Syslog Plugin for Log Shipper
This document explains how to configure the Syslog for CE and the Syslog plugins for the Log Shipper module to forward Netskope Cloud Exchange platform logs to a Syslog Server. The Syslog plugin collects Cloud Exchange logs and sends them to a Syslog server.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
- A Syslog Server configured to accept logs from Netskope Cloud Exchange.
Cloud Exchange Version Compatibility
This plugin is compatible with all the supported Netskope CE versions.
Syslog Plugin Support
This plugin is used to pull Cloud Exchange logs and share them with Syslog plugins.
Workflow
- Configure the Syslog for CE plugin.
- Configure the Syslog plugin.
- Configure the Log Shipper SIEM Mappings for Syslog.
- Validate the Syslog plugin.
Configure the Syslog for CE Plugin
- In Cloud Exchange, go to Settings and enable the Log Shipper module.
- Go to Log Shipper and click Plugins > Configure New Plugin.
- Select the Syslog for CE box to open the plugin creation dialog.
- Enter a Configuration Name.
- Click Next and enter these Configuration Parameters:
  - Log Types: The type of logs to fetch and push to your Syslog server. The possible values are: Information, Warning, and Error.
  - Initial Range (in days): The number of days to pull the log data for the initial run.
- Click Save.
Configure the Syslog Plugin
- In Cloud Exchange, go to Settings > Plugins.
- Search for and select the Syslog box to open the plugin creation pages.
- Enter a Configuration Name and select a Mapping file from the dropdown list, such as Syslog Default Mappings. Cloud Exchange uses the mapping file to translate Netskope field names to third-party field names.
- Click Next and enter these Configuration Parameters:
  - Syslog Server
  - Syslog Format
  - Syslog Protocol
  - Syslog Port
  - Syslog Certificate
  - Log Source Identifier
Note
The Syslog Certificate is only required if TLS is used for the Syslog Protocol.
Configure the Log Shipper SIEM Mappings for Syslog
- Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
- Select a Source Configuration (Syslog for CE plugin) and a Destination Configuration (Syslog plugin), and then select a business rule.
- Click Save.
Validate the Syslog Plugin
Validate the Pull
To validate that logs are being pulled from Netskope CE, go to Logging and search for the pulled logs.
Validate the Push
Go to Logging and search for ingested events with the filter message contains ingested.
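If no ingested events appear, the Syslog Server, Syslog Protocol, Syslog Port, and Syslog Certificate values can be checked independently of Cloud Exchange. The following probe is an added example, not part of the Netskope documentation or the plugin's code. It assumes the protocol choices are UDP, TCP, and TLS, that RFC 5424 framing is acceptable to the server, and that the Syslog Certificate is a PEM file able to validate the server's certificate; the function names are hypothetical.

```python
import socket
import ssl
from datetime import datetime, timezone


def build_message(log_source_id, text, facility=1, severity=6):
    """Build one RFC 5424 line. facility=1 (user), severity=6 (info) are assumed."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    # Assumption: the Log Source Identifier is carried in the APP-NAME field.
    return f"<{pri}>1 {ts} {socket.gethostname()} {log_source_id} - - - {text}"


def send_probe(server, port, protocol, log_source_id, ca_file=None, timeout=5.0):
    """Send one probe line to the syslog server and return the bytes sent.

    Raises OSError if the server is unreachable and ssl.SSLError (including
    ssl.SSLCertVerificationError) if the TLS handshake or validation fails.
    """
    protocol = protocol.upper()
    if protocol not in ("UDP", "TCP", "TLS"):
        raise ValueError(f"unsupported protocol: {protocol}")
    if protocol == "TLS" and not ca_file:
        raise ValueError("TLS requires the certificate file (PEM)")
    payload = (build_message(log_source_id, "pre-flight probe") + "\n").encode()

    if protocol == "UDP":
        # UDP is fire-and-forget: success here only means the datagram left
        # this host. Confirm arrival on the syslog server itself.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            return sock.sendto(payload, (server, port))

    with socket.create_connection((server, port), timeout=timeout) as raw:
        if protocol == "TCP":
            raw.sendall(payload)
            return len(payload)
        # Trust only the supplied certificate, not the system store, so the
        # handshake succeeds only if this file validates the server.
        ctx = ssl.create_default_context(cafile=ca_file)
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(payload)
            return len(payload)
```

Run it from the Cloud Exchange host with the same values entered in the plugin, for example `send_probe(server, 6514, "TLS", "netskopece", ca_file="syslog-ca.pem")`, where the port, identifier, and file name are constructed placeholders.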