Syslog configuration

Syslog configuration can be performed by Product and Admin users.

Configure syslog

Enable forwarding of Cyber Vision events and alerts to an external syslog server to integrate with a Security Information and Event Management (SIEM) system.

To configure syslog, follow these steps:

Before you begin

  • Ensure you have administrator access to Cyber Vision Center.

  • Confirm that the external syslog server is accessible. Obtain the host IP address, port, and the required protocol.

  • If secure communication is required, ensure you have the P12 certificate from your SIEM administrator.

  • Recent syslog format changes:

    • Standard and RFC3164 formats are deprecated.

    • Standard/CEF is now named CEF.

    • RFC3164/CEF is now named CEF Extended Time Precision.


    Note


    If the deployment had Standard or RFC3164 formats configured, version 5.3.x setup migrates the configuration to CEF.


Procedure


Step 1

From the main menu, choose Admin > System.

Step 2

Click Configure in the Syslog configuration menu.

Step 3

Select Protocol.

Note

If secure communication is required, select TCP + TLS and import the P12 certificate.

Step 4

Enter the syslog server Host IP address and Port that are accessible from Cyber Vision Center.

Step 5

Select the required Format.

  • CEF: This format, based on the Common Event Format (CEF) standard, sends events with second-precision timestamps.

  • CEF Extended Time Precision: This format, based on the Common Event Format (CEF) and an extended syslog header, sends events with millisecond-precision timestamps.

Step 6

Save the configuration.


Cyber Vision Center sends events from the Classic UI to syslog with 'Version Number = 1.0'. It sends alerts from the New UI to syslog with 'Version Number = 2.0'.
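
On the receiving side, a SIEM ingest step can use that version value to tell Classic UI events from New UI alerts. The Python parser below is an added example, not Cisco code: it assumes the 'Version Number' is the Device Version field of the CEF header, and the sample lines (syslog header, vendor and product strings, event names) are constructed.

```python
import re

# Assumption: the page's "Version Number" is the CEF header's Device Version field.
SOURCE_BY_VERSION = {"1.0": "classic-ui-event", "2.0": "new-ui-alert"}

_FIELD = r"((?:\\.|[^|\\])*)"  # one header field; "\|" and "\\" are escapes
_CEF = re.compile(r"CEF:" + (_FIELD + r"\|") * 7 + r"(.*)$")
_EXT_KEY = re.compile(r"(?:^|\s)([\w.\-]+)=")  # start of each key=value pair
_NAMES = ("cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")


def _unescape(text, chars):
    """Drop the backslash in front of each escaped character in `chars`."""
    return re.sub(r"\\([%s])" % re.escape(chars), r"\1", text)


def parse_cef(line):
    """Parse one received syslog line; return None without a complete CEF header."""
    m = _CEF.search(line)
    if m is None:
        return None  # truncated or non-CEF line: reject rather than guess
    record = {n: _unescape(v, "|\\") for n, v in zip(_NAMES, m.groups())}
    record["syslog_header"] = line[:m.start()].strip()  # kept opaque, not parsed
    ext, pairs = m.group(8), {}
    keys = list(_EXT_KEY.finditer(ext))
    for i, k in enumerate(keys):
        # A value runs until the next key (values may contain spaces).
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        pairs[k.group(1)] = _unescape(ext[k.end():end].strip(), "=\\")
    record["extension"] = pairs
    record["source"] = SOURCE_BY_VERSION.get(record["device_version"], "unknown")
    return record


# Constructed sample lines (not captured Cyber Vision output).
SAMPLES = [
    r"<134>Jan  1 00:00:00 center CEF:0|Cisco|Cyber Vision|1.0|evt-1|Scan \| seen|3|src=10.0.0.5 msg=a\=b in flow",
    r"<134>Jan  1 00:00:00 center CEF:0|Cisco|Cyber Vision|2.0|alert-1|Alert raised|2|cat=sample",
    r"<134>Jan  1 00:00:00 center CEF:0|Cisco|Cyber Vision|2.0|cut off",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = parse_cef(s)
        print(r and (r["source"], r["name"], r["extension"]))
```

The syslog header is stored unparsed, so the same function accepts both the CEF and CEF Extended Time Precision formats; lines with an incomplete CEF header return None and can be counted as a forwarding health signal.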

What to do next

To export events using syslog, see Configure event export to syslog (Classic UI). To configure notifications for specific alert types, see Enable or disable syslog notifications for alert types (New UI).

Configure event export to syslog (Classic UI)

Manage which event categories Cisco Cyber Vision exports to syslog.

By default, events can be exported to syslog. Ensure that syslog is configured before enabling event export. If syslog is not configured, event export will not function.

To configure event export to syslog, use these steps.

Before you begin

Confirm that syslog destinations and configuration are set up in Cisco Cyber Vision.

Procedure


Step 1

In the Cyber Vision Classic UI, choose Admin > Events.

Step 2

Select the event categories to enable or disable for syslog export.

Step 3

Enable or disable Syslog export for the selected categories.


The selected event categories are now exported to syslog based on your configuration.

Enable or disable syslog notifications for alert types (New UI)

You can manage whether the Cyber Vision Center sends syslog notifications for alerts of specific alert types to your configured syslog server.

Follow these steps to enable or disable syslog notifications for an alert type:

Before you begin

  • Ensure you have administrator access to Cyber Vision Center.

  • Confirm that a syslog server is configured. See Configure syslog.

Procedure


Step 1

From the Cyber Vision New UI, choose Configuration > Alerts.

Step 2

Select an alert type.

Step 3

Enable or disable Syslog Notification.


When you enable syslog notifications in the Cyber Vision Center, you receive syslog messages on the configured syslog server whenever the system raises (or unmutes), clears, or mutes an alert.