Syslog Sender

Overview


Use the Syslog Sender integration to send messages and mirror incident War Room entries to Syslog.

Use Cases


  • Send messages to Syslog via TCP or UDP.
  • Mirror incident war room entries to Syslog.

Configure Syslog Sender on Demisto


Usage example for rsyslog

To allow sending messages to rsyslog via Demisto, the following lines have to be in the rsyslog configuration:

For TCP:

module(load="imtcp")
input(type="imtcp" port="<port>")

For UDP:

module(load="imudp")
input(type="imudp" port="<port>")

Integration configuration

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Syslog Sender.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • IP Address (e.g. 127.0.0.1)
    • Port
    • Protocol (TCP / UDP)
    • Minimum severity of incidents to send messages on
    • Log level to send
    • Facility
    • Long running instance. Required for investigation mirroring.
    • Incident type
  4. Click Test to validate the URLs, token, and connection.

Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. mirror-investigation
  2. send-notification
  3. syslog-send

1. mirror-investigation


Mirrors the investigation's War Room to syslog.

Base Command

mirror-investigation

Input
Argument Name | Description | Required
type | The mirroring type. Can be "all", which mirrors everything, "chat", which mirrors only chats (not commands), or "none", which stops all mirroring. | Optional
Context Output

There is no context output for this command.

Command Example

!mirror-investigation

Human Readable Output

Investigation mirrored successfully.

2. send-notification


Sends a message to syslog.

Base Command

send-notification

Input
Argument Name | Description | Required
message | The message content. | Optional
entry | An entry ID to send as a link. | Optional
ignoreAddURL | Whether to include a URL to the relevant component in Demisto. Can be "true" or "false". The default value is "false". | Optional
level | Log level to send. Can be "DEBUG", "INFO", "WARNING", "ERROR", or "CRITICAL". | Optional
Context Output

There is no context output for this command.

Command Example

!send-notification message=Test ignoreAddURL=true

Human Readable Output

Message sent to Syslog successfully.

3. syslog-send


Sends a message to Syslog.

Base Command

syslog-send

Input
Argument Name | Description | Required
message | The message content. | Optional
level | The log level to send. Can be "DEBUG", "INFO", "WARNING", "ERROR", or "CRITICAL". | Optional
address | The Syslog server address. | Optional
protocol | The protocol to use. | Optional
port | The Syslog server port (required for TCP or UDP protocols). | Optional
facility | The Syslog facility. | Optional
Context Output

There is no context output for this command.

Command Example

!syslog-send address=127.0.0.1 port=514 protocol=TCP message=yo level=ERROR

Human Readable Output

Message sent to Syslog successfully.
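As an added example (not the integration's own code), the following Python script shows what the level, facility and protocol arguments of syslog-send and send-notification produce on the wire for the rsyslog imtcp/imudp inputs configured above. The severity and facility numbers are the RFC 5424 codes, and the hostname "demisto" and app name "SyslogSender" are placeholders of mine.

```python
import socket
from datetime import datetime, timezone

# RFC 5424 severity codes for the five "level" values the integration accepts
# (my mapping, not taken from the integration's source).
LEVEL_TO_SEVERITY = {"DEBUG": 7, "INFO": 6, "WARNING": 4, "ERROR": 3, "CRITICAL": 2}
# Standard facility codes; local0-local7 are the usual choice for application logs.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "authpriv": 10}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})

def priority(facility: str, level: str) -> int:
    """PRI value that opens every syslog record: facility * 8 + severity."""
    return FACILITIES[facility.lower()] * 8 + LEVEL_TO_SEVERITY[level.upper()]

def sanitize(message: str) -> str:
    """Collapse CR/LF: rsyslog's imtcp frames records on newline, so a message
    containing a newline would otherwise forge a second record on the server."""
    return message.replace("\r", " ").replace("\n", " ")

def build_message(message, level="INFO", facility="user", hostname="demisto",
                  app="SyslogSender", timestamp=None) -> bytes:
    """Encode one RFC 5424 record: <PRI>1 TIMESTAMP HOSTNAME APP-NAME - - - MSG."""
    ts = (timestamp or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = f"<{priority(facility, level)}>1 {ts} {hostname} {app} - - - {sanitize(message)}"
    return line.encode("utf-8")

def send(message, address, port, protocol="UDP", level="INFO", facility="user") -> int:
    """Deliver one record over the transport the integration's Protocol setting selects."""
    payload = build_message(message, level, facility)
    if protocol.upper() == "UDP":
        # One datagram per record; nothing tells you whether it arrived.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(payload, (address, port))
    elif protocol.upper() == "TCP":
        # Newline framing matches the imtcp default; a connect or send error
        # is the only delivery signal you get.
        with socket.create_connection((address, port), timeout=5) as sock:
            sock.sendall(payload + b"\n")
    else:
        raise ValueError(f"unsupported protocol: {protocol}")
    return len(payload)

if __name__ == "__main__":
    # Same call as the page's example: address=127.0.0.1 port=514 protocol=TCP message=yo level=ERROR
    print(send("yo", "127.0.0.1", 514, protocol="TCP", level="ERROR"))
```

With the page's example call, the receiving rsyslog input sees a record beginning with <11> (facility user = 1, severity ERROR = 3).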

Troubleshooting


Make sure you can access the Syslog server on the provided IP address and that the port is open. If you're experiencing further issues, contact us at support@demisto.com.

Demo Video