
Cyware Orchestrate

Configure Syslogs

Syslog is used to receive logs from external applications such as a SIEM over TCP or UDP on a configured network port. The received logs can be used to trigger the execution of pre-configured Playbook workflows. Because the logs are sent over a network protocol, there is no need to configure Open API with the external applications.

For example, you can receive logs from CFTR (Cyware Fusion and Threat Response) to trigger Playbook execution in Orchestrate without using Open API credentials.

You can execute playbooks on receiving logs through a Syslog. For more information, see Execute Playbooks using Syslogs.

Before you Start

Ensure that you have the View Configure Syslog, Create/Update Configure Syslog, and Delete Configure Syslog permissions to access the Syslogs feature and configure a Syslog.

Note

Access permissions can be assigned only to a User Group. Contact your Administrator to obtain these permissions.

Steps

To configure a Syslog:

  1. Go to Admin Panel > Syslogs.

  2. Click Add Syslogs.

  3. Enter the following details:

    • Title: Enter a unique title for a Syslog.

    • Port: Enter a port number. Port 514 and ports in the range 1024 to 65535 (inclusive) are allowed. For example, 1024, 5000, 65534, 65536, and more.

    • Protocol: Choose a network protocol for Orchestrate and client applications to communicate with each other. You can choose either TCP or UDP.

    • Source App: Choose from the existing source apps using the dropdown. The configured Syslog executes the Playbooks associated with the selected source app.

    • Event Type: Select the event type associated with the source app.

    • Status: Set the Syslog status to Active or Inactive using the toggle. The Syslog must be Active for the selected source event to be triggered in Orchestrate.

  4. After entering the required details, click Save.

    After you have configured a Syslog, you must add the port to the SYSLOG_PORTS variable in the csol.env file so that the port is opened on the Orchestrate server. The file path of csol.env is /apps/cyware/conf/csol.env.

    For example, if you have configured a Syslog with port 5000, then you must define the value of the port as SYSLOG_PORTS ="[5000]".

    After the successful configuration of a Syslog, you can view the configured Syslog on the listing page. The logs are received from the external application into Orchestrate as source events. Click the expand icon in the Event Received Time column to view the received logs. You can use the received logs to run Playbooks.
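The port rule from step 3 and the csol.env update from step 4 are easy to get wrong by hand (a port outside the allowed range, or a SYSLOG_PORTS line that is overwritten instead of extended). The following POSIX shell helper is an added example, not a Cyware tool: it checks a port against the rule stated above (514, or 1024 to 65535) and appends it to the SYSLOG_PORTS list in a csol.env file without dropping ports already listed. The path /apps/cyware/conf/csol.env is the one named in this page; the helper takes the file path as an argument so it can be tried on a copy first.

```shell
# Added example helper (not part of Cyware Orchestrate). Validates a Syslog port
# and records it in SYSLOG_PORTS inside a csol.env-style file.
# Expected line format, as shown in the docs:  SYSLOG_PORTS ="[5000]"

# Returns 0 if PORT is allowed (514, or 1024-65535), 1 otherwise.
syslog_port_allowed() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;        # reject anything that is not a plain integer
    esac
    [ "$port" -eq 514 ] && return 0
    [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

# Prints the comma-separated list currently inside SYSLOG_PORTS="[...]" in FILE
# (empty output if the variable is absent). Spaces inside the brackets are dropped.
get_syslog_ports() {
    sed -n 's/^SYSLOG_PORTS *= *"\[\(.*\)\]".*/\1/p' "$1" | tr -d ' '
}

# Adds PORT to SYSLOG_PORTS in FILE, creating the variable if it is missing and
# skipping ports that are already listed. Prints the resulting line.
# Returns 1 (and changes nothing) if PORT is not allowed.
add_syslog_port() {
    envfile="$1"; port="$2"
    if ! syslog_port_allowed "$port"; then
        echo "port '$port' is not allowed (use 514 or 1024-65535)" >&2
        return 1
    fi
    if grep -q '^SYSLOG_PORTS *=' "$envfile" 2>/dev/null; then
        current=$(get_syslog_ports "$envfile")
        case ",$current," in
            *",$port,"*) ;;              # already present: nothing to do
            *)
                if [ -z "$current" ]; then new="$port"; else new="$current,$port"; fi
                # Rewrite via a temp file rather than sed -i, which is not portable.
                tmp="$envfile.tmp"
                sed "s/^SYSLOG_PORTS *=.*/SYSLOG_PORTS=\"[$new]\"/" "$envfile" > "$tmp" \
                    && mv "$tmp" "$envfile"
                ;;
        esac
    else
        printf 'SYSLOG_PORTS="[%s]"\n' "$port" >> "$envfile"
    fi
    grep '^SYSLOG_PORTS' "$envfile"
}

# Usage (constructed sample file, not a real server path):
#   cp /apps/cyware/conf/csol.env /tmp/csol.env.test
#   add_syslog_port /tmp/csol.env.test 5000
```

Run it on a copy of csol.env, diff the result against the original, and only then apply it to the real file. Because anything that can reach the configured port can submit source events that start Playbooks, limit network reachability of that port to the applications that are supposed to send logs.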

Impact of Workspaces on Syslogs

On enabling workspaces, the existing Syslogs are assigned to your first workspace.

While creating a new Syslog, you must select a workspace before selecting a source app. The configured Syslog can be used to receive logs from an external application to the selected workspace. For more information on workspaces, see Workspaces.

Manage Syslogs

You can perform the following activities to manage Syslogs:

  • Edit Syslogs to update tenant details.

  • Search for a Syslog.

  • Filter Syslogs by activation status, by the user who configured them, and by the date on which they were configured.

  • Sort Syslogs by Syslog name and by configuration date.