KFSensor


SysLog Alerts

Use the SysLog Alerts dialog box to configure the sending of alerts to a SysLog server.

In addition to recording events in the event log and providing audio and system tray alerts, KFSensor is able to send alerts to an external SysLog server.

SysLog is the standard way of recording events on UNIX machines.
The syslog protocol runs over UDP. This is not as reliable as TCP, but it is effective and efficient in most situations.

The Alerts section of the Concepts part of the manual describes the different alert options in more detail.

SysLog Server

  • Enable
    If this option is checked the SysLog alert feature will be enabled and the rest of the settings must contain correct values for the alerts to work.
  • Server
    The address of the machine running the SysLog server. This can be a DNS name or an IP address.
  • Port
    The port number of the SysLog server. The standard port for this is 514.

Alert Details

  • Format
    Standard
    This sets the format of the syslog message to be that expected by a traditional syslog server.
    ArcSight CEF
    KFSensor can be configured to forward events to ArcSight in CEF format. This streamlines and simplifies the integration of KFSensor with the ArcSight Enterprise Threat and Risk Management (ETRM) platform.

    The Common Event Format (CEF) is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF is the first log management standard to support a broad range of device types. CEF enables technology companies and customers to use a common event log format so that data can easily be collected and aggregated for analysis by an enterprise management system.

    Qradar LEEF
    KFSensor can be configured to forward events to IBM QRadar in LEEF format. This streamlines and simplifies the integration of KFSensor with IBM QRadar.

    Log Event Extended Format (LEEF) is a log format designed for ingesting events into the QRadar system.

  • From Host
    The domain name or IP address of the KFSensor server.
    This is used to identify the source of an event on the SysLog server. It does not have to be accurate for the event to be logged.
    The drop down list contains a variety of values to handle dynamic IP allocation.
  • Application
    The name of the application generating the event. By default this should be 'kfsensor'.
  • Facility
    The facility is a way of identifying the priority and type of an event in SysLog. There are 24 possible facilities to choose from. The default is '10 - security/authorization'.
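The three message formats above, and the way the Facility setting combines with an event's severity into the syslog priority value, are easiest to see in code. The following is an added example, not KFSensor's own code: the honeypot event fields, the vendor/product strings, the mapping of Low/Medium/High onto syslog and CEF/LEEF severity scales, and the exact message layout are all assumptions made for illustration.

```python
"""Build syslog lines for one honeypot event in Standard (BSD syslog), ArcSight
CEF and QRadar LEEF layouts.  Added example, not KFSensor's own code; the event
fields, vendor/product strings and severity mappings are assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Syslog severity codes (0-7). Mapping KFSensor's Low/Medium/High onto
# informational/warning/critical is an assumption for this example.
SEVERITY = {"Low": 6, "Medium": 4, "High": 2}
# CEF and LEEF both carry a 0-10 style severity; again an assumed mapping.
SIEM_SEVERITY = {"Low": 3, "Medium": 6, "High": 9}


@dataclass
class HoneypotEvent:
    """Constructed honeypot event carrying the fields the formatters need."""
    timestamp: datetime
    sensor_host: str      # the "From Host" value
    src_ip: str
    src_port: int
    dst_port: int
    service: str
    severity: str         # "Low" | "Medium" | "High"
    description: str


def syslog_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity.  Facility 10 is security/authorization,
    the dialog's default; 24 facilities (0-23) and 8 severities (0-7) exist."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def _prefix(ev: HoneypotEvent, facility: int, app: str) -> str:
    """'<PRI>Mmm dd hh:mm:ss host app: ' as a traditional syslog server expects.
    BSD syslog pads a single-digit day with a space, hence the manual width."""
    pri = syslog_pri(facility, SEVERITY[ev.severity])
    ts = f"{ev.timestamp:%b} {ev.timestamp.day:2d} {ev.timestamp:%H:%M:%S}"
    return f"<{pri}>{ts} {ev.sensor_host} {app}: "


def format_standard(ev, facility=10, app="kfsensor"):
    """Standard format: the prefix followed by a free-text message."""
    msg = (f"{ev.service} from {ev.src_ip}:{ev.src_port} "
           f"to port {ev.dst_port} [{ev.severity}] {ev.description}")
    return _prefix(ev, facility, app) + msg


def _cef_header(s: str) -> str:
    # CEF header fields escape backslash and the pipe delimiter
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(s: str) -> str:
    # CEF extension values escape backslash and the equals sign
    return s.replace("\\", "\\\\").replace("=", "\\=")


def format_cef(ev, facility=10, app="kfsensor"):
    """ArcSight CEF: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext."""
    header = "|".join(_cef_header(x) for x in (
        "CEF:0", "ExampleVendor", "Honeypot", "1.0", ev.service,
        ev.description, str(SIEM_SEVERITY[ev.severity])))
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in (
        ("src", ev.src_ip), ("spt", str(ev.src_port)),
        ("dpt", str(ev.dst_port)), ("dhost", ev.sensor_host), ("proto", "TCP")))
    return _prefix(ev, facility, app) + header + "|" + ext


def format_leef(ev, facility=10, app="kfsensor"):
    """IBM QRadar LEEF 1.0: LEEF:1.0|Vendor|Product|Version|EventID|k=v<TAB>k=v."""
    header = "|".join(("LEEF:1.0", "ExampleVendor", "Honeypot", "1.0", ev.service))
    attrs = "\t".join(f"{k}={v}" for k, v in (
        ("devTime", ev.timestamp.strftime("%b %d %Y %H:%M:%S")),
        ("src", ev.src_ip), ("srcPort", ev.src_port),
        ("dst", ev.sensor_host), ("dstPort", ev.dst_port),
        ("sev", SIEM_SEVERITY[ev.severity]), ("msg", ev.description)))
    return _prefix(ev, facility, app) + header + "|" + attrs


# Constructed sample event used for the demonstration below.
SAMPLE_EVENT = HoneypotEvent(datetime(2024, 3, 5, 14, 7, 9), "sensor01",
                             "203.0.113.7", 51234, 22, "SSH", "Medium",
                             "Login attempt")

if __name__ == "__main__":
    for fmt in (format_standard, format_cef, format_leef):
        print(fmt(SAMPLE_EVENT))
```

With the default facility of 10 and a Medium event, every line starts with `<84>` (10 * 8 + 4); a receiving syslog server decodes the facility and severity from that number, not from the text that follows, which is why the Facility setting matters even when the From Host and Application values are cosmetic.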

Filter

These options are used to restrict the number of events sent so as not to overload your SysLog server.
  • Interval
    If this value is greater than zero then KFSensor will not send another alert for the specified number of seconds.
    This may mean that some events will be missed.
  • Severity
    This limits the sending of alerts based on the severity of the event.
    For example, if set to Medium, then only events with Medium or High severity will generate alerts.
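The Interval and Severity filters, and the fire-and-forget nature of UDP delivery mentioned earlier, are shown together in the following added example (not KFSensor's own code). It models the two filter settings as described in this section, then sends the surviving lines to a throwaway UDP listener on the loopback interface so both sides of the exchange are visible; the event list is constructed, and the exact threshold semantics are an assumption modelled on the text above.

```python
"""Severity and interval filtering in front of a UDP syslog sender.
Added example, not KFSensor's own code; events below are constructed."""
import socket
from typing import List, Optional, Tuple

SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2}


class AlertFilter:
    """Drops events below the severity threshold and, when interval_seconds > 0,
    suppresses any further alert within that many seconds of the last one sent.
    Suppressed events are simply missed, as the manual warns."""

    def __init__(self, min_severity: str = "Low", interval_seconds: float = 0):
        self.min_rank = SEVERITY_RANK[min_severity]
        self.interval = interval_seconds
        self.last_sent: Optional[float] = None
        self.dropped = 0

    def allow(self, severity: str, now: float) -> bool:
        if SEVERITY_RANK[severity] < self.min_rank:
            self.dropped += 1
            return False
        if (self.interval > 0 and self.last_sent is not None
                and now - self.last_sent < self.interval):
            self.dropped += 1
            return False
        self.last_sent = now
        return True


def apply_filter(events: List[Tuple[float, str, str]],
                 min_severity: str, interval_seconds: float) -> List[str]:
    """events are (timestamp_seconds, severity, message); returns the messages
    that would actually be sent under the given filter settings."""
    f = AlertFilter(min_severity, interval_seconds)
    return [msg for ts, sev, msg in events if f.allow(sev, ts)]


class UdpSyslogSender:
    """Sends each line as one UDP datagram to server:port (514 by default).
    sendto() returns the bytes handed to the kernel, not proof of delivery."""

    def __init__(self, server: str, port: int = 514):
        self.addr = (server, port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(self, line: str) -> int:
        return self.sock.sendto(line.encode("utf-8"), self.addr)

    def close(self) -> None:
        self.sock.close()


def loopback_demo(lines: List[str]) -> List[str]:
    """Bind a listener on 127.0.0.1 (OS-chosen port, since 514 is privileged),
    send the lines to it and return what arrived, decoded."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    sender = UdpSyslogSender("127.0.0.1", listener.getsockname()[1])
    try:
        for line in lines:
            sender.send(line)
        received = []
        for _ in lines:
            data, _peer = listener.recvfrom(65535)
            received.append(data.decode("utf-8"))
        return received
    finally:
        sender.close()
        listener.close()


# Constructed event stream: (seconds since start, severity, message).
EVENTS = [
    (0.0, "Low", "ICMP probe"),
    (1.0, "Medium", "SSH login attempt"),
    (2.5, "High", "SMB probe"),
    (8.0, "High", "RDP connection"),
]

if __name__ == "__main__":
    sent = apply_filter(EVENTS, "Medium", 5)
    print("sent after filtering:", sent)
    print("received on loopback:", loopback_demo(sent))
```

With Severity set to Medium and Interval set to 5, the Low event is dropped outright, and the High event at 2.5 s is lost because it falls within five seconds of the alert sent at 1.0 s; only two of the four events reach the server. An Interval of 0 keeps the severity filter but forwards every qualifying event.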
