Syslog - ExtraHop
Device Details
| Attribute | Value |
|---|---|
| Vendor | ExtraHop |
| Device Type | ExtraHop Remote Syslog |
| Supported Model Name/Number | Network Detection From Core to Cloud |
| Supported Software Version(s) | N/A |
| Collection Method | Syslog |
| Configurable Log Output? | N/A |
| Log Source Type | Syslog – ExtraHop |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | https://docs.extrahop.com/current/extrahop-trigger-api/#remotesyslog |
Prerequisites
To access the ExtraHop Remote Syslog configuration, you need one of the following web browsers:
- Microsoft Internet Explorer 11 or higher
- Mozilla Firefox
- Apple Safari
- Google Chrome
Device Configuration Checklist
- Send audit log data to a remote syslog server: https://docs.extrahop.com/7.7/audit-log/#send-audit-log-data-to-a-remote-syslog-server
- Configure notifications (ExtraHop admin UI guide): https://docs.extrahop.com/7.7/eta-admin-ui-guide/#notifications
Currently Supported Log Types
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Alert Notification Messages | All | <severity>, <vmid>, <vendorinfo>, <subject>, <objectname>, <objecttype>, <object>, <smac>, <sip>, <rate> |
| Audit Notification Messages | All | <severity>, <login>, <object>, <action>, <status>, <dip> |
| Catch All | All | <severity> |
Parsed Metadata Fields
| Product Field Name | LogRhythm Metadata Field | Value/Data Type |
|---|---|---|
| Alert comment | <subject> | Text/String |
| Alert expression | <object> | Object |
| Alert name | <vendorinfo> | Vendor Info |
| Alert Value | <rate> | Numeric/Fraction |
| Alert/Info | <severity> | Severity |
| Details | <status> | Status |
| Event id | <vmid> | Vendor Message Id |
| Facility | <object> | Object |
| IP | <dip> | Destination IP |
| Ipaddr | <sip> | Origin IP |
| Mcaddr | <smac> | Origin MAC Address |
| Object name | <objectname> | Object Name |
| Object type | <objecttype> | Object Type |
| Operations | <action> | Actions |
| User | <login> | Login |