Skyhigh Security On-Premises SWG
Connectivity Requirements
You must ensure the following connectivity requirements are fulfilled:
| Source | Destination | Ports | Description |
|---|---|---|---|
| Skyhigh Secure Web Gateway | SamurAI Local Collector | TCP/514 | For log transmission |
Configuring the Log Handler
You must configure the Log Handler on the Skyhigh Secure Web Gateway to output logs in the CEF format expected by the SamurAI platform.
The connection must be configured to send Syslog over TCP port 514, and the maximum message size must be increased to 64KB.
There are two rules to set up. Below are the values required for each rule.
Rule Set 1
This rule constructs the CEF log payload.
- Rule Criteria: Always
- Action: Continue
- Events: Set User-Defined.<CustomName> to the exact value below, so that it constructs the following payload exactly. Be careful to include spaces where indicated:
Set User-Defined.<CustomName> = "CEF:0|Skyhigh|Secure Web Gateway|"
+ MWG.Version
+ "|"
+ Number.ToString (Response.StatusCode)
+ "|"
+ Rules.CurrentRule.Name
+ "|2|rt="
+ String.SubString (DateTime.ToWebReporterString, 4, 3)
+ " "
+ DateTime.Date.ToString ("%DD %YYYY %hh:%mm:%ss")
+ " "
+ "application=\""
+ Application.ToString (Application.Name)
+ "\" "
+ "block_reason=\""
+ Number.ToString (Block.ID)
+ "\" "
+ "bytes_in=\""
+ Number.ToString (BytesToClient)
+ "\" "
+ "bytes_out=\""
+ Number.ToString (BytesFromClient)
+ "\" "
+ "dest_host=\""
+ URL.Host
+ "\" "
+ "dest_ip=\""
+ IP.ToString (URL.Destination.IP)
+ "\" "
+ "dest_port=\""
+ Number.ToString (URL.Port)
+ "\" "
+ "duration=\""
+ Number.ToString (Timer.TimeInTransaction)
+ "\" "
+ "file_extension=\""
+ URL.FileExtension
+ "\" "
+ "file_name=\""
+ URL.FileName
+ "\" "
+ "http_content_type=\""
+ MediaType.ToString (MediaType.FromHeader)
+ "\" "
+ "http_content_type_raw=\""
+ String.ReplaceIfEquals (Header.Request.Get ("Content-type"), " ", "-")
+ "\" "
+ "http_method=\""
+ Command.Name
+ "\" "
+ "http_referer=\""
+ String.ReplaceIfEquals (Header.Request.Get ("Referer"), " ", "-")
+ "\" "
+ "http_status_code=\""
+ Number.ToString (Response.StatusCode)
+ "\" "
+ "http_user_agent=\""
+ Header.Request.Get ("User-Agent")
+ "\" "
+ "proxy_ip=\""
+ IP.ToString (Proxy.Outbound.IP)
+ "\" "
+ "src_ip=\""
+ IP.ToString (Client.IP)
+ "\" "
+ "src_port=\""
+ Number.ToString (Proxy.Outbound.Port)
+ "\" "
+ "url=\""
+ String.ReplaceAll (URL, "=", "\\=")
+ "\" "
+ "url_port=\""
+ Number.ToString (URL.Port)
+ "\" "
+ "url_category=\""
+ List.OfCategory.ToString (URL.Categories)
+ "\" "
+ "user=\""
+ String.ReplaceAll (Authentication.UserName, " ", "-")
+ "\" "
+ "uri_path=\""
+ URL.Path
+ "\" "
+ "uri_query=\""
+ URL.ParametersString
+ "\" "
+ "uri_scheme=\""
+ URL.Protocol
+ "\" "
+ "x_forwarded_for=\""
+ String.ReplaceIfEquals (Header.Request.Get ("X-Forwarded-For"), " ", "-")
+ "\""
Rule Set 2
This rule forwards the payload created in Rule Set 1 via syslog.
The User-Defined.<CustomName> must match the custom variable name defined in Rule Set 1.
- Rule Criteria: Always
- Action: Continue
- Events: Syslog (6, User-Defined.<CustomName>)
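To check what the collector will receive from these two rules, the following added example (not part of the vendor guide or the SamurAI product) parses one record in exactly the shape Rule Set 1 builds: seven pipe-delimited header fields, an unquoted rt= timestamp containing spaces, quoted extension values, and the \= escaping applied to url. The sample line is constructed; the field values in it are invented.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the shape Rule Set 1 produces (not real gateway output).
SAMPLE = (
    'CEF:0|Skyhigh|Secure Web Gateway|11.2.3|403|Block URL|2|'
    'rt=Jan 05 2024 10:15:30 application="Web Browsing" block_reason="10" '
    'bytes_in="512" bytes_out="1024" dest_host="example.com" dest_ip="203.0.113.10" '
    'dest_port="443" duration="42" http_method="GET" http_status_code="403" '
    'src_ip="10.0.0.5" url="https://example.com/login?user\\=bob" '
    'uri_query="user=bob" user="bob" x_forwarded_for="-"'
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

# One key=value token: either a "quoted" value (backslash escapes allowed inside)
# or a bare value running up to the next key= token. The bare form is what the
# unquoted rt= timestamp needs, since it contains spaces.
_EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|.*?)(?=\s+\w+=|$)')


def split_header(line: str) -> Tuple[Dict[str, str], str]:
    """Split the seven '|'-delimited CEF header fields from the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line[4:].split("|", 7)   # maxsplit leaves any '|' inside the extension alone
    if len(parts) != 8:
        raise ValueError(f"expected 7 header fields, found {len(parts) - 1}")
    return dict(zip(HEADER_FIELDS, parts[:7])), parts[7]


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn the extension into a dict, unquoting values and undoing the url \\= escape."""
    fields = {}
    for key, raw in _EXT_RE.findall(ext):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]
        fields[key] = raw.replace("\\=", "=")
    return fields


def parse_cef(line: str) -> Dict[str, str]:
    header, ext = split_header(line.rstrip("\r\n"))
    record = dict(header)
    record.update(parse_extension(ext))
    return record


def is_complete(record: Dict[str, str]) -> bool:
    """x_forwarded_for is the last field the rule emits; a record cut short by a
    too-small syslog message size (see $MaxMessageSize) will be missing it."""
    return "x_forwarded_for" in record
```

Records that fail is_complete() are the first thing to look for when the 64KB message size has not been applied on the gateway or in rsyslog.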
Configuring rsyslog.conf
You need to modify the rsyslog.conf configuration to direct the logs to the SamurAI Local Collector and configure the message size limit.
Increase the maximum message size to 64KB:
$MaxMessageSize 64k
Forward daemon.info logs via TCP to the SamurAI Local Collector over port 514. Substitute the <SamurAI Local Collector IP> placeholder with the IP address of your Local Collector.
daemon.info @@<SamurAI Local Collector IP>:514
For integrations that use a Local Collector to ingest syslog only, you do not need to follow specific steps in the SamurAI MDR portal, because we auto-detect the vendor and product. The only reason you need to use the SamurAI MDR portal is to determine the Local Collector IP address. Of course, you will still need to ensure the integration is functioning! See Integrations for more information on checking status.
Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the SamurAI MDR Portal and we shall get it updated.