Substitutions

Defines how to rewrite the retrieved log messages.

add log-upload syslogng parserconfig 0 rewrite substitute
set log-upload syslogng parserconfig 0 rewrite name <any substitution name>
set log-upload syslogng parserconfig 0 rewrite substitute 0 flags <flag>

Note

This last command is optional. Examples of flags are global and ignore-case.

set log-upload syslogng parserconfig 0 rewrite substitute 0 fromstring <fromstring>
set log-upload syslogng parserconfig 0 rewrite substitute 0 tostring <tostring>
set log-upload syslogng parserconfig 0 rewrite substitute 0 value message
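
The filter, csv-parser, and substitute settings above are easiest to get right when their effect can be checked on a sample line first. The following is an added example (not Netskope's or syslog-ng's code): a small Python stand-in for one parserconfig entry covering the Define Filters, Define Parsers, and Define Substitutions sections, so a columns/delimiters pair and the global and ignore-case substitute flags can be tried on constructed log lines before they are entered on the appliance. The sample lines, the column names other than rserver/rtime/SNO, the filter string, the substring semantics of the filter, and the processing order (substitution applied to the message before the csv-parser) are assumptions made for this example.

```python
"""Model of one parserconfig entry: filter -> rewrite substitute -> csv-parser.

Added example, not Netskope's or syslog-ng's code. Approximates the three settings
so their effect on a message can be checked offline; ordering and filter semantics
are assumptions, see the comments.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ParserConfig:
    logsource: str                            # parserconfig 0 logsource <log-source>
    filter_name: str                          # filter name <filter name>
    filter_message: str                       # filter message <message>: substring to match (assumption)
    columns: List[str]                        # csv-parser columns (...)
    delimiters: str                           # csv-parser delimiters (chars("...")): each char separates fields
    substitute_from: str = ""                 # rewrite substitute 0 fromstring <fromstring> (a regex)
    substitute_to: str = ""                   # rewrite substitute 0 tostring <tostring>
    substitute_flags: Tuple[str, ...] = ()    # rewrite substitute 0 flags: "global", "ignore-case"


def matches_filter(cfg: ParserConfig, message: str) -> bool:
    """filter message <message>, modelled here as a plain substring match (assumption)."""
    return cfg.filter_message in message


def rewrite_substitute(value: str, fromstring: str, tostring: str,
                       flags: Tuple[str, ...] = ()) -> str:
    """substitute(): replace fromstring with tostring in value.
    'global' replaces every match instead of only the first;
    'ignore-case' makes the match case-insensitive."""
    re_flags = re.IGNORECASE if "ignore-case" in flags else 0
    count = 0 if "global" in flags else 1     # re.sub: count=0 means all occurrences
    return re.sub(fromstring, tostring, value, count=count, flags=re_flags)


def csv_parse(message: str, columns: List[str], delimiters: str) -> Dict[str, str]:
    """csv-parser: split on any delimiter character and name the fields after columns.
    Missing trailing fields become ""; extra data stays in the last column so the tail
    of a long message is not silently lost (an assumption made for this example)."""
    if not delimiters:
        raise ValueError("at least one delimiter character is required")
    if len(columns) < 2:
        parts = [message]
    else:
        parts = re.split("[" + re.escape(delimiters) + "]", message, maxsplit=len(columns) - 1)
    parts += [""] * (len(columns) - len(parts))
    return dict(zip(columns, parts))


def process(cfg: ParserConfig, message: str) -> Optional[Dict[str, object]]:
    """Run one message through the entry. Returns None when the filter does not match;
    otherwise the filter that routed it (the page says filters separate logs into
    directories) together with the parsed fields."""
    if not matches_filter(cfg, message):
        return None
    if cfg.substitute_from:
        # value message: the substitution rewrites the message field itself.
        message = rewrite_substitute(message, cfg.substitute_from, cfg.substitute_to,
                                     cfg.substitute_flags)
    return {"logsource": cfg.logsource, "filter": cfg.filter_name,
            "fields": csv_parse(message, cfg.columns, cfg.delimiters)}


# Constructed sample: a Palo Alto-style CSV line and an entry that keeps only TRAFFIC
# records, normalises the date separators, and reuses the page's example column names.
PAN_CONFIG = ParserConfig(
    logsource="panw-syslog",
    filter_name="pan-traffic",
    filter_message="TRAFFIC",
    columns=["type", "rserver", "rtime", "SNO"],
    delimiters=",",
    substitute_from="/", substitute_to="-", substitute_flags=("global",),
)
SAMPLE_LINES = [
    "TRAFFIC,10.0.0.5,2024/01/02 03:04:05,000123",
    "SYSTEM,general,2024/01/02 03:04:06,000124",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line, "->", process(PAN_CONFIG, line))
```

Without the global flag only the first "/" in the sample date would be replaced, which is the kind of mismatch that is cheap to catch here and expensive to notice after an hour of files has been written with half-normalised timestamps.
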