Syslog - BlueCat Integrity - 9.6.0

VM Installation Guide

Locale: English
Product name: BlueCat Integrity
Version: 9.6.0

When you configure the syslog service, the content redirected to a remote syslog server might be more verbose than the syslog file written locally on DNS/DHCP Server, because DNS/DHCP Server filters the content that it writes to the local syslog file.

Example

#cloud-config
# The tls server below sets useRFC5424 and withIsoTimestamp to true, as the tls transport requires.
bluecat_service_config:
    payload: |
        {
            "version": "1.2.0",
            "server-version": "9.5.0-XXX.GA.bcn",
            "services": {
                "syslog": {
                    "configurations": [
                        {
                            "syslogConfiguration": {
                                "version": "2.0",
                                "withIsoTimestamp": false,
                                "servers": [
                                    {
                                        "ip": "10.10.10.10",
                                        "transport": "tls",
                                        "port": 514,
                                        "level": "info",
                                        "serviceTypes": [
                                            "dhcp",
                                            "dns",
                                            "others"
                                        ],
                                        "useRFC5424": true,
                                        "withIsoTimestamp": true,
                                        "tlsSettings": {
                                            "peerVerify": "optional-untrusted",
                                            "caCert": "-----BEGIN CERTIFICATE-----\n<certificate content>\n-----END CERTIFICATE-----\n"
                                        }
                                    },
                                    {
                                        "ip": "10.10.10.15",
                                        "transport": "udp",
                                        "port": 514,
                                        "level": "crit",
                                        "serviceTypes": [
                                            "dhcp"
                                        ],
                                        "useRFC5424": true,
                                        "withIsoTimestamp": true
                                    },
                                    {
                                        "ip": "10.10.10.20",
                                        "transport": "tcp",
                                        "port": 514,
                                        "level": "error",
                                        "serviceTypes": [
                                            "dns"
                                        ],
                                        "useRFC5424": false,
                                        "withIsoTimestamp": true
                                    }
                                ],
                                "arcsight": {
                                    "enable": true,
                                    "ip": "1.1.1.1"
                                },
                                "qradar": {
                                    "enable": true,
                                    "ip": "2.2.2.2"
                                }
                            }
                        }
                    ]
                }
            }
        }
Parameters
  • version—enter the syslog configuration schema version.
  • withIsoTimestamp—set to true to use the ISO 8601 timestamp format for locally logged messages; set to false if you do not want to use the ISO 8601 timestamp format for locally logged messages. The format is as follows: YYYY-MM-DDTHH:mm:ss+-ZONE. For example, 2022-10-13T15:58:00+01:00.

    If you set this value to false, locally logged messages use the legacy BSD timestamp.

  • servers—enter the configuration information for syslog redirection to a syslog server.
    • ip—enter the IP address of the syslog server.
    • transport—enter the transport protocol used for syslog redirection. The value must be tcp, udp, or tls.
      If you enter tls, enter the following additional fields:
      • peerVerify—set the verification method of the remote peer. The connection is TLS-encrypted in every case; the setting controls only which certificate the remote peer must present. You can set one of the following values:
        • required-trusted—the remote peer must present a valid certificate.
        • required-untrusted—the remote peer must present a certificate, which can be valid or invalid.
        • optional-trusted—the remote peer can present no certificate or a valid certificate.
        • optional-untrusted—the remote peer can present no certificate, an invalid certificate, or a valid certificate.
          Only required-trusted guarantees that the syslog server presented a certificate that validates against caCert; the other settings accept a peer with no certificate or with a certificate that is not validated.
          Note: If you set the peerVerify method to optional-untrusted, the CA certificate is optional.
      • caCert—enter the content of the CA certificate used to verify the server certificate during the TLS handshake. The caCert must be in PEM format.
      • clientCert—(Optional) enter the content of the client certificate to use for authentication. The client certificate must be in PEM format.
      • clientPrivateKey—(Optional) enter the content of the client private key to use for authentication. The client private key must be in PEM format and must not be password-protected.
        Attention: If you enter a clientCert, you must also enter a clientPrivateKey.
      Note: If you select tls as the transport protocol, you must also set useRFC5424 and withIsoTimestamp to true.
    • port—enter the port used for syslog redirection.
    • level—enter the logging level that is sent to the syslog server. The logging level can be one of the following:
      • info—informational messages of system events.
      • notice—indicates normal but significant conditions within the system.
      • warning—indicates warning conditions within the system.
      • err—indicates error conditions within the system.
      • crit—indicates critical conditions within the system.
      • alert—indicates that action must be taken immediately.
      • emerg—indicates that the system is unusable.
    • serviceTypes—select the services for which syslog messages are sent to this server. The array must contain one or more of dhcp, dns, and others.
    • useRFC5424—set to true to use the RFC5424 syslog protocol for syslog messages; set to false if you do not want to use the RFC5424 syslog protocol for syslog messages. For more information on RFC5424, refer to https://datatracker.ietf.org/doc/rfc5424/.

      If you set this value to false, syslog messages use the legacy BSD RFC 3164 syslog protocol. For more information on RFC 3164, refer to https://datatracker.ietf.org/doc/rfc3164/.

    • withIsoTimestamp—set to true to use the ISO 8601 timestamp format for syslog messages; set to false if you do not want to use the ISO 8601 timestamp format for syslog messages redirected to a remote syslog server. The format is as follows: YYYY-MM-DDTHH:mm:ss+-ZONE. For example, 2022-10-13T15:58:00+01:00.
      Attention:
      • If you set useRFC5424 to true, you must also set withIsoTimestamp to true.
      • If you set this value to false, syslog messages use the legacy BSD timestamp.
  • arcsight—enter the configuration information for syslog redirection to ArcSight.
    • enable—set to true to enable syslog redirection to ArcSight; set to false to disable syslog redirection to ArcSight.
    • ip—enter the IPv4 or IPv6 address of the ArcSight server.
  • qradar—enter the configuration information for syslog redirection to QRadar.
    • enable—set to true to enable syslog redirection to QRadar; set to false to disable syslog redirection to QRadar.
    • ip—enter the IPv4 or IPv6 address of the QRadar server.
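The parameter rules above (allowed transports, levels and serviceTypes; tls requiring RFC 5424 with ISO timestamps and a tlsSettings block; caCert required unless peerVerify is optional-untrusted; clientCert requiring clientPrivateKey) are easy to get wrong in a hand-written payload. The following validator is an added example, not BlueCat code, and the three-server sample payload it checks is constructed here, not taken from the page; it flags every documented violation and also warns when peerVerify is anything other than required-trusted, since only that setting forces the syslog server to present a validated certificate.

```python
import json
# Documented value sets for a servers[] entry of the syslog service payload.
TRANSPORTS = {"tcp", "udp", "tls"}
LEVELS = {"info", "notice", "warning", "err", "crit", "alert", "emerg"}
SERVICE_TYPES = {"dhcp", "dns", "others"}
PEER_VERIFY = {"required-trusted", "required-untrusted", "optional-trusted", "optional-untrusted"}

def check_server(idx, srv):
    """Return the documented constraints that one servers[] entry violates."""
    tag, bad = f"servers[{idx}] ({srv.get('ip', '?')})", []
    if srv.get("transport") not in TRANSPORTS:
        bad.append(f"{tag}: transport must be tcp, udp or tls")
    if srv.get("level") not in LEVELS:
        bad.append(f"{tag}: level {srv.get('level')!r} is not a documented level")
    if not srv.get("serviceTypes") or not set(srv["serviceTypes"]) <= SERVICE_TYPES:
        bad.append(f"{tag}: serviceTypes must be a non-empty subset of dhcp/dns/others")
    if srv.get("useRFC5424") and not srv.get("withIsoTimestamp"):
        bad.append(f"{tag}: useRFC5424=true requires withIsoTimestamp=true")
    if srv.get("transport") == "tls":
        if not (srv.get("useRFC5424") and srv.get("withIsoTimestamp")):
            bad.append(f"{tag}: tls requires useRFC5424=true and withIsoTimestamp=true")
        tls = srv.get("tlsSettings", {})
        pv = tls.get("peerVerify")
        if pv not in PEER_VERIFY:
            bad.append(f"{tag}: tlsSettings.peerVerify is missing or invalid")
        elif pv != "required-trusted":  # only required-trusted demands a validated peer certificate
            bad.append(f"{tag}: peerVerify={pv} does not require a validated peer certificate")
        if pv != "optional-untrusted" and "caCert" not in tls:
            bad.append(f"{tag}: caCert is required unless peerVerify is optional-untrusted")
        if "clientCert" in tls and "clientPrivateKey" not in tls:
            bad.append(f"{tag}: clientCert requires clientPrivateKey")
    return bad

def validate_payload(payload_json):
    """Run check_server over every server in the payload; returns all problems found."""
    cfg = json.loads(payload_json)
    return [p for entry in cfg["services"]["syslog"]["configurations"]
            for i, srv in enumerate(entry["syslogConfiguration"].get("servers", []))
            for p in check_server(i, srv)]

# Constructed sample payload (not from the page): two flawed servers and one clean one.
SAMPLE_PAYLOAD = json.dumps({"version": "1.2.0", "services": {"syslog": {"configurations": [{
    "syslogConfiguration": {"version": "2.0", "withIsoTimestamp": True, "servers": [
        {"ip": "10.0.0.1", "transport": "tls", "port": 6514, "level": "info", "serviceTypes": ["dns"],
         "useRFC5424": False, "withIsoTimestamp": False,
         "tlsSettings": {"peerVerify": "optional-untrusted", "clientCert": "<pem>"}},
        {"ip": "10.0.0.2", "transport": "udp", "port": 514, "level": "error", "serviceTypes": ["dhcp"],
         "useRFC5424": True, "withIsoTimestamp": False},
        {"ip": "10.0.0.3", "transport": "tcp", "port": 514, "level": "crit", "serviceTypes": ["dns"],
         "useRFC5424": True, "withIsoTimestamp": True}]}}]}}})
```

Running `validate_payload(SAMPLE_PAYLOAD)` reports three problems for the tls server, two for the udp server, and none for the tcp server.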