Configure Syslog on the Appliance
You can configure syslog on the appliance to stream syslog messages directly from the enterprise firewall or proxy servers.
After the logs are streamed via syslog to the appliance, the syslog messages are written to a file in the /nslogs/user/upload/<parser-name> folder. The file is captured at the beginning of every hour with the file name format: parser name_month_day_hour_host.log. Due to processing time, the latest completed file is for the previous hour.
After the logs are processed, the extracted cloud app events are uploaded to your tenant instance in the Netskope cloud. To check the status of the logs in the Netskope tenant UI, go to Settings > Risk Insights > Log > Upload. You can also check the status of the logs on the appliance using command line interface (CLI) commands.
Basic Setup
protocol specifies whether to use TCP or UDP. The default protocol is UDP and the default syslog port is 514.
Before setting the protocol, you must stop all processes that are running or in-flight.
Run the following command in operation mode.
log-upload stop
Run the following commands in configuration mode to enable syslog on the OPLP.
set log-upload syslogng protocol <TCP|UDP>
set log-upload syslogng noparse enable true
noparse enable true ensures that the syslog message received from the firewall and/or proxy is written as-is and not truncated by syslogng. If you are enabling syslog, we recommend that you enable this configuration.
Enable TLS for Log Upload via Syslog
You can configure syslog to upload logs to the OPLP using a TLS connection. TLS can only be enabled if the protocol is set to TCP. To enable TLS on syslogng, you need a server certificate and key.
Note
The appliance does not generate the server certificate and key.
Run the following commands in configuration mode to enable TLS for syslog.
set log-upload syslogng tls enable true
set log-upload syslogng tls server-cert
set log-upload syslogng tls server-key
Define the Log Source
Specifies which parser type to use for processing logs. For example, if you are uploading Blue Coat proxy logs, choose logsource proxysg-http-main. Here are the valid options:
Note
These parser type names are case-sensitive and must be entered exactly as they appear in this table.
asa | fortigate | proxysg | squid |
asa-syslog | greenplum-bluecoat | proxysg-http-main | symantec-web-security |
bro-ids | isa-splunk | proxysg-websense | trustwave |
chkp | juniper-srx-structured-syslog | scansafe | websense |
cisco-fwsm-syslog | mcafee | sensage | zscaler |
cisco-wsa | netscreen-traffic | sfwder | |
cisco-wsa-syslog | panw | sonicwall-syslog | |
custom-csv | panw-syslog | sophos | |
add log-upload syslogng parserconfig
{server response should be} added index 0
set log-upload syslogng parserconfig 0 logsource <log-source>
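A pre-flight check for the settings covered so far (protocol, TLS and log source), as an added example that is not Netskope code. It enforces the TCP requirement for TLS and the case-sensitive parser type names, then lists only commands shown on this page; the function name and the index parameter are hypothetical, and the uppercase TCP/UDP spelling is an assumption taken from the command syntax above.

```python
# Added example (not vendor code): pre-flight check for the settings on this page.
# Parser type names copied from the table on this page; they are case-sensitive.
VALID_LOGSOURCES = frozenset("""
asa fortigate proxysg squid asa-syslog greenplum-bluecoat proxysg-http-main
symantec-web-security bro-ids isa-splunk proxysg-websense trustwave chkp
juniper-srx-structured-syslog scansafe websense cisco-fwsm-syslog mcafee
sensage zscaler cisco-wsa netscreen-traffic sfwder cisco-wsa-syslog panw
sonicwall-syslog custom-csv panw-syslog sophos
""".split())


def plan_syslog_config(protocol, logsource, tls=False, index=0):
    """Validate the planned settings; return (errors, warnings, commands).

    `index` is the value the appliance reports after `add ... parserconfig`
    (hypothetical parameter name; the page's example shows index 0).
    """
    errors, warnings = [], []
    if protocol not in ("TCP", "UDP"):  # assumption: spelled as the page shows
        errors.append(f"protocol must be TCP or UDP, got {protocol!r}")
    if tls and protocol != "TCP":
        errors.append("TLS can only be enabled if the protocol is set to TCP")
    if not tls:
        warnings.append("TLS is off: log messages cross the network unencrypted")
    if logsource not in VALID_LOGSOURCES:
        # Case-sensitive names: point out a near miss that differs only by case.
        near = sorted(n for n in VALID_LOGSOURCES if n.lower() == logsource.lower())
        hint = f" (did you mean {near[0]!r}?)" if near else ""
        errors.append(f"unknown log source {logsource!r}{hint}")
    if errors:
        return errors, warnings, []
    commands = [
        "log-upload stop",  # operation mode, before changing the protocol
        f"set log-upload syslogng protocol {protocol}",
        "set log-upload syslogng noparse enable true",
    ]
    if tls:
        # The server-cert and server-key commands are left for the operator:
        # their arguments are not shown on this page.
        commands.append("set log-upload syslogng tls enable true")
    commands += [
        "add log-upload syslogng parserconfig",
        f"set log-upload syslogng parserconfig {index} logsource {logsource}",
    ]
    return errors, warnings, commands


if __name__ == "__main__":
    errs, warns, cmds = plan_syslog_config("TCP", "proxysg-http-main", tls=True)
    print("\n".join(errs + warns + cmds))
```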
Define Filters
Separate logs into different directories based on the data in the logs.
set log-upload syslogng parserconfig 0 filter message <message>
set log-upload syslogng parserconfig 0 filter name <filter name>
Define Macros
Defines which macro templates to use.
set log-upload syslogng parserconfig 0 macros <macros>
Define Parsers
Defines which parsers to use.
set log-upload syslogng parserconfig 0 parser <parser name> csv-parser columns (<comma separated column name>) delimiters (<delimiter characters>)
For example,
set log-upload syslogng parserconfig 0 parser panparser csv-parser columns (rserver, rtime, SNO) delimiters (chars(","))
Define Substitutions
Defines how to reformat the log files retrieved.
add log-upload syslogng parserconfig 0 rewrite substitute
set log-upload syslogng parserconfig 0 rewrite name <any substitution name>
set log-upload syslogng parserconfig 0 rewrite substitute 0 flags <flag>
Note
This last command is optional. An example of a flag is global, ignore-case, etc.
set log-upload syslogng parserconfig 0 rewrite substitute 0 fromstring <fromstring>
set log-upload syslogng parserconfig 0 rewrite substitute 0 tostring <tostring>
set log-upload syslogng parserconfig 0 rewrite substitute 0 value message