SIEM Logs

Describes how to configure SIEM log rules.

Introduction

Unified Content Secure Server (UCSS) forwards system logs, alerts, and other security logs to SIEM (Security Information and Event Management) servers, and supports sending customized log content to multiple servers. This lets administrators perform real-time event monitoring, historical analysis, and incident handling.

Select System > Basic Settings > SIEM to enter the SIEM log rules list page. The added SIEM servers are displayed in the list, along with information such as name, description, status, server, transport, port, creation time, and creator.

The SIEM function is disabled globally by default. Enable it by sliding the status toggle.

Basic Information

A SIEM log rule includes the following basic information.
  • Name - Enter a name that distinguishes the item from other items.
    Note: The name field supports Chinese characters, English characters, numbers, and certain special characters. The item cannot be saved if an unsupported character is entered.
    Note: The name cannot be exactly the same as the name of an existing or predefined item.
  • Description - Describe the purpose of the item.
    Tip: The description should contain all the information a security administrator needs to manage the item in the long run.
  • Status - Click the toggle to enable or disable the item.

SIEM Settings

A SIEM log rule includes the following information related to SIEM server settings.
  1. Hostname/IP: Enter the hostname or IP address of the SIEM server.
  2. Port: Enter the port on which the SIEM server receives syslog messages (default port 514).
  3. Transport Method: Select the transport protocol, UDP or TCP.
    Note: UDP sends each message as an unacknowledged, unencrypted datagram, so dropped messages are not reported and log content crosses the network in cleartext. When the transport method is TCP, choose whether to enable a secure connection (SSL) to encrypt the sent information. If SSL is enabled, confirm with the SIEM administrator which port the TLS listener uses; syslog over TLS (RFC 5425) conventionally listens on port 6514 rather than 514.

    After configuration, click the Send Test Message button to verify connectivity to the syslog server. A successful test shows only that the message reached the server; confirm on the SIEM side that it was parsed into the expected fields.

  4. Delimiter Settings: (Optional) Choose whether to separate log fields with a custom delimiter. Pick a character that does not occur in field values, otherwise the SIEM parser will split records incorrectly.
  5. Null Value Settings: (Optional) Choose whether fields with no value are sent to the log server as N/A. Sending N/A keeps the field count of every record constant, which simplifies parsing on the SIEM side; omitting null values produces shorter records.

Selecting Content to Send to SIEM Server

The following content can be configured in a SIEM log rule to be sent to the SIEM server.
  • System Logs: Send the selected log field content of system logs from Unified Content Secure Server (UCSS) and all registered devices to the server.
  • Network Events: Send the selected log field content of network event logs to the server.
  • Discovery Events: Send the selected log field content of discovery event logs to the server.
  • Endpoint Events: Send the selected log field content of endpoint event logs to the server.
  • Mobile Events: Send the selected log field content of mobile event logs to the server.
  • ASWG Proxy Logs: Send the selected log field content of Advanced Secure Web Gateway (ASWG) proxy logs to the server.
  • Email Logs: Send the selected log field content of email logs from Unified Content Secure Server (UCSS) and all registered devices to the server.
  • Email Connection Logs: Send the selected log field content of email connection logs from Unified Content Secure Server (UCSS) and all registered devices to the server.
  • API Traffic Logs: Send the selected log field content of API traffic logs to the server.
  • Audit Logs: Send the selected log field content of audit logs from Unified Content Secure Server (UCSS) to the server.