Real-Time Attack Monitoring with SafeLine: Setting Up Syslog Integration

#cybersecurity #webdev #opensource #waf

To gain better visibility into real-time web attacks, SafeLine supports forwarding detailed logs via Syslog. This allows you to integrate SafeLine with third-party monitoring platforms like SIEM or log aggregators.

🔧 How to Configure Syslog in SafeLine

1. Enable Syslog Forwarding

Navigate to the System page in the SafeLine dashboard. Under Syslog Settings, input the required server address and port. SafeLine uses UDP protocol and follows the RFC-5424 standard for log formatting.

Note: Make sure your firewall allows UDP traffic to the specified Syslog server.

2. Verify Syslog Connectivity

Once configured, click the Test button. If the Syslog server receives a message like the following, your setup is working correctly:

<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.

📝 SafeLine Syslog Log Format

SafeLine outputs logs in structured JSON format, making them easy to parse and analyze. Each log entry contains detailed context about HTTP requests, including attack events, request metadata, and enforcement actions.

Here’s an example of a typical Syslog message:

{
  "scheme": "http",
  "src_ip": "12.123.123.123",
  "src_port": 53008,
  "socket_ip": "10.2.71.103",
  "upstream_addr": "10.2.34.20",
  "req_start_time": 1712819316749,
  "rsp_start_time": null,
  "req_end_time": 1712819316749,
  "rsp_end_time": null,
  "host": "safeline-ce.chaitin.net",
  "method": "GET",
  "query_string": "",
  "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",
  "session": "",
  "site_uuid": "35",
  "site_url": "http://safeline-ce.chaitin.net:8083",
  "req_detector_name": "1276d0f467e4",
  "req_detect_time": 286,
  "req_proxy_name": "16912fe30d8f",
  "req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "req_location": "urlpath",
  "req_payload": "",
  "req_decode_path": "",
  "req_rule_module": "m_rule",
  "req_http_body_is_truncate": 0,
  "rsp_http_body_is_truncate": 0,
  "req_skynet_rule_id_list": [65595, 65595],
  "http_body_is_abandoned": 0,
  "country": "US",
  "province": "",
  "city": "",
  "timestamp": 1712819316,
  "payload": "",
  "location": "urlpath",
  "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "decode_path": "",
  "cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",
  "user_agent": "PostmanRuntime/7.28.4",
  "referer": "",
  "timestamp_human": "2024-04-11 15:08:36",
  "resp_reason_phrase": "",
  "module": "m_rule",
  "reason": "",
  "proxy_name": "16912fe30d8f",
  "node": "1276d0f467e4",
  "dest_port": 8083,
  "dest_ip": "10.2.34.20",
  "urlpath": "/webshell.php",
  "protocol": "http",
  "attack_type": "backdoor",
  "risk_level": "high",
  "action": "deny",
  "req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n",
  "body": "",
  "req_block_reason": "web",
  "req_attack_type": "backdoor",
  "req_risk_level": "high",
  "req_action": "deny"
}

This rich data includes:

Source and destination IPs and ports
Requested URL and HTTP method
Attack type and risk level
Rule/module triggered
Enforcement action (e.g., deny)
Full raw headers and request metadata

📊 Why Use Syslog with SafeLine?

By integrating Syslog:

You centralize your WAF logs with existing monitoring tools
You gain real-time insight into threat patterns
You can trigger alerts or automated responses using external systems

🔗 Resources:

SafeLine’s Syslog support ensures seamless integration with your security infrastructure — empowering you to stay ahead of threats with actionable data.