To gain better visibility into real-time web attacks, SafeLine supports forwarding detailed logs via Syslog. This allows you to integrate SafeLine with third-party monitoring platforms like SIEM or log aggregators.
π§ How to Configure Syslog in SafeLine
1. Enable Syslog Forwarding
Navigate to the System page in the SafeLine dashboard. Under Syslog Settings, input the required server address and port. SafeLine uses UDP protocol and follows the RFC-5424 standard for log formatting.
Note: Make sure your firewall allows UDP traffic to the specified Syslog server.
2. Verify Syslog Connectivity
Once configured, click the Test button. If the Syslog server receives a message like the following, your setup is working correctly:
<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.
π SafeLine Syslog Log Format
SafeLine outputs logs in structured JSON format, making them easy to parse and analyze. Each log entry contains detailed context about HTTP requests, including attack events, request metadata, and enforcement actions.
Hereβs an example of a typical Syslog message:
{
"scheme": "http",
"src_ip": "12.123.123.123",
"src_port": 53008,
"socket_ip": "10.2.71.103",
"upstream_addr": "10.2.34.20",
"req_start_time": 1712819316749,
"rsp_start_time": null,
"req_end_time": 1712819316749,
"rsp_end_time": null,
"host": "safeline-ce.chaitin.net",
"method": "GET",
"query_string": "",
"event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",
"session": "",
"site_uuid": "35",
"site_url": "http://safeline-ce.chaitin.net:8083",
"req_detector_name": "1276d0f467e4",
"req_detect_time": 286,
"req_proxy_name": "16912fe30d8f",
"req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
"req_location": "urlpath",
"req_payload": "",
"req_decode_path": "",
"req_rule_module": "m_rule",
"req_http_body_is_truncate": 0,
"rsp_http_body_is_truncate": 0,
"req_skynet_rule_id_list": [65595, 65595],
"http_body_is_abandoned": 0,
"country": "US",
"province": "",
"city": "",
"timestamp": 1712819316,
"payload": "",
"location": "urlpath",
"rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
"decode_path": "",
"cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",
"user_agent": "PostmanRuntime/7.28.4",
"referer": "",
"timestamp_human": "2024-04-11 15:08:36",
"resp_reason_phrase": "",
"module": "m_rule",
"reason": "",
"proxy_name": "16912fe30d8f",
"node": "1276d0f467e4",
"dest_port": 8083,
"dest_ip": "10.2.34.20",
"urlpath": "/webshell.php",
"protocol": "http",
"attack_type": "backdoor",
"risk_level": "high",
"action": "deny",
"req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n",
"body": "",
"req_block_reason": "web",
"req_attack_type": "backdoor",
"req_risk_level": "high",
"req_action": "deny"
}
This rich data includes:
- Source and destination IPs and ports
- Requested URL and HTTP method
- Attack type and risk level
- Rule/module triggered
- Enforcement action (e.g., deny)
- Full raw headers and request metadata
π Why Use Syslog with SafeLine?
By integrating Syslog:
- You centralize your WAF logs with existing monitoring tools
- You gain real-time insight into threat patterns
- You can trigger alerts or automated responses using external systems
π Resources:
SafeLineβs Syslog support ensures seamless integration with your security infrastructure β empowering you to stay ahead of threats with actionable data.
Top comments (0)