Pierre-Lannoy / wp-decalog

Capture and log events, metrics and traces on your site. Make WordPress observable - finally!
https://perfops.one/
GNU General Public License v3.0

Authenticated Syslog Forwarding #13

Closed mgaryGCM closed 4 years ago

mgaryGCM commented 4 years ago

I'd like to utilize your plugin for syslog forwarding to SIEM. This tool has a cloud hosted syslog collector which should be capable of receiving the logs given your formatting. The issue with this is that it currently only accepts authenticated messages, i.e. with a Token.

Do you think it would be possible to update this file (SyslogHandler.php) potentially on lines 22 & 41 to pass an authentication token? I haven't fully traced your plugin yet, but am curious if you've run into this issue or if I am misusing your tool.

I'd be happy to help with this, curious what your thoughts are.

Thank you, MG

Pierre-Lannoy commented 4 years ago

Hello mgaryGCM! You're the first one to ask for that and I must admit I was not aware that some services were asking for a token. In fact, it makes sense to "sort" logs when you have many different customers.

After looking for some service providers, they all do it a little differently. If we want to have this feature, I have to do it differently for each SIEM provider. So, first thing first, who is your service provider?

mgaryGCM commented 4 years ago

Pierre-Lannoy,

We utilize Sumo Logic for our cloud ingestion. Here is a little more data on how this data collector would work if used: https://help.sumologic.com/03Send-Data/Sources/02Sources-for-Hosted-Collectors/Cloud-Syslog-Source

It looks like the token would need to be passed with the message either in a structured data field or within the message body.

Thank you, Michael
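To make the "structured data field" option concrete: the following is an added example (not DecaLog's code, nor the plugin's SyslogHandler.php) that builds an RFC 5424 message carrying the collector token as an SD-ELEMENT, frames it for TCP with octet counting, and ships it over verified TLS. The `<token>@41123` SD-ID shape, the `tag` parameter, the port and the sample values are assumptions; check them against the Sumo Logic page linked above.

```python
"""Build, frame and send an RFC 5424 syslog line whose STRUCTURED-DATA
carries a cloud-collector token (added example, not DecaLog's own code)."""
import socket
import ssl
from datetime import datetime, timezone

# ASSUMPTION: the collector expects an SD-ID of "<token>@41123" (41123 taken
# here as the vendor's IANA enterprise number) with a "tag" PARAM. Verify
# this against the collector's documentation before relying on it.
SD_ID_SUFFIX = "@41123"


def _escape_param_value(value: str) -> str:
    """RFC 5424 section 6.3.3: escape '\\', '"' and ']' inside a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_rfc5424(token: str, message: str, hostname: str, app_name: str,
                  tag: str = "wordpress", facility: int = 1, severity: int = 6,
                  timestamp=None) -> str:
    """Return one RFC 5424 line. The token rides in STRUCTURED-DATA, not in
    the free-text MSG, so a parser finds it in a fixed, escaped position."""
    # An SD-NAME may not contain SP, '=', ']' or '"' and must be ASCII; refuse
    # anything else so a malformed token cannot break out of the element.
    if not token or not token.isascii() or any(c in token for c in ' ="]'):
        raise ValueError("token is not a valid RFC 5424 SD-NAME")
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    ts = ts.replace("+00:00", "Z")          # RFC 5424 permits the "Z" suffix
    pri = facility * 8 + severity            # default: user.info -> <14>
    sd = f'[{token}{SD_ID_SUFFIX} tag="{_escape_param_value(tag)}"]'
    # HEADER: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD, MSG
    return f"<{pri}>1 {ts} {hostname} {app_name} - - {sd} {message}"


def frame_octet_counting(line: str) -> bytes:
    """RFC 6587 octet-counting framing ("<len> <msg>") for syslog over TCP/TLS."""
    payload = line.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def send_tls(line: str, host: str, port: int = 6514) -> int:
    """Send one framed message over TLS; the default context verifies the
    server certificate and hostname, so the token never travels in clear."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.send(frame_octet_counting(line))
```

Constructed sample: `build_rfc5424("abc123TOKEN", "User login failed", "wp-host", "DecaLog")` yields a `<14>1 ... [abc123TOKEN@41123 tag="wordpress"] User login failed` line ready for `send_tls`.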

Pierre-Lannoy commented 4 years ago

Thanks. I will see if it's possible - just opened a free 30-d trial ;) Nevertheless, the syslog choice is a strange choice today: very poor format in terms of "information density" (limited length, no structured data). Is there a reason why you chose it? Just curious, no problem if you don't want to answer :)

mgaryGCM commented 4 years ago

Agreed on syslog being a little archaic. As our WordPress instances are cloud hosted we'd like to use a cloud>cloud methodology and not hop to an on-prem collector. We're somewhat limited in the types of cloud APIs available via Sumo. For this application it looks like our only method is via "HTTP Logs & Metrics" or "Cloud Syslog".

I was able to bootstrap your Slack/webhooks logger to work with the Sumo "HTTP Logs & Metrics" collector type but am also interested in the authenticated method. I would be much more comfortable sending verbose log data that's encrypted instead of obscuring user data etc and pushing via webhooks.

Also it may be worth mentioning that in Sumo, I'm able to turn unstructured data into structured in just a few minutes and automate this on ingestion.

Pierre-Lannoy commented 4 years ago

OK. Understood :) Just give me some days to see if I can do it with syslog on TCP... I will tell you.

mgaryGCM commented 4 years ago

Excellent, thank you for the help!

Pierre-Lannoy commented 4 years ago

Hello! I can confirm Sumo Logic cloud-syslog will be available as a logger in DecaLog 1.14.0. It's now working like a charm on my test platform.

Thanks for the suggestion.

PS: if you're happy with the plugin, don't hesitate to rate it on wp.org.

mgaryGCM commented 4 years ago

Excellent, thank you so much for the help! I haven't rated anything yet but would definitely be happy to in this case.

Thanks again, Michael

Pierre-Lannoy commented 4 years ago

Hello! 1.14.0 is released. I close this issue, don't hesitate to open new one(s) if you want to suggest plugin improvements...

mgaryGCM commented 4 years ago

Thank you very much, just tested and deployed this functionality into our environment.