Many networks today use a centralized log aggregation tool to collect and view data across the enterprise. Sandfly is designed to work with these tools to send alerts over syslog.
Sandfly Sends Rich Structured Data to Syslog
The syslog alerts Sandfly sends are rich structured data: Sandfly sends the same information to the syslog destination as you would see natively in the Sandfly UI. This means you can set up Sandfly to monitor your hosts and use your existing monitoring tools to view alerts, without needing to open the Sandfly UI other than for Sandfly configuration tasks.
Further, the data Sandfly sends contains extended attributes that let you search on a variety of keywords about the data, the status of the alert, the alert type and other important pieces of information.
IDEA: Generate Test Alerts To See Syslog Output

Once you set Sandfly up to send syslog output, it may be useful to generate some alerts so that Sandfly sends them to your syslog destination and you can confirm it is working. For a quick test, go onto a host and run the following command:

mkdir /tmp/...

This creates a suspicious directory under /tmp called "...". When you run Sandfly against this host, you will see an alert activation for a suspicious directory under /tmp, and the alert will be sent to your syslog server if it is set up correctly. After you see this alert, be sure to run "rmdir /tmp/..." to remove the directory, or you will get repeated alarms from Sandfly about the suspicious entry.
Adding a Syslog Destination
Adding a syslog destination is simple. Click on the Add Syslog Notification button and enter the following information:
- Name - A readable reference name for you of what the syslog destination is.
- Hostname - Hostname or IP address of the syslog destination.
- UDP Port - The syslog UDP port (default is 514).
- Include 'Pass' Results - Send all results, or only the alarm and error results?
NOTE: Allow Syslog UDP Port Access

Be sure the packet filter on the syslog system allows UDP traffic from the Sandfly server, or you will not see any syslog data.
Click the Add Syslog Notification button and the syslog destination is now active.
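A quick way to confirm that the new destination is reachable and that the UDP port is open, and to look at the structured payload described above, is to run a small UDP syslog receiver on the syslog host while you generate a test alert. The script below is an added example, not Sandfly's own code: it binds the configured UDP port (514 by default), decodes the standard syslog PRI header, and, if the message body carries a JSON object, parses it. The exact layout of Sandfly's payload and the "status" field name used by the alarm heuristic are assumptions made for this example; adjust them to what your Sandfly version actually emits.

```python
"""Minimal UDP syslog receiver for checking a Sandfly syslog destination.

Added example, not Sandfly's own code. It listens on the UDP port
configured in Sandfly (default 514), decodes the RFC 3164/5424-style
PRI header, and parses a JSON object from the body if one is present
(an assumption about the structured payload, not a documented format).
Run it on the syslog host to confirm packets from the Sandfly server
actually arrive through the packet filter.
"""
import json
import re
import socket
import sys

# Both RFC 3164 and RFC 5424 messages start with "<PRI>",
# where PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Split a raw syslog datagram into priority fields and body.

    Returns a dict with facility, severity, the text body and, when the
    body contains a JSON object, the parsed object under "data".
    """
    text = datagram.decode("utf-8", errors="replace")
    m = _PRI_RE.match(text)
    if not m:
        # No PRI header: treat the whole datagram as the body.
        return {"facility": None, "severity": None, "body": text, "data": None}
    pri = int(m.group(1))
    body = m.group(2)
    result = {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "body": body,
        "data": None,
    }
    # Parse from the first "{" onwards; where the structured payload sits
    # in the message is an assumption for this example.
    start = body.find("{")
    if start != -1:
        try:
            result["data"] = json.loads(body[start:])
        except json.JSONDecodeError:
            pass
    return result


def is_alarm(parsed: dict) -> bool:
    """Heuristic: flag messages whose JSON "status" field is not "pass".

    The field name "status" is constructed for this example; change it
    to match the attribute your Sandfly alerts carry.
    """
    data = parsed.get("data") or {}
    return str(data.get("status", "")).lower() not in ("", "pass")


def listen(host: str = "0.0.0.0", port: int = 514) -> None:
    """Receive datagrams forever and print a one-line summary of each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))  # binding to 514 normally requires root
        print(f"listening on udp/{port}; generate a test alert in Sandfly now")
        while True:
            datagram, (src, _) = sock.recvfrom(65535)
            p = parse_syslog(datagram)
            tag = "ALARM" if is_alarm(p) else "info "
            print(f"{tag} from {src} sev={p['severity']} {p['body'][:120]}")


if __name__ == "__main__":
    # Optional first argument overrides the UDP port, e.g. for an unprivileged test.
    listen(port=int(sys.argv[1]) if len(sys.argv) > 1 else 514)
```

Run it as root on the syslog host (or pass an unprivileged port and point a test destination at it), trigger the /tmp/... test alert, and watch for a line from the Sandfly server's address. If nothing arrives while the Sandfly UI shows the alert, the packet filter between the two hosts is the first thing to check.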