2.6.4. Syslog servers

2.6.4.1. Introduction

The Syslog protocol enables the export of detection-related data from the GCenter to remote Syslog servers.
Examples of remote servers:
  • A SIEM

  • A Splunk SIEM

  • The Logstash ETL

The number of Syslog servers is limited to two.
The data to be exported can be:
  • Alerts or

  • Alerts and metadata

This data can be filtered in the Filtering Parameters screen.

Note

No GCenter or GCap system data is affected by this export.

Finally, the data can be encrypted in transit; this encryption is configured in the Encryption screen.
For details on data management, see Data use.

2.6.4.2. SIEM

To connect the GCenter to a SIEM, the SIEM must be defined as a Syslog server in the `Admin-GCenter-Data exports` screen of the legacy web UI.

2.6.4.3. SIEM Splunk

To connect the GCenter to a Splunk SIEM, the SIEM must be defined as a Syslog server in the `Admin-GCenter-Data exports` screen of the legacy web UI.

2.6.4.4. Logstash

To connect the GCenter to the Logstash ETL, Logstash must be defined as a Syslog server in the `Admin-GCenter-Data exports` screen of the legacy web UI.
A pipeline developed by Gatewatcher retrieves the JSON content of the exported logs so that it can then be manipulated with the Logstash filters.

Note

It is possible to quickly create a POC (Proof of Concept).
For implementation, see Quick creation of a POC Logstash.
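The following is an added example of the kind of pipeline described above, written here for this page and not Gatewatcher's own pipeline: it receives the Syslog export, lifts the JSON body of each record into a `gcenter` sub-document so that ordinary Logstash filters can work on its fields, and quarantines records whose body does not parse. The listening port (5514), the RFC 3164 framing expected by the `syslog` input, and the index names are assumptions; the field layout of GCenter events is not described on this page and is left untouched.

```logstash
input {
  # Assumption: the GCenter Syslog server entry points at this host on TCP/UDP 5514.
  # The syslog input parses an RFC 3164 header (priority, timestamp, host, program)
  # and leaves the remaining body, expected to be JSON, in the "message" field.
  # A record whose header does not match is tagged _grokparsefailure_sysloginput.
  syslog {
    port => 5514
    type => "gcenter"
  }
}

filter {
  if [type] == "gcenter" {
    # Parse the JSON body into its own sub-document instead of merging its keys
    # into the top level, where they could collide with syslog header fields.
    json {
      source => "message"
      target => "gcenter"
    }

    if "_jsonparsefailure" in [tags] or "_grokparsefailure_sysloginput" in [tags] {
      # Malformed records are kept, not dropped: a gap in the export is itself
      # something a defender wants to notice. Route them to a quarantine index.
      mutate { add_field => { "[@metadata][index]" => "gcenter-unparsed" } }
    } else {
      mutate { add_field => { "[@metadata][index]" => "gcenter-events" } }
      # The raw line is redundant once parsed; removing it halves stored volume.
      mutate { remove_field => [ "message" ] }
    }
  }
}

output {
  # For a POC, print every event with its @metadata so the routing decision is
  # visible; in production replace this with an elasticsearch {} output that
  # uses "%{[@metadata][index]}" as the index name.
  stdout { codec => rubydebug { metadata => true } }
}
```

Send a few exported records from the GCenter to port 5514 and check that well-formed ones appear under `gcenter-events` with a populated `gcenter` sub-document, while deliberately truncated lines land under `gcenter-unparsed`.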