Configure Syslog on the Appliance

You can configure syslog on the appliance to stream syslog messages directly from the enterprise firewall or proxy servers.

After the logs are streamed via syslog to the appliance, the syslog messages are written to a file in the /nslogs/user/upload/<parser-name> folder. The file is captured at the beginning of every hour with the file name format: parser name_month_day_hour_host.log. Due to processing time, the latest completed file is for the previous hour.

After the logs are processed, the extracted cloud app events will get uploaded to your tenant instance in the Netskope cloud. To check the status of the logs in the Netskope tenant UI, go to Settings > Risk Insights > Log > Upload. You can also check the status of the logs on the appliance using command line interface (CLI) commands.

Basic Setup

protocol specifies to use TCP or UDP. The default protocol is UDP and the default syslog port is 514.

Before setting the protocol, you must stop all processes that are running or in-flight.

Run the following command in operation mode.
```
log-upload stop
```
Run the following commands in configuration mode to enable syslog on the OPLP.
```
set log-upload syslogng protocol <TCP|UDP>
set log-upload syslogng noparse enable true
```
noparse enable true ensures the syslog message received from the firewall and/or proxy is written as-is and not truncated by the syslogng. If you are enabling syslog, we recommend that you enable this configuration.

Enable TLS for Log Upload via Syslog

You can configure syslog to upload logs to the OPLP using a TLS connection. TLS can only be enabled if the protocol is set to TCP. To enable TLS on syslogng you will require a server certificate and key.

Note

The appliance does not generate the server certificate and key.

Run the following commands in configuration mode to enable TLS for syslog.

set log-upload syslogng tls enable true
set log-upload syslogng tls server-cert
set log-upload syslogng tls server-key

Define the Log Source

Specifies what parser type to use for processing logs. For example, if you are uploading bluecoat proxy logs, choose logsource proxysg-http-main. Here are the valid options:

Note

These parser type names are case-sensitive must be entered exactly as they appear in this table.

asa	fortigate	proxysg	squid
asa-syslog	greenplum-bluecoat	proxysg-http-main	symantec-web-security
bro-ids	isa-splunk	proxysg-websense	trustwave
chkp	juniper-srx-structured-syslog	scansafe	websense
cisco-fwsm-syslog	mcafee	sensage	zscaler
cisco-wsa	netscreen-traffic	sfwder
cisco-wsa-syslog	panw	sonicwall-syslog
custom-csv	panw-syslog	sophos

add log-upload syslogng parserconfig
{server response should be} added index 0
set log-upload syslogng parserconfig 0 logsource <log-source>

Define Filters

Separate logs into different directories based on the data in the logs.

set log-upload syslogng parserconfig 0 filter message <message>
set log-upload syslogng parserconfig 0 filter name <filter name>

Define Macros

Defines which macro templates to use.

set log-upload syslogng parserconfig 0 macros <macros>

Define Parsers

Defines which parsers to use.

set log-upload syslogng parserconfig 0 parser <parser name> csv-parser columns (<comma separated column name>) delimiters (<delimiter characters>)

For example,

set log-upload syslogng parserconfig 0 parser panparser csv-parser columns (rserver, rtime, SNO) delimiters (chars(","))

Define Substitutions

Defines how to reformat the log files retrieved.

add log-upload syslogng parserconfig 0 rewrite substitute
set log-upload syslogng parserconfig 0 rewrite name <any substition name>
set log-upload syslogng parserconfig 0 rewrite substitute 0 flags <flag>

Note

This last command is optional. An example of a flag is global, ignore-case, etc.

set log-upload syslogng parserconfig 0 rewrite substitute 0 fromstring <fromstring>
set log-upload syslogng parserconfig 0 rewrite substitute 0 tostring <tostring>
set log-upload syslogng parserconfig 0 rewrite substitute 0 value message

Configure Syslog on the Appliance