2.6.4. Syslog servers
2.6.4.1. Introduction
The Syslog protocol enables the export of detection-related data from the GCenter to remote Syslog servers.
Examples of remote servers:
A SIEM
A Splunk SIEM
ETL Logstash
The number of Syslog servers is limited to two.
The data to be exported can be:
Alerts or
Alerts and metadata
This data can be filtered in the Filtering Parameters screen.
Note
No GCenter or GCap system data is affected by this export.
Finally, the data can be encrypted in transit; this encryption is configured in the Encryption screen.
For details on data management, see Data use.
2.6.4.2. SIEM
To connect the GCenter to a SIEM, it must be defined as a Syslog server in the `Admin-GCenter-Data exports` screen of the legacy web UI.
For implementation, see the Export data to a SIEM via the syslog protocol.
2.6.4.3. SIEM Splunk
To connect the GCenter to a Splunk SIEM, the SIEM must be defined as a Syslog server in the `Admin-GCenter-Data exports` screen of the legacy web UI.
For implementation, see the Export data to a SPLUNK SIEM via the syslog protocol.
2.6.4.4. Logstash
To connect the GCenter to the Logstash ETL, it must be defined as a Syslog server in the `Admin-GCenter-Data exports` screen of the legacy web UI.
A pipeline developed by Gatewatcher makes it possible to retrieve the JSON content of the exported logs so that it can then be manipulated with the Logstash filters.
For implementation, see the Export data to an ETL Logstash via the syslog protocol.
Note
It is possible to quickly create a POC (Proof of Concept).
For implementation, see the Quick creation of a POC Logstash.
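The Logstash section above says the exported logs arrive over syslog with a JSON body that a pipeline then extracts for filtering. The following is an added example, not Gatewatcher's pipeline or any GCenter code, showing the receiving side of that idea in Python: it parses the syslog framing, decodes the JSON body, and routes each record to an alerts or metadata bucket while counting lines it cannot decode. The message layout is an assumption (RFC 5424 header followed by a JSON object whose "type" key is "alert" or "metadata"); the sample lines are constructed, not captured from a GCenter.

```python
"""Parse syslog lines carrying JSON payloads and split alerts from metadata.

Added example, not Gatewatcher code. The GCenter export layout is an
assumption: RFC 5424 framing with a JSON object as the MSG part and a
"type" key distinguishing alerts from metadata.
"""
import json
import re
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
    r"(?P<sd>-|(?:\[[^\]]*\])+)\s*(?P<msg>.*)$"
)

# Constructed sample export lines (assumed format, not captured from a GCenter).
SAMPLE_LINES = [
    '<134>1 2024-01-01T12:00:00Z gcenter-hostname gcenter - - - '
    '{"type": "alert", "severity": 1, "signature": "constructed test signature", "src_ip": "10.0.0.5"}',
    '<134>1 2024-01-01T12:00:01Z gcenter-hostname gcenter - - - '
    '{"type": "metadata", "proto": "dns", "query": "example.test"}',
    '<134>1 2024-01-01T12:00:02Z gcenter-hostname gcenter - - - plain text, not JSON',
]


def parse_syslog_line(line: str) -> Optional[dict]:
    """Return the header fields plus decoded facility/severity, or None if the framing is wrong."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:  # PRI is facility*8 + severity with facilities 0..23, so 191 is the maximum
        return None
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    return fields


def extract_json(msg: str) -> Optional[dict]:
    """Decode the MSG part as a JSON object; anything else is rejected rather than guessed at."""
    try:
        obj = json.loads(msg)
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def split_export(lines):
    """Route each line into alerts, metadata, or rejected (bad framing or non-JSON body)."""
    alerts, metadata, rejected = [], [], []
    for line in lines:
        hdr = parse_syslog_line(line)
        payload = extract_json(hdr["msg"]) if hdr else None
        if payload is None:
            rejected.append(line)
            continue
        record = {
            "host": hdr["host"],
            "ts": hdr["ts"],
            "facility": hdr["facility"],
            "syslog_severity": hdr["severity"],
            **payload,
        }
        (alerts if payload.get("type") == "alert" else metadata).append(record)
    return alerts, metadata, rejected


if __name__ == "__main__":
    a, m, r = split_export(SAMPLE_LINES)
    print(f"alerts={len(a)} metadata={len(m)} rejected={len(r)}")
```

The rejected bucket is worth keeping and graphing: a sudden rise in undecodable lines usually means the export format or a filter changed upstream, and silently dropping them would hide a gap in detection coverage.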