Adding Syslog Notifications

Many networks today use a centralized log aggregation tool to collect and view data across the enterprise. Sandfly is designed to work with these tools to send alerts over syslog.

Sandfly Sends Rich Structured Data to Syslog

The syslog alerts Sandfly sends are rich structured data: Sandfly sends the same information to the syslog destination that you would see natively in the Sandfly UI. This means you can set Sandfly up to monitor your hosts and use your existing monitoring tools to view alerts, without needing to open the Sandfly UI except for Sandfly configuration tasks.

Even further, the data Sandfly sends contains extended attributes that let you search on a variety of fields, such as the status of the alert, the alert type, and other important pieces of information.

TIP: Generate Test Alerts To See Syslog Output

Once you have set Sandfly up to send syslog output, it is useful to generate some alerts so that Sandfly sends them to your syslog destination and you can confirm it is working.

If you want to do a quick test, go onto a host and run the following command:

mkdir /tmp/...

This creates a suspicious directory under /tmp named "...".

When you run Sandfly against this host you will see an alert activation for a suspicious directory under /tmp. This alert will be sent to your syslog server if you set it up correctly.

After you see this alert, be sure to run rmdir /tmp/... to remove the directory, or you will get repeated alarms from Sandfly about the suspicious entry.

Adding a Syslog Destination

Adding a syslog destination is simple. Click on the Add Syslog button on the Notifications page, then enter the following information into its form:

  • Name - A human-readable reference name describing this syslog destination.
  • Hostname - Hostname or IP address of the syslog destination.
  • UDP Port - The syslog UDP port (default is 514).
  • Data Options - Choose between sending all results or only alarm and error results, excluding passes.

IMPORTANT: Allow Syslog UDP Port Access

Be sure the packet filter on the syslog system allows UDP traffic on the configured port from the Sandfly server, or you will not see any syslog data.

Click the Finish button and the syslog destination will now be active.


Syslog Config Information

PRI

Sandfly uses the following settings for Facility and Severity when transmitting syslog notifications:

Facility: local0 ("local use 0", numerical code 16)

Severity:

  • err ("Error", numerical code 3) for Sandfly Alerts
  • warn ("Warning", numerical code 4) for Sandfly Errors
  • info ("Informational", numerical code 6) for Sandfly Passes
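The facility and severity above combine into the syslog PRI header (PRI = facility * 8 + severity), which is what a receiver sees first and can route on. The following is an added example, not Sandfly's own code: it computes the PRI values Sandfly would send and classifies received lines by decoding the PRI. The message bodies after the PRI are constructed samples, not real Sandfly output.

```python
# Added example (not Sandfly's code): compute and decode the syslog PRI
# values implied by the facility/severity settings documented above, so a
# receiver can route Sandfly alerts, errors and passes by severity.
import re
from typing import List, Optional, Tuple

FACILITY_LOCAL0 = 16                              # "local use 0"
SEVERITY = {"alert": 3, "error": 4, "pass": 6}    # err, warning, info

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def pri(result_type: str) -> int:
    """PRI for a Sandfly result type: facility * 8 + severity."""
    return FACILITY_LOCAL0 * 8 + SEVERITY[result_type]


def decode_pri(value: int) -> Tuple[int, int]:
    """Split a PRI value back into (facility, severity)."""
    return value // 8, value % 8


def classify(line: str) -> Optional[str]:
    """Return 'alert', 'error' or 'pass' for a Sandfly local0 message,
    or None for anything not matching Sandfly's facility/severity usage."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    if facility != FACILITY_LOCAL0:
        return None  # another facility; not a Sandfly notification
    for name, sev in SEVERITY.items():
        if sev == severity:
            return name
    return None


# Constructed sample lines: the PRI prefixes are real values Sandfly
# would emit; the text after them is illustrative only.
SAMPLE_LINES = [
    "<131>Sandfly: alert result (constructed body)",
    "<132>Sandfly: error result (constructed body)",
    "<134>Sandfly: pass result (constructed body)",
    "<13>cron: unrelated daemon message (user.notice)",
]


def count_by_type(lines: List[str]) -> dict:
    """Tally lines per Sandfly result type; non-Sandfly lines go to 'other'."""
    counts = {"alert": 0, "error": 0, "pass": 0, "other": 0}
    for line in lines:
        counts[classify(line) or "other"] += 1
    return counts


if __name__ == "__main__":
    print(count_by_type(SAMPLE_LINES))
```

With the "alarm and error results only" data option selected, a receiver filtering on PRI 131 and 132 (local0.err and local0.warning) sees everything Sandfly sends, while passes would arrive as PRI 134 (local0.info).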