AEO Syslog Output
AEO can be configured to send syslog output to one or more designated syslog receivers, SIEMs, or analytics platforms such as Splunk, Elasticsearch, syslog-ng, rsyslog, Alert Logic, and others.
Requirements: AEO Hub version 6.0.8 or above, and a remote syslog receiver.
Server (Required) - IP address of the external syslog receiver
Port (Required) - Port of the external syslog receiver
Level (Optional) - Minimum alert level to send
Rule ID (Optional) - Specific rule ID to send
Location (Optional) - Log location, for example: agent123->/var/log/messages
Use FQDN (Optional) - Use the fully qualified domain name in the syslog output
Format (Optional) - Log format to transmit, one of:
    default - Default AEO syslog format
    cef - Common Event Format
    json - JSON format
    splunk - Splunk format
Groups (Optional) - Event group to send
JSON output is recommended.
Step 1) Log in to the AEO console and select Integrations->Remote Syslog.
Step 2) Fill in the required fields (Server IP address and Port) and any optional fields.
Step 3) Click Update and wait 5-10 seconds for the page to refresh.
Local Log collection agent
The AEO hub runs on a standard build of Red Hat Enterprise Linux 7 or CentOS 7. Any local log transport agent that supports these distributions can be used to collect the AEO hub logs and send them to a remote location.
AEO Alert logs are located at: /var/ossec/logs/alerts/alerts.json
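As an added illustration (not AEO's own code) of what a local collection agent does with the alerts file, and of the Level, Rule ID, Location and Use FQDN options described above, the following reads alerts.json lines, applies those filters, and renders each surviving alert as an RFC 5424 syslog line. The sample alert lines are constructed, and their field names (rule.level, rule.id, agent.name, location) are assumed rather than taken from AEO documentation.

```python
import json
import socket

# Constructed sample of /var/ossec/logs/alerts/alerts.json (one JSON object per
# line). The field names (rule.level, rule.id, agent.name, location) are assumed
# for this example, not documented on the AEO page. The last line is truncated
# on purpose, as a line the hub is still writing would be.
SAMPLE_ALERTS = """\
{"timestamp":"2024-01-05T10:00:00.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"name":"agent123"},"location":"/var/log/secure"}
{"timestamp":"2024-01-05T10:00:05.000+0000","rule":{"level":10,"id":"5710","description":"sshd: Attempt to login using a non-existent user"},"agent":{"name":"agent123"},"location":"/var/log/secure"}
{"timestamp":"2024-01-05T10:00:09.000+0000","rule":{"level":7,"id":"2502","description":"syslog: User missed the password more than one time"},"agent":{"name":"web01"},"location":"/var/log/messages"}
{"timestamp":"2024-01-05T10:00:12.000+0000","rule":{"level":5,"id":"5
"""

def select_alerts(lines, min_level=0, rule_id=None, location=None):
    """Apply the same optional filters the Remote Syslog integration offers:
    minimum alert level, a single rule ID, and a log location (agent->file)."""
    selected = []
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a blank line or one the hub has not finished writing
        rule = alert.get("rule", {})
        if int(rule.get("level", 0)) < min_level:
            continue
        if rule_id is not None and str(rule.get("id")) != str(rule_id):
            continue
        agent = alert.get("agent", {}).get("name", "?")
        loc = f"{agent}->{alert.get('location', '?')}"
        if location is not None and loc != location:
            continue
        selected.append(alert)
    return selected

def to_syslog(alert, hostname="aeo-hub", use_fqdn=False):
    """Render one alert as an RFC 5424 line: facility local0, severity derived
    from the alert level (>=12 critical, >=7 warning, else informational)."""
    level = int(alert["rule"]["level"])
    severity = 2 if level >= 12 else 4 if level >= 7 else 6
    pri = 16 * 8 + severity
    host = hostname if use_fqdn else hostname.split(".")[0]
    ts = alert["timestamp"].replace("+0000", "+00:00")  # RFC 5424 wants a colon
    body = json.dumps(alert, separators=(",", ":"))
    return f"<{pri}>1 {ts} {host} aeo-alerts - {alert['rule']['id']} - {body}"

def forward(messages, server, port):
    """Send rendered lines to the remote receiver over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for msg in messages:
            sock.sendto(msg.encode(), (server, port))
```

Typical use is `forward([to_syslog(a) for a in select_alerts(open(path), min_level=7)], server, port)` with the receiver address from the Remote Syslog settings.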