Syslog
- 14 Sep 2023
About this Article
This article describes how to configure a Syslog server with VSP CMS, the syslog message formats, and the mapping of unique message codes to events.
Enable Syslog Server on CMS
A super admin can configure the Syslog server on VSP CMS as follows:
- Log in to CMS in any browser using the URL https://<CMS_IPAddress>
- Navigate to Administration > Configurations in the left navigation pane
- Expand Syslog Server Settings
- Click Enable Forwarding
- Enter the Syslog server details: Host Name, IP Address, Protocol, Port, Log Data Format and Log Filter
- Click TEST SETTINGS to verify the configuration
- Click SAVE
Syslog Format
Log Format
General Log Format
TIMESTAMP|Virsec Security Platform|Virsec|<RELEASE VERSION>|<MESSAGE SPECIFIC NUMBER>|<BRIEF EVENT DESCRIPTION>|<NOTIFICATION SEVERITY>|<DETAILED INFORMATION>
The table below describes the log parameters:
Parameter | Description |
---|---|
TIMESTAMP | The timestamp when the event occurred, followed by the log format (CEF: 1) |
Virsec Security Platform | (Constant) Product name |
Virsec | (Constant) Vendor name |
<RELEASE VERSION> | VSP release number |
<MESSAGE SPECIFIC NUMBER> | A number unique to each type of event (see the VSP Events table) |
<BRIEF EVENT DESCRIPTION> | A brief description of the event |
<NOTIFICATION SEVERITY> | The notification severity of the event, as a number (see the sample message) |
<DETAILED INFORMATION> | All relevant information about the event, as key=value pairs |
Sample Log Message
Jul 6 12:24:54 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.3.0|117|CMS User Login Successful|8|src=10.16.6.4 role=Super Admin login_at=06 Jul 2020 04:25:58 PM UTC realm=LOCAL username=npatro@virsec.com msg=User npatro@virsec.com succeeded in authentication.
Attack/Threat Log Format
General Attack/Threat Log Format
TIMESTAMP|Virsec Security Platform|Virsec|<RELEASE VERSION>|<MESSAGE SPECIFIC NUMBER>|<BRIEF EVENT DESCRIPTION>|<SEVERITY>|<EVENT ID>|<DETAILED INFORMATION>
The table below describes the log parameters:
Parameter | Description |
---|---|
TIMESTAMP | The timestamp when the event occurred, followed by the log format (CEF: 1) |
Virsec Security Platform | (Constant) Product name |
Virsec | (Constant) Vendor name |
<RELEASE VERSION> | VSP release number |
<MESSAGE SPECIFIC NUMBER> | A number unique to each type of event (see the VSP Events table) |
<BRIEF EVENT DESCRIPTION> | A brief description of the event |
<SEVERITY> | The severity of the event, as a number (see the sample message) |
<EVENT ID> | A unique ID generated by CMS for each incident. The Event ID encodes the attack type and the date on which the incident was reported. |
<DETAILED INFORMATION> | All relevant information about the event, as key=value pairs |
The Event ID encodes the following information:
Sample Attack/Threat Log
Jul 7 02:46:23 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.3.0|2|SQLi|10|EventId=VS-SQLI-070720-A00262|Application_Name=Suneel-Tomcat7 Tomcat7 Server_Name=WIN-SUNEEL Incident_Level=ATTACK Incident_Category=WEB_ATTACK Incident_Type=SQLi Incident_Timestamp=07 Jul 2020 06:47:28 AM UTC Threat Level=ATTACK Malicious Input=[{"account_name": "smith' OR '1' = '1"}] Attacker=10.16.11.250:55998 Event Source Name=CVE SQL=SELECT * FROM user_data WHERE last_name = ?{1=smith' OR '1' = '1} Session token id=F5B0479E70CE19603A807CC15183EB1A UUID=50e5e82d-403e-4c HTTP Request=POST /webgoat/attack pid=2056 description=SQLi category=Web Attack eventTime=2020-07-07 06:46:32 tid=25
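As an added example (not part of this article or of the VSP product), the following Python parser handles both log formats described above: it splits the pipe-delimited header, recognises the attack/threat variant by its EventId field, maps the message code through a subset of the VSP Events table, and splits the detailed information into key/value pairs. The multi-word key list and the event-code subset are assumptions built from the samples and the table on this page.

```python
import re

# Keys containing spaces, taken from this article's sample attack log. They are
# listed explicitly because a plain whitespace split would cut them apart
# (assumption: the list is built from the page's samples, not from a VSP schema).
MULTI_WORD_KEYS = ("Event Source Name", "Session token id", "Malicious Input",
                   "Threat Level", "HTTP Request")
# Subset of the VSP Events table on this page (code -> event name).
EVENT_CODES = {2: "SQL Injection", 117: "CMS User logged in successfully",
               119: "CMS User login unsuccessful"}

# A key is either a known multi-word key or a single identifier, directly followed by '='.
_KEY_RE = re.compile(r"(?:^|(?<=\s))(" + "|".join(re.escape(k) for k in MULTI_WORD_KEYS)
                     + r"|[A-Za-z_]\w*)=")
# Syslog prefix: "Jul 6 12:24:54 10.16.6.4 CEF: 1"
_PREFIX_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) CEF: (\d+)$")

def parse_details(details: str) -> dict:
    """Split <DETAILED INFORMATION> into key/value pairs; values may contain spaces."""
    hits = list(_KEY_RE.finditer(details))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(details)
        out[m.group(1)] = details[m.end():end].strip()
    return out

def parse_vsp_syslog(line: str) -> dict:
    """Parse one VSP CMS syslog line in either the general or the attack/threat format."""
    prefix, sep, rest = line.partition("|")
    pm = _PREFIX_RE.match(prefix.strip())
    if not sep or not pm:
        raise ValueError("not a VSP CEF syslog line")
    fields = rest.split("|", 6)  # product, vendor, release, code, description, severity, tail
    if len(fields) != 7:
        raise ValueError("missing header fields")
    product, vendor, release, code, description, severity, tail = fields
    rec = {"timestamp": pm.group(1), "source": pm.group(2), "cef_version": int(pm.group(3)),
           "product": product, "vendor": vendor, "release": release, "code": int(code),
           "description": description, "severity": int(severity), "event_id": None}
    if tail.startswith("EventId="):  # only the attack/threat format carries <EVENT ID>
        event_id, _, tail = tail.partition("|")
        rec["event_id"] = event_id[len("EventId="):]
    rec["event"] = EVENT_CODES.get(rec["code"], "unknown code")
    rec["details"] = parse_details(tail)
    return rec

def is_attack(rec: dict) -> bool:
    """Attack/threat records are the ones that carry an Event ID."""
    return rec["event_id"] is not None
```

Because keys in the detailed information may contain spaces, any new multi-word key emitted by a future release must be added to MULTI_WORD_KEYS or it will be split at the wrong place.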
VSP Events
The table below lists all VSP events and their corresponding message codes:
Event | Code |
---|---|
User Management Events | |
New User Invited | 101 |
CMS User Activated | 102 |
CMS User Deactivated | 103 |
CMS User Deleted | 104 |
CMS User Role Updated | 105 |
CMS User Password Reset | 106 |
CMS User Account Locked | 107 |
CMS User IP Address Blocked | 108 |
Login and Logout Events | |
CMS User logged in successfully | 117 |
CMS User logged out successfully | 118 |
CMS User login unsuccessful | 119 |
Application Related Events | |
Application Created | 109 |
Application Deleted | 110 |
System Alerts | |
Probe Associated to Application | 114 |
New Probe Registration | 116 |
Provisioning Related Events | |
Application Provisioning Started | 111 |
Application Provisioning Failed | 112 |
Application Provisioning Stopped | 113 |
Application Provisioning Completed | 115 |
Attacks - Web Protection | |
SQL Injection | 2 |
Stored XSS | 4 |
Reflected XSS | 5 |
CRLF Injection | 6 |
Path Traversal | 7 |
CMDi (Command Injection) | 8 |
Cross-site Request Forgery | 9 |
Attacks - Web Protection (On Web Server) | |
DOS Protection | 11 |
Scanner Detection | 12 |
Protocol Attack | 13 |
Protocol Enforcement | 14 |
Application Attack - LFI | 16 |
Application Attack - RFI | 17 |
Application Attack - RCE | 18 |
Application Attack - XSS | 19 |
Application Attack - SQLi | 20 |
Application Attack - PHP | 21 |
Application Attack - JAVA | 22 |
Session Fixation | 23 |
Method Enforcement | 30 |
XML Injection | 31 |
LFI RFI Attacks | |
Local File Inclusion | 32 |
Remote File Inclusion | 33 |
DOM XSS | 34 |
Fileless Attacks | |
Buffer Error | 35 |
Authentication Failures | |
Authentication Failure | 37 |
Attacks - Host Protection | |
Process Monitoring | 40 |
Library Monitoring | 41 |
File Integrity | 42 |
PVE Attacks | |
Exception Notify | 46 |
Signal Notify | 47 |