5 Replies Latest reply on Jul 20, 2017 8:07 AM by ricardoworth1

    Sending with Syslog

    gregory25 Rookie

      I know that there was an upgrade in the new Ivanti 2017 package that made it possible for us to send Antivirus information with the use of Syslog. Is there any documentation on this and how to go about it?

        • 1. Re: Sending with Syslog
          phoffmann SupportEmployee

          That's an enhancement to alerting in general - nothing specific to AV.


          It's a new action in the alerting module entirely -- see the screenshot here to help guide you:


          The rest is just choosing what kind of alerts you want this to trigger off of.

          • 2. Re: Sending with Syslog
            gregory25 Rookie

            Ok I see, Thank you!! I will take a look at that.

            • 3. Re: Sending with Syslog
              JeremyG Apprentice

              Can you clarify a few things about this?  Prepping for our 2017 upgrade, and this is a huge win with our security team:


              • Are the syslogs sent direct from the agent? Or from the Core Server?
              • Is it using TCP or UDP syslog? Standard ports?
              • Are there any definitions associated with this for our SIEM to be able to interpret them?
              • 4. Re: Sending with Syslog
                phoffmann SupportEmployee

                Any alerting action would be from the side of the Core server (clients send data / alerts -- Core is the one that knows how to respond / what to do).


                In regards to the other items -- don't know. Haven't played with that (don't have a SIEM server or so) ... so can't answer those things. Sorry.

                • 5. Re: Sending with Syslog
                  ricardoworth1 Rookie

                  We are also trying to figure this out as well. Our SIEM is able to ingest syslog via UDP/TCP on the standard ports, but needing an HTTP destination for syslog does not seem to work. If anyone has had any success with sending them via syslog to their SIEM (specifically QRadar), I'd love to know how you have gotten it to work.
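Two questions in this thread (which transport and port the Core uses, and whether the SIEM can interpret what arrives) are easiest to settle by catching a test alert on a listener and parsing it the way a SIEM would. The following is an added example written for this thread; it is not Ivanti code and the thread does not show the real message format. It assumes only what the posts state, namely that the Core server is the sender and the SIEM listens on the standard syslog port (514). The two sample messages, the hostnames, the `epm-core` application name and the alert text are constructed placeholders. The parser handles both RFC 5424 (versioned header) and the older RFC 3164/BSD layout and decodes the PRI field into facility and severity, which is the minimum a SIEM needs to classify the event.

```python
"""Receive one syslog datagram and parse it the way a SIEM would.

Added example for verifying alert forwarding to a SIEM. The sample messages,
hostnames and application name below are constructed placeholders, not the
output of any particular product.
"""
import re
import socket
from dataclasses import dataclass

# Severity/facility names per RFC 5424 section 6.2.1 (indexes match numeric codes).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
    + [f"local{i}" for i in range(8)]

# Constructed samples: one RFC 5424 message and one RFC 3164 (BSD) message.
SAMPLE_5424 = (b"<14>1 2017-07-20T08:07:00Z core01.example.com epm-core - AV001 - "
               b"Antivirus definitions out of date on WS-042")
SAMPLE_3164 = b"<13>Jul 20 08:07:00 core01 epm-core[4242]: Antivirus definitions out of date on WS-042"


@dataclass
class SyslogMessage:
    rfc: str          # "5424" or "3164"
    facility: str
    severity: str
    timestamp: str
    hostname: str
    app_name: str
    message: str


# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$", re.DOTALL)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$",
    re.DOTALL)
_TAG = re.compile(r"^(?P<tag>[^\s:\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$", re.DOTALL)


def decode_pri(pri: int) -> tuple[str, str]:
    """Split the PRI value (facility * 8 + severity) into names; reject out-of-range values."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog(raw: bytes) -> SyslogMessage:
    """Parse a single syslog message, trying RFC 5424 first, then RFC 3164."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _RFC5424.match(text)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMessage("5424", fac, sev, m["ts"], m["host"], m["app"], m["msg"] or "")
    m = _RFC3164.match(text)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        tag = _TAG.match(m["rest"])
        app, msg = (tag["tag"], tag["msg"]) if tag else ("-", m["rest"])
        return SyslogMessage("3164", fac, sev, m["ts"], m["host"], app, msg)
    raise ValueError(f"not a recognised syslog message: {text[:60]!r}")


def receive_udp(port: int = 514, bind: str = "0.0.0.0", timeout: float = 60.0) -> SyslogMessage:
    """Wait for one UDP datagram (e.g. a test alert fired from the Core) and parse it.

    Binding port 514 needs elevated privileges on most systems; pick a high
    port on the listener side if the sender lets you choose the destination port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind, port))
        data, _peer = sock.recvfrom(65535)
    return parse_syslog(data)


if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        print(parse_syslog(sample))
```

Running the module parses the two constructed samples; pointing the alerting action at the host running `receive_udp()` answers the transport and port questions directly, and the parsed `facility`/`severity`/`app_name` fields show whether the SIEM's generic syslog parser will already classify the event or whether a custom log source type is needed.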