When configuring a "Log to Syslog Server" Response Rule in DLP you may want to configure the message outgoing to your Syslog server to be formatted in CEF (Common Event Format). This article describes how to achieve this in a few steps.
Release : 15.8, 16.0
Format of the message is specified manually. To match a specific format, such as CEF, it needs to be manually configured to match it.
1. In the Enforce Console, navigate to Manage -> Policies -> Repose Rules
2. Create a response rule and add action "Log to Syslog Server", or edit an existing response rule with the action already configured.
3. Specify the Host, Port, Protocol and TLS Client authentication when applicable
4. Populate the Message field with a CEF formatted entry. You can use the example below, or use it as a base line for your own, depending on what information you want to reach the Syslog server.
The CEF:0 in the beginning of the message is a common CEF prefix and it will be used by the Syslog server to identify the message as CEF. The remainder of the example message contains a couple static fields, such as "Broadcom", "DLP, or "16.0". You may modify those as needed. The rest of the message consists of common Incident variables. $VARIABLE_NAME$ will be replaced by actual data from the incident as the message is sent out to the Syslog server.
CEF:0|Broadcom|DLP|16.0|ruleID|$POLICY$|5|INCIDENT_ID=$INCIDENT_ID$ APPLICATION_USER=$APPLICATION_USER$ ENDPOINT_MACHINE=$ENDPOINT_MACHINE$ ENDPOINT_USERNAME=$ENDPOINT_USERNAME$ MACHINE_IP=$MACHINE_IP$ SEVERITY=$SEVERITY$ BLOCKED=$BLOCKED$
5. Specify the level (severity) of the message.
6. Save the changes and add the response rule to a Policy.