NGINX
This pack includes Cortex XSIAM content.
Configuration on Server Side
You need to configure your Nginx device to forward Syslog messages.
Perform the following in order to configure log forwarding:
- Log in to the Nginx device CLI console.
- Make sure that the Nginx device is configured to generate error and access logs. The default path to the logs is logs/ (the absolute path depends on the operating system and installation).
- Add the below 2 lines to Nginx configuration file:
error_log syslog:server=<syslog server hostname/IP>:<port>,facility=local7,tag=nginx,severity=error;
access_log syslog:server=<syslog server hostname/IP>:<port>,facility=local7,tag=nginx,severity=info;- In order for the config changes to take effect you need to restart the nginx service.
Pay Attention:
For timestamp ingestion, the default time zone for error logs is set to UTC (+0000), you can change the time zone according to your preference.
The supported timestamp formats from syslog messages:
- dd/MMM/yyyy:hh:mm:ss [+|-]nnnn (18/Jul/2021:10:00:00 +0000)
- yyyy/MM/dd hh:mm:ss (2020/01/19 10:00:00)
More information can be found here
Collect Events from Vendor
In order to use the collector, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings > Configuration > Data Broker > Broker VMs.
- Right-click, and select Syslog Collector > Configure.
- When configuring the Syslog Collector, set the following values:
- vendor as vendor - nginx
- product as product - nginx
