Syslog Output

AEO Syslog Output

AEO can be configured to send syslog output to one or more designated syslog receivers, SIEMs, or analytics platforms such as Splunk, Elasticsearch, syslog-ng, rsyslog, Alert Logic, and more.

Requires

  • AEO Hub version 6.0.8 or above

  • Remote syslog receiver

Fields

  • Server (Required) - IP address of the external syslog receiver

  • Port (Required) - Port of the external syslog receiver

  • Level (Optional) - Minimum alert level to send; alerts below this level are not forwarded

  • Rule ID (Optional) - Send only alerts that match this specific rule ID

  • Location (Optional) - Log location, for example: agent123->/var/log/messages

  • Use FQDN (Optional) - Use the Fully Qualified Domain Name of the hub in the syslog output

  • Format (Optional) - Log format to transmit

    • default - Default AEO syslog format

    • cef - Common Event Format

    • json - JSON format

    • splunk - Splunk format

  • Groups (Optional) - Event group

Note

JSON output is recommended.

Step 1) Log in to the AEO console and select Integrations->Remote Syslog.

Step 2) Fill in the required fields (Server IP address and Port) and any optional fields.

Step 3) Click Update and wait 5-10 seconds for the page to refresh.

Local Log collection agent

The AEO hub runs on a standard build of Red Hat Enterprise Linux 7 or CentOS 7. Any local log transport agent that supports these distributions can be used to collect the AEO hub logs and send them to a remote location.

AEO alert logs are located at: /var/ossec/logs/alerts/alerts.json
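As an added example (not AEO's own code or the console's built-in output), the following Python forwarder does what a minimal local log collection agent would do with the alert file above: it applies the same Level, Rule ID and Location filters the console exposes, frames each surviving JSON alert as an RFC 5424 syslog message, and ships the frames over TCP with octet counting. The alert field layout (rule.level, rule.id, agent.name, location, timestamp), the hostname aeo-hub / aeo-hub.example.com, and the level-to-severity mapping are assumptions, and the sample lines are constructed.

```python
import json
import socket

# Constructed sample alerts.json lines. The field layout (rule.level, rule.id,
# agent.name, location, timestamp) is an assumption; check it against a real line.
SAMPLE_LINES = [json.dumps(a, separators=(",", ":")) for a in [
    {"timestamp": "2024-01-10T12:00:00.000Z", "rule": {"level": 3, "id": "100001"},
     "agent": {"name": "agent123"}, "location": "/var/log/messages", "full_log": "low"},
    {"timestamp": "2024-01-10T12:00:01.000Z", "rule": {"level": 10, "id": "100002"},
     "agent": {"name": "agent123"}, "location": "/var/log/secure", "full_log": "mid"},
    {"timestamp": "2024-01-10T12:00:02.000Z", "rule": {"level": 12, "id": "100003"},
     "agent": {"name": "agent456"}, "location": "/var/log/messages", "full_log": "high"},
]]

def matches(alert, min_level=0, rule_id=None, location=None):
    """Apply the same filters the AEO console exposes: Level, Rule ID and Location."""
    if alert["rule"]["level"] < min_level:
        return False
    if rule_id is not None and alert["rule"]["id"] != rule_id:
        return False
    # Location uses the page's agent->path form, e.g. agent123->/var/log/messages
    if location is not None and f'{alert["agent"]["name"]}->{alert["location"]}' != location:
        return False
    return True

def to_syslog(alert, hostname="aeo-hub", fqdn="aeo-hub.example.com", use_fqdn=False):
    """Frame one alert as an RFC 5424 message whose MSG part is the JSON alert."""
    level = alert["rule"]["level"]
    # Assumed level-to-severity mapping: >=12 alert(1), >=7 warning(4), else info(6)
    severity = 1 if level >= 12 else 4 if level >= 7 else 6
    pri = 1 * 8 + severity  # facility 1 = user-level messages
    host = fqdn if use_fqdn else hostname
    body = json.dumps(alert, separators=(",", ":"))
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {alert['timestamp']} {host} aeo-alerts - {alert['rule']['id']} - {body}"

def select_frames(lines, use_fqdn=False, **filters):
    """Parse alerts.json lines, drop the ones the filters reject, return syslog frames."""
    alerts = (json.loads(line) for line in lines if line.strip())
    return [to_syslog(a, use_fqdn=use_fqdn) for a in alerts if matches(a, **filters)]

def forward(frames, host, port=514):
    """Send frames over TCP with RFC 6587 octet counting so JSON bodies are never split."""
    with socket.create_connection((host, port), timeout=5) as sock:
        for frame in frames:
            data = frame.encode("utf-8")
            sock.sendall(f"{len(data)} ".encode("ascii") + data)
    return len(frames)
```

On the hub, `forward(select_frames(open("/var/ossec/logs/alerts/alerts.json"), min_level=7), "siem.example.com")` forwards every alert of level 7 or higher to a receiver listening on TCP 514 (hostname is a placeholder).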