Red Hat SummitChapter 10. Integrating by using the syslog protocol
Syslog is an event logging protocol that applications use to send messages to a central location, such as a SIEM or a syslog collector, for data retention and security investigations. With Red Hat Advanced Cluster Security for Kubernetes, you can send alerts and audit events using the syslog protocol.
- Forwarding events by using the syslog protocol requires the Red Hat Advanced Cluster Security for Kubernetes version 3.0.52 or newer.
- When you use the syslog integration, Red Hat Advanced Cluster Security for Kubernetes forwards both violation alerts that you configure and all audit events.
- Currently, Red Hat Advanced Cluster Security for Kubernetes only supports CEF (Common Event Format).
The following steps represent a high-level workflow for integrating Red Hat Advanced Cluster Security for Kubernetes with a syslog events receiver:
- Set up a syslog events receiver to receive alerts.
- Use the receiver’s address and port number to set up notifications in the Red Hat Advanced Cluster Security for Kubernetes.
After the configuration, Red Hat Advanced Cluster Security for Kubernetes automatically sends all violations and audit events to the configured syslog receiver.
10.1. Configuring syslog integration with Red Hat Advanced Cluster Security for Kubernetes
Create a new syslog integration in Red Hat Advanced Cluster Security for Kubernetes (RHACS).
Procedure
-
In the RHACS portal, click the Platform Configuration
Integrations Notifier tab. - Select Syslog.
- Click New integration.
In the Create integration page, provide the following information:
- Enter a name for your integration.
-
Select the Logging facility value from
local0throughlocal7. - Enter your Receiver host address and Receiver port number.
Enter a value for the Maximum message size.
Enter a value between
0and1048576, which corresponds to the number of bytes used to chunk messages. You can adjust the value by using the up and down arrows in the spin button.If you do not want to chunk messages, enter
0.Select the appropriate Message format:
- If you are creating a new integration, select CEF.
- If you have an existing integration that relies on the old behavior, select CEF (legacy field order).
Select the appropriate checkboxes:
- If you are using TLS, select the Use TLS checkbox.
- If your syslog receiver uses a certificate that is not trusted, select the Disable TLS Certificate Validation (insecure) checkbox.
To add extra fields, click Add new extra field.
For example, if your syslog receiver accepts objects from multiple sources, type
sourceandrhacsin the Key and Value fields.You can filter by using the custom values in your syslog receiver to identify all alerts from RHACS.
- To send a test message to verify that the integration with your generic webhook is working, click Test.
- To create the configuration, click Save.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}