You can configure Twistlock to send audit event records (audits) to syslog and/or stdout.
Syslog integration must be turned on manually.
Open Console, go to Manage > System > Logging, then set Syslog to Enabled.
Twistlock connects to the syslog socket on /dev/log.
Stdout integration can be enabled from the same tab.
When you enable syslog or stdout integration, you can optionally enable verbose output.
Verbose output records vulnerability and compliance issues in your environment.
It also records all process activity.
In general, enabling verbose output is not recommended because of the substantial overhead.
You can retrieve this data much more efficiently from the Twistlock API.
Nevertheless, sometimes this capability is expressly required for integration with SIEM tools.
Note: Do not enable both syslog and stdout on hosts with systemd.
With systemd, anything sent to stdout gets logged to syslog.
With both syslog and stdout enabled, you would get duplicate messages in syslog.
1.1. Sending data over the network
Writing to /dev/log sends logs to the local host’s syslog daemon.
The syslog daemon can then be optionally configured to forward those logs to a remote syslog or SIEM server.
If you don’t have access to the underlying host, you can configure Twistlock Console to send log messages directly to your remote system.
Some things to keep in mind:
- Console sends logs directly to your remote server.
  When configuring Console with the remote server, validate that the address you enter is actually reachable from the host where Console runs.
  Otherwise, you risk losing log messages.
- Because Console sends messages directly to your remote server, and not through the local syslog daemon, you don’t get some of syslog’s built-in benefits, such as buffering, which protects against network outages and service failures.
- The classic syslog implementation sends logs over UDP.
  This is considered a bad practice if your logs have any value.
  UDP is connectionless: packets are sent to their destination without confirming that they were received.
  TCP’s stateful connections and retransmission capabilities make it more appropriate for shuttling logs to a SIEM.
Procedure
- Log into Console.
- Go to System > Logging.
- Set Syslog to Enabled.
- In Send syslog messages over the network to, click Edit, and then specify a destination.