Secure Syslog Collector

Modified on Wed, 06 Sep 2023 at 09:47 PM

Most devices that you will have on your network send logs over the network using the syslog protocol.  To maintain the security of all logs that you send to the Samurai XDR platform, we require that log messages be sent over TCP and encrypted using TLS.

In every Samurai XDR tenant, we automatically set up a Secure Syslog Collector when the tenant is provisioned.  This means that you don't need to configure anything before starting to connect syslog log sources to Samurai XDR.

Before you configure log sources

Before you can start configuring log sources to send secure syslog to Samurai XDR, you will need to note the IP address and hostname of your tenant's collector, as well as the TCP port number of the collector.  

The details needed to add a new integration will be shown when you step though the Telemetry > Integration > Create process.

These values can both be found in the Collectors pane of the Telemetry section in the Samurai XDR app.

Viewing Secure Syslog Settings via Telemetry > Collectors

First click on "Telemetry" in the left-hand menu bar of the app, then click on "Collectors"


Adding a Secure Syslog device via Telemetry > Integrations

From the Telemetry > Integrations screen, select the "Create" button on the right-hand side of the screen.  This will populate a list of available integrations. Select your integration, then Next. If the integration is based on Secure Syslog, then you will see the IP Address and Port to be used in your device configuration. There is no further configuration required in Samurai XDR. 

Please note the configuration guide (1) for your device. Please follow these instructions as it may require from time to time a logging format change. 

Take note of the Secure syslog IP Address and Port, then click Finish (2).

Certificate Validation

There There may be cases where your security device requires validation of the digital certificate used to create the secure TLS connection. When this is the case you can simply download the signing certificate (intermediate CA) provided here.

Note: this certificate is for server-side validation and not client-side authentication. The configuration guide for your device will step you through the details. Attached below is the .PEM file that contains the digital certificate.

Viewing your Integration in Samurai XDR

Once you have configured your device you will be able to confirm its operational status along with other important attributes as shown below.