Introduction
Your organization may use network tools that produce syslogs, the standard way network devices create, send, and centralize events taking place within a system. Once collected, these syslogs can be used to monitor and validate the activity taking place, or to investigate ongoing or past incidents.
Our appliances are able to ingest these syslogs to enrich Field Effect's monitoring visibility and, in some cases, create AROs based on the syslog data. This capability has recently been turned "on" by default and is available to clients wishing to take advantage of it.
While we have the ability to monitor and report (ARO) based on syslog data from various sources, it's worth noting that we rarely see a lot of security value in monitoring and reporting on these types of syslog sources. Between our endpoint agent, network sensor, and cloud integrations, we typically have very good visibility into an environment, and those log sources tend to create noise from an alerting perspective.
Syslog ingestion for our appliances is now enabled by default and available for both physical and virtual appliances, as well as primary and remote appliances. To learn more about this, see our Help Center content on appliances.
Sending Syslogs to your Appliance
To take advantage of syslog ingestion with your appliance, please send your syslogs to your appliance's IP address on UDP port 5514.
After setting this up in your environment, reach out to support@fieldeffect.com to confirm with our Support team that your appliance is receiving syslogs.
Enabling Syslog-based AROs
We currently have a limited number of analytics for ingested syslog data; however, more can be added if there are relevant syslog records that are a good indication of a security event. Currently, SonicWall and Fortinet users can enable ARO creation based on those syslogs.
SonicWall:
Alert generation based on firewall logins. This can be for any successful login, any failed login, or a high volume of failed logins. These tend to be leveraged by clients with compliance requirements for this monitoring.
Fortinet:
The following AROs can be generated:
- More than 5 unsuccessful VPN attempts
- VPN attempts outside of a specified geolocation
- Any IPS blocking warning
- Virus alerts
Sophos:
The following AROs can be generated:
- Login Event
- Brute Force Detected
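To illustrate the kind of rule behind the "more than 5 unsuccessful VPN attempts" ARO listed above, here is an added example that is not Field Effect's own analytic code. It parses constructed syslog lines written in a FortiGate-style key=value layout (field names such as subtype, action and remip are assumptions modelled on that style, not verified against a device) and flags any source IP that exceeds the threshold; grouping by source IP is also this example's choice.

```python
import re
from collections import Counter

# Matches key=value pairs, with values either "quoted" or bare (e.g. remip=203.0.113.10).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Return a dict of key=value fields from one syslog line (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in KV_RE.finditer(line)}


def failed_vpn_logins(lines):
    """Count failed SSL-VPN logins per source IP (remip); other records are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_kv(line)
        if rec.get("subtype") == "vpn" and rec.get("action") == "ssl-login-fail":
            counts[rec.get("remip", "unknown")] += 1
    return counts


def vpn_brute_force_aros(lines, threshold=5):
    """Sources with MORE than `threshold` failures, i.e. the page's 'more than 5' rule."""
    return {ip: n for ip, n in failed_vpn_logins(lines).items() if n > threshold}


def _line(action, user, remip, ts):
    # Builds one constructed sample line; the field names are assumptions, not real device output.
    return (f'<189>date=2024-05-01 time={ts} devname="fw1" type="event" subtype="vpn" '
            f'action="{action}" user="{user}" remip={remip}')


# Constructed sample input: 6 failures from one source, 2 from another, one success, one IPS event.
SAMPLE_LOGS = (
    [_line("ssl-login-fail", "alice", "203.0.113.10", f"10:00:{i:02d}") for i in range(6)]
    + [_line("ssl-login-fail", "bob", "198.51.100.7", "10:01:00"),
       _line("ssl-login-fail", "bob", "198.51.100.7", "10:01:05"),
       _line("ssl-login", "carol", "192.0.2.44", "10:02:00"),
       '<189>date=2024-05-01 time=10:03:00 devname="fw1" type="utm" subtype="ips" action="dropped"']
)

if __name__ == "__main__":
    for ip, n in vpn_brute_force_aros(SAMPLE_LOGS).items():
        print(f"ARO candidate: {n} failed VPN logins from {ip}")  # → 6 failed VPN logins from 203.0.113.10
```

Only 203.0.113.10 crosses the threshold; the two failures from 198.51.100.7 and the IPS record are counted or ignored as a real rule would do before an ARO is raised.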
If you would like to explore these capabilities, please reach out to support@fieldeffect.com.
Syslog Availability and Support
Currently, virtual appliances hosted by Field Effect do not support syslog ingestion, but this can be accomplished using a compact sensor alongside a virtual appliance.
Client-hosted virtual appliances do support syslog ingestion.