If you need to forward SafeLine attack logs to a third-party server (a SIEM or log collector) in real time, use SafeLine WAF's Syslog feature.
Enable Syslog
Go to the System page in SafeLine, and configure the Syslog option to complete the setup.
SafeLine Syslog transmits over UDP, and the message format follows RFC 5424. Note what that implies for the receiving side: UDP syslog is unauthenticated and unencrypted, and has no delivery guarantee, so messages can be dropped under load and a spoofed sender could inject fake events into the collector. Because each event carries the raw request headers and the `Cookie` value (see the format below), the log stream contains session tokens — send it only over a trusted network segment, restrict which sources the collector accepts, and treat the collector as holding credential material.
{.is-info}
Testing the Configuration
After completing the Syslog configuration, click the Test button. If the Syslog server receives a message like the following, the configuration is working (the timestamp, hostname and app-name fields will differ on your deployment; `<30>` is the RFC 5424 PRI value, i.e. facility `daemon` with severity `informational`):
<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.
SafeLine Syslog Event Format Specification

Each attack event is a JSON object with the fields shown below. The `//` annotations are documentation only and do not appear in the emitted message; a consumer should parse the body as plain JSON. Several fields are present both with a `req_` prefix and without one (e.g. `req_rule_id` / `rule_id`, `req_action` / `action`) and carry the same value in this sample; `event_id` is the natural deduplication and correlation key.
{
  "scheme": "http", // URL scheme of the request (same as `protocol` below)
  "src_ip": "12.123.123.123", // Client source IP as recorded by the WAF. NOTE(review): in this sample it equals the X-Real-Ip header in req_header_raw — if client IP is taken from a proxy header, confirm the trusted-proxy configuration so this field cannot be spoofed by the client
  "src_port": 53008, // Client source port
  "socket_ip": "10.2.71.103", // IP address of the WAF-side socket (presumably the listening address that accepted the connection — confirm)
  "upstream_addr": "10.2.34.20", // Upstream (backend) address; same value as `dest_ip`
  "req_start_time": 1712819316749, // Request start time, epoch milliseconds (13 digits; compare `timestamp`, which is seconds)
  "rsp_start_time": null, // Response start time, epoch milliseconds; null here — presumably no response phase when the request is denied (confirm)
  "req_end_time": 1712819316749, // Request end time, epoch milliseconds
  "rsp_end_time": null, // Response end time, epoch milliseconds; null here, see rsp_start_time
  "host": "safeline-ce.chaitin.net", // Host header value
  "method": "GET", // HTTP method
  "query_string": "", // Raw query string (empty in this sample)
  "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab", // 32-hex event identifier; use as the deduplication/correlation key in the SIEM
  "session": "", // Session identifier (empty in this sample)
  "site_uuid": "35", // Protected-site identifier; a numeric string despite the name, and it matches the SL-CE-SUID header in req_header_raw
  "site_url": "http://safeline-ce.chaitin.net:8083", // URL of the protected site
  "req_detector_name": "1276d0f467e4", // Detector node that evaluated the request; same value as `node`
  "req_detect_time": 286, // Time spent in detection; unit not documented on this page (confirm before alerting on it)
  "req_proxy_name": "16912fe30d8f", // Proxy instance that handled the request; same value as `proxy_name`
  "req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3", // Matched rule ID, prefixed by its module; same value as `rule_id`
  "req_location": "urlpath", // Part of the request where the match occurred (here the URL path); same value as `location`
  "req_payload": "", // Matched payload (empty in this sample); same value as `payload`
  "req_decode_path": "", // Decoding steps applied before matching (empty in this sample); same value as `decode_path`
  "req_rule_module": "m_rule", // Module that owns the matched rule; same value as `module`
  "req_http_body_is_truncate": 0, // 0/1 flag — presumably 1 when the logged request body was truncated (confirm; 0 here)
  "rsp_http_body_is_truncate": 0, // 0/1 flag — presumably 1 when the logged response body was truncated (confirm; 0 here)
  "req_skynet_rule_id_list": [ // Numeric IDs of the built-in (skynet) rules that matched; this sample shows the same ID twice, so do not assume uniqueness
    65595,
    65595
  ],
  "http_body_is_abandoned": 0, // 0/1 flag — presumably 1 when the body was not retained at all (confirm; 0 here)
  "country": "US", // GeoIP country code of the source IP
  "province": "", // GeoIP province/region (empty in this sample)
  "city": "", // GeoIP city (empty in this sample)
  "timestamp": 1712819316, // Event time, epoch seconds (UTC)
  "payload": "", // Matched payload; duplicate of `req_payload`
  "location": "urlpath", // Match location; duplicate of `req_location`
  "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3", // Matched rule ID; duplicate of `req_rule_id`
  "decode_path": "", // Decoding steps; duplicate of `req_decode_path`
  "cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==", // Raw Cookie header — contains session tokens, so the syslog stream and collector must be treated as sensitive
  "user_agent": "PostmanRuntime/7.28.4", // User-Agent header
  "referer": "", // Referer header (empty in this sample)
  "timestamp_human": "2024-04-11 15:08:36", // `timestamp` rendered in the WAF's local time with no zone suffix (1712819316 is 07:08:36 UTC, so this sample is UTC+8); correlate on `timestamp`, not on this string
  "resp_reason_phrase": "", // HTTP response reason phrase (empty in this sample)
  "module": "m_rule", // Rule module; duplicate of `req_rule_module`
  "reason": "", // Free-text reason (empty in this sample)
  "proxy_name": "16912fe30d8f", // Proxy instance; duplicate of `req_proxy_name`
  "node": "1276d0f467e4", // Detector node; duplicate of `req_detector_name`
  "dest_port": 8083, // Destination (upstream) port
  "dest_ip": "10.2.34.20", // Destination (upstream) IP; same value as `upstream_addr`
  "urlpath": "/webshell.php", // Request path without the query string
  "protocol": "http", // Protocol; same value as `scheme`
  "attack_type": "backdoor", // Attack category assigned to the event; duplicate of `req_attack_type`
  "risk_level": "high", // Risk level assigned to the event; duplicate of `req_risk_level`
  "action": "deny", // Action taken by the WAF; duplicate of `req_action`
  "req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n", // Complete raw request line and headers, CRLF-separated, including Cookie and any auth headers the client sent; SL-CE-SUID appears to be a WAF-internal site-id header
  "body": "", // Request body (empty in this sample); see the *_is_truncate / http_body_is_abandoned flags above
  "req_block_reason": "web", // Reason category for the block ("web" in this sample)
  "req_attack_type": "backdoor", // Attack category; duplicate of `attack_type`
  "req_risk_level": "high", // Risk level; duplicate of `risk_level`
  "req_action": "deny" // Action taken; duplicate of `action`
}