Syslog connector (on-premises) configuration

Procedure

1. In the Trend Vision One console, go to Workflow and Automation → Third-Party Integration.
2. Click Syslog Connector (On-premises).
3. In the Syslog Connector (On-premises) screen, enable Syslog Connector (On-premises) .
4. Select the data to send to your syslog server(s).
   • Workbench alerts
   • Observed Attack Techniques
     If you select this data type, you can select one or more of the following event severity levels:
     • Critical
     • High
     • Medium
   • Audit logs
     If you select this data type, you can select one or more of the following log types:
     • Account
     • System

   Note You must select at least one data type.

5. Click Connect Syslog Server.
6. In the Syslog Server Connection panel, configure the following settings.

   Setting	Description
   Server address	Specify the IP address or FQDN for your syslog server.
   Syslog format	Select the syslog format. Note Syslog Connector (On-premises) currently only supports Common Event Format (CEF).
   Protocol	Select the connection protocol.
   Port	Specify the port. Default port settings: SSL/TLS: 6514 TCP: 601 UDP: 514
   Security Vendor	(Optional) Specify the name of the SIEM vendor.

7. (Optional) Select Use CA certificate to upload a CA certificate to use when connecting to the syslog server.
8. (Optional) If your syslog server requires authenticated connections, select Server requires client authentication to upload the client certificate and specify the passphrase.
9. (Optional) Select Include Company ID in each raw log.
10. Select a Service Gateway appliance with the Syslog Connector service installed from the Service Gateway drop-down list.
11. Click Test Connection to perform a connection test and verify settings.
12. Click Connect to test and save your connection settings.
13. In the Syslog Connector (On-premises) screen, click Save.