Configure Syslog Export
For on-premise: it can be accessed at the System level.
For hosted: it can be accessed at the SO level.
Syslog export gives detailed information on which events are audited and how they are recorded, and provides an automated way to get the records out to be consumed by a SIEM (security information and event management) product. With this, many user actions within N-central can now be automatically exported to your syslog server in near real time. In turn, you can pull these logs from your syslog server into your SIEM product.
How it works
The permissions to set
You need to set the appropriate permissions in N-central to configure and export the syslog audit report.
For more information about roles and permissions, see Role-based permissions.
In Administration > User Management > Roles (choose a role) > Configuration > Compliance, select Manage.
To configure Syslog Export:
- From the left-hand navigation menu, click Administration > Audit Export.
- Toggle the Enable Syslog Export button to enable or disable the export.
- Enter the Syslog Server Hostname/IP Address in the text box.
- Enter the Syslog Server Port. The default value is 514 for non-TLS (unencrypted) and 6514 for TLS (encrypted).
  For on-premise: it is HIGHLY recommended to use port 6514 TCP and TLS encryption for security purposes.
  For hosted: port 6514 TCP is the ONLY available port and requires TLS encryption. UDP ports are not currently supported, and all communication within N-central occurs over TCP.
- Toggle Enable TLS to enable or disable TLS encryption. If TLS is used (as required for hosted environments), a hostname must be used instead of an IP address.
  Enabling TLS is optional if the receiving device is on the same subnet as N-central.
  It is strongly recommended to use TLS if the receiving device is not on the same subnet as N-central.
- When TLS is enabled, input the Syslog TLS Certificate in the text box. Enter the TLS certificate that will be used to encrypt the Syslog messages. This certificate should be issued by a trusted Certificate Authority (CA) and match the configuration of your Syslog server. A valid TLS certificate is required; self-signed TLS certificates are not supported.
- Click Test Export to send a single test record out to the receiving device. Syslog is a one-way logging protocol, where messages are transmitted from the client to the syslog server without expecting any response.
Example of syslog export log:
where 110 is the Priority (calculated and hard coded), 1 is the Syslog version in use, followed by the date and time of the action in UTC/ISO 8601 format, and ncentraldms or secure syslog is the source of the action.
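The header fields described above can be checked on the receiving side before records reach the SIEM. The following Python is an added example, not N-central code: it decodes the Priority value (110 = facility 13, severity 6) and flags records whose header differs from what this page describes. It assumes an RFC 5424 header layout with the source in the APP-NAME position; the sample records and host names are constructed.

```python
import re
from datetime import datetime, timedelta

# Header layout assumed from RFC 5424 (VERSION 1); field order is an assumption.
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
EXPECTED_PRI, EXPECTED_VERSION = 110, 1  # values stated on this page

# Constructed sample records (not real N-central output).
SAMPLE = ("<110>1 2025-01-15T09:30:00.000Z ncentral.example.com ncentraldms "
          "- - - constructed test record")
RELAYED = ("<14>1 2025-01-15T10:30:00+01:00 relay.example.com ncentraldms "
           "- - - constructed record rewritten by a relay")

def parse_record(line):
    """Split one record into header fields and decode PRI."""
    m = HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 style record")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    # Older Python versions reject a trailing "Z", so normalise it first.
    ts = datetime.fromisoformat(re.sub(r"Z$", "+00:00", m["ts"]))
    return {"pri": pri, "facility": facility, "severity": SEVERITY[severity],
            "version": int(m["version"]), "timestamp": ts,
            "host": m["host"], "app": m["app"], "rest": m["rest"]}

def check_record(line):
    """Return the ways a record differs from the header this page describes."""
    rec = parse_record(line)
    problems = []
    if rec["pri"] != EXPECTED_PRI:
        problems.append("unexpected PRI %d" % rec["pri"])
    if rec["version"] != EXPECTED_VERSION:
        problems.append("unexpected version %d" % rec["version"])
    if rec["timestamp"].utcoffset() != timedelta(0):
        problems.append("timestamp is not UTC")
    return problems

if __name__ == "__main__":
    print(parse_record(SAMPLE))   # facility 13 is "log audit" in RFC 5424
    print(check_record(RELAYED))  # header changed somewhere in transit
```

A record that fails these checks on the syslog server usually means an intermediate relay rewrote the header or the record came from a different sender.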