Netskope Help

Configure Syslog on the Appliance

You can configure syslog on the appliance to stream syslog messages directly from the enterprise firewall or proxy servers. In configuration mode, the following commands can be used for enabling syslog on the appliance:

set log-upload syslogng protocol <TCP|UDP>
add log-upload syslogng parserconfig
{server response should be} added index 0

set log-upload syslogng parserconfig 0 logsource <log-source>
{server response should be} Configuration saved
Restarting log parsing service
  
set log-upload syslogng noparse enable true

Here are more details about each setting:

  • protocol: Specifies TCP or UDP.

  • port: The appliance receives syslog traffic on port 514.

  • logsource: Specifies what parser type to use for processing logs. For example, if you are uploading bluecoat proxy logs, choose logsource proxysg-http-main. Here are the valid options:

    Note

    These parser type names are case-sensitive and must be entered exactly as they appear in this table.

    asa                fortigate                      proxysg            squid
    asa-syslog         greenplum-bluecoat             proxysg-http-main  symantec-web-security
    bro-ids            isa-splunk                     proxysg-websense   trustwave
    chkp               juniper-srx-structured-syslog  scansafe           websense
    cisco-fwsm-syslog  mcafee                         sensage            zscaler
    cisco-wsa          netscreen-traffic              sfwder
    cisco-wsa-syslog   panw                           sonicwall-syslog
    custom-csv         panw-syslog                    sophos

  • noparse enable true: Ensures that syslog messages received from the firewall and/or proxy are written as-is and are not truncated by syslogng. If you are enabling syslog, we recommend that you enable this configuration.

After the logs are streamed via syslog to the appliance, the syslog messages are written to a file in the /nslogs/user/upload/<parser-name> folder. The file is captured at the beginning of every hour with the file name format: parser name_month_day_hour_host.log. Due to processing time, the latest completed file is for the previous hour.

After the logs are processed, the extracted cloud app events are uploaded to your tenant instance in the Netskope cloud. To check the status of the logs in the Netskope tenant UI, go to Settings > Risk Insights > Log > Upload. You can also check the status of the logs on the appliance using command-line interface (CLI) commands.

Enable TLS for Log Upload via Syslog

You can configure syslog to upload logs to the OPLP using a TLS connection. TLS can only be enabled if the protocol is set to TCP. To enable TLS on syslogng you will require a server certificate and key.

Note

The appliance does not generate the server certificate and key.

  • Run the following commands in configuration mode to enable TLS for syslog.

    set log-upload syslogng tls enable true
    set log-upload syslogng tls server-cert
    set log-upload syslogng tls server-key
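
To check the listener from a log-source host after applying the settings above, the following added example (not Netskope code) builds a constructed test line and sends it to port 514 over UDP, TCP, or TLS, refusing TLS unless the protocol is TCP and verifying the appliance's server certificate against the issuing CA. The RFC 3164-style line layout, the newline framing on TCP, the function names and the ca_file parameter are assumptions, not taken from this page.

```python
import socket
import ssl
from datetime import datetime

SYSLOG_PORT = 514  # listener port stated on this page


def build_line(host: str, tag: str, text: str, when: datetime, pri: int = 134) -> bytes:
    """Constructed RFC 3164-style test line; PRI 134 = local0.info (16*8 + 6)."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}: {text}".encode("utf-8")


def frame(line: bytes, protocol: str) -> bytes:
    """Assumed framing: newline-terminated on the TCP stream, bare datagram on UDP."""
    if b"\n" in line:
        raise ValueError("embedded newline would split the message on TCP")
    return line + b"\n" if protocol == "TCP" else line


def validate(protocol: str, tls: bool, ca_file: str) -> None:
    """Reject combinations the appliance settings do not allow."""
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    if tls and protocol != "TCP":
        raise ValueError("TLS can only be used when protocol is TCP")
    if tls and not ca_file:
        raise ValueError("TLS needs the CA file that issued the server certificate")


def send_test_line(appliance: str, line: bytes, protocol: str = "TCP",
                   tls: bool = False, ca_file: str = "") -> int:
    """Send one line to the appliance; returns the number of bytes written."""
    validate(protocol, tls, ca_file)
    payload = frame(line, protocol)
    if protocol == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(payload, (appliance, SYSLOG_PORT))
    with socket.create_connection((appliance, SYSLOG_PORT), timeout=10) as sock:
        if tls:
            # Default context verifies the chain and host name against ca_file only.
            ctx = ssl.create_default_context(cafile=ca_file)
            with ctx.wrap_socket(sock, server_hostname=appliance) as tls_sock:
                tls_sock.sendall(payload)
                return len(payload)
        sock.sendall(payload)
        return len(payload)
```

A certificate or host-name mismatch surfaces as an ssl.SSLCertVerificationError from the TLS path, which points at the server certificate loaded on the appliance rather than at the log source.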