Note: Because of how Syslog delivery works, it can take up to 10 minutes after setup for the Syslog Ingester to become active.
A Syslog Ingester receives log data from devices in your environment over the Syslog protocol. ThreatLocker now lets you deploy a Syslog Ingester directly onto a machine in your organization; the Ingester collects the Syslog messages it receives and sends them to the Unified Audit, so administrators can view and interpret that data in the same place as the rest of their audit data.
Creating an Ingester Group
To create and download a Syslog Ingester, the first step is to create a new computer group in your organization. To do this, navigate to the 'Devices' page using the left side of the portal.
Select the 'Groups' tab in the top right corner of the 'Devices' page.
On the 'Groups' page, select the '+ Computer Group' button in the left corner.
A side panel titled 'Create Computer Group' will now open. From here, insert a 'Computer Group Name'. For this example, we will name the Computer Group 'Syslog'.
Next, select the dropdown menu under 'Computer Group Type' and select 'Ingester'.
The Heartbeat Interval can be changed from the default of 60 seconds, but this is not necessary. Once all information has been entered, select the 'Create' button at the bottom of the page.
Your Syslog Ingester group should now be fully set up.
Installing the Syslog Ingester
Once your Group has been created, select the 'Install Computer' button. This button can be found in the top right corner of every page of the ThreatLocker portal.
It can also be found in the top left corner of the 'Devices' page.
Once selected, a pop-up window titled 'Download Installer' will open. Keep the 'Select your deployment method' dropdown on 'Manual Deployment' from here. In the 'Computer Group' dropdown, select your newly created Ingester Group.
Selecting a group identified as an 'Ingester' will provide you with a button to begin the download for the 'Ingester Installer'. Select this button to download the Ingester.
Run the installer file on the machine as you would any other ThreatLocker installer. Once the installation has finished and the stub installer is in place, your Syslog Ingester will appear on the 'Devices' page of the ThreatLocker portal.
Configuring the Syslog Ingester With Agent Settings
Once the Syslog Ingester has been installed on the machine, navigate to the 'Agent Settings' page.
From here, select the '+ New Setting' button from the page's top left corner.
Selecting this button will open a side panel titled 'Create Settings'. From here, select the 'Listener Configurations' setting type.
Selecting this option will change the 'Applies To' options to only the groups with the 'Ingester' group type. You can choose your preferred computer or group from here.
Under the 'Parameters' section, you will now be given an area to input your Listener Configurations:
- Listener IP Address - the address the Ingester listens on.
- Port Number - the port the Ingester listens on.
- Action Type - allows you to select between two options:
  - Network
  - Other
- Source Type - allows you to select between three options:
  - General SysLog
  - Big-IP
  - Meraki
- Source - the Syslog Listener asset name.
  - The source will automatically populate as 'SysLog'.
  - This is the name that will appear in the Unified Audit.
- An option to add a new listener.
  - Selecting this option creates another Listener Configurations section in which to enter the new listener's details.
Select the 'Save' button at the bottom of the page when you have finished entering all of this information.
Once this has been configured, the Syslog messages received by the Ingester will appear in your Unified Audit under the Source name you entered.
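The quickest way to confirm a new listener is working (and that the activation delay noted above has passed) is to send it a test message and look for it in the Unified Audit under the configured Source name. The script below is an added example, not ThreatLocker code: it builds a BSD-syslog (RFC 3164) line, shows how the PRI field encodes facility and severity, and sends the line to the Listener IP Address and Port Number you entered. It assumes the listener accepts plain UDP syslog (the page does not state the transport; adjust if your listener uses TCP) and uses constructed sample values for hostname, tag and message text. The loopback round-trip function lets you check the wire format offline before pointing the script at the real listener.

```python
"""Send a test syslog message to a Syslog Ingester listener.

Added example (not ThreatLocker's own code). Assumptions: the listener
accepts RFC 3164-style messages over UDP on the IP/port configured in
'Listener Configurations'. Sample hostname, tag and message are constructed.
"""
import socket
import sys
from datetime import datetime

# RFC 3164 facility and severity codes used to compute the PRI field.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def parse_priority(line: str) -> tuple:
    """Decode the leading <PRI> of a syslog line back into (facility, severity)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("no PRI field at start of line")
    pri = int(line[1:line.index(">")])
    return divmod(pri, 8)


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  msg: str, timestamp: datetime = None) -> str:
    """Return an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    The day of month is space-padded (e.g. 'Oct  5'), as RFC 3164 requires.
    """
    ts = timestamp or datetime.now()
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {msg}"


def send_message(host: str, port: int, line: str) -> int:
    """Send one syslog line over UDP; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (host, port))


def loopback_roundtrip(line: str) -> str:
    """Offline self-check: receive our own datagram on 127.0.0.1 and return it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # ephemeral port chosen by the OS
        rx.settimeout(2.0)
        _, port = rx.getsockname()
        send_message("127.0.0.1", port, line)
        data, _ = rx.recvfrom(4096)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Usage: python syslog_test.py <listener_ip> <port>
    if len(sys.argv) != 3:
        sys.exit("usage: syslog_test.py <listener_ip> <port>")
    # Constructed sample values; use your own hostname/tag to find it in the audit.
    test_line = build_message("local0", "info", "test-host", "tl-syslog-check",
                              "Syslog Ingester connectivity test")
    print("local wire-format check:", loopback_roundtrip(test_line))
    sent = send_message(sys.argv[1], int(sys.argv[2]), test_line)
    print(f"sent {sent} bytes to {sys.argv[1]}:{sys.argv[2]}: {test_line}")
```

Two practitioner notes: UDP syslog carries no sender authentication, so restrict reachability of the Listener IP Address and Port Number to the devices that should be sending logs (host firewall or network ACL) rather than exposing the listener broadly; and when the test line does not appear in the Unified Audit, check that the Source Type matches the sending device (General SysLog for anything that is not Big-IP or Meraki) before assuming the Ingester is not yet active.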