DEV Community

Sharon

Real-Time Attack Monitoring with SafeLine: Setting Up Syslog Integration

To gain better visibility into real-time web attacks, SafeLine supports forwarding detailed logs via Syslog. This allows you to integrate SafeLine with third-party monitoring platforms like SIEM or log aggregators.

🔧 How to Configure Syslog in SafeLine

1. Enable Syslog Forwarding

Navigate to the System page in the SafeLine dashboard. Under Syslog Settings, enter the address and port of your Syslog server. SafeLine sends log messages over UDP and formats them according to the RFC 5424 standard.

Note: Make sure your firewall allows UDP traffic to the specified Syslog server.


2. Verify Syslog Connectivity

Once configured, click the Test button. If the Syslog server receives a message like the following, your setup is working correctly:

<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.

📝 SafeLine Syslog Log Format

SafeLine outputs logs in structured JSON format, making them easy to parse and analyze. Each log entry contains detailed context about HTTP requests, including attack events, request metadata, and enforcement actions.

Here’s an example of a typical Syslog message:

{
  "scheme": "http",
  "src_ip": "12.123.123.123",
  "src_port": 53008,
  "socket_ip": "10.2.71.103",
  "upstream_addr": "10.2.34.20",
  "req_start_time": 1712819316749,
  "rsp_start_time": null,
  "req_end_time": 1712819316749,
  "rsp_end_time": null,
  "host": "safeline-ce.chaitin.net",
  "method": "GET",
  "query_string": "",
  "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",
  "session": "",
  "site_uuid": "35",
  "site_url": "http://safeline-ce.chaitin.net:8083",
  "req_detector_name": "1276d0f467e4",
  "req_detect_time": 286,
  "req_proxy_name": "16912fe30d8f",
  "req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "req_location": "urlpath",
  "req_payload": "",
  "req_decode_path": "",
  "req_rule_module": "m_rule",
  "req_http_body_is_truncate": 0,
  "rsp_http_body_is_truncate": 0,
  "req_skynet_rule_id_list": [65595, 65595],
  "http_body_is_abandoned": 0,
  "country": "US",
  "province": "",
  "city": "",
  "timestamp": 1712819316,
  "payload": "",
  "location": "urlpath",
  "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "decode_path": "",
  "cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",
  "user_agent": "PostmanRuntime/7.28.4",
  "referer": "",
  "timestamp_human": "2024-04-11 15:08:36",
  "resp_reason_phrase": "",
  "module": "m_rule",
  "reason": "",
  "proxy_name": "16912fe30d8f",
  "node": "1276d0f467e4",
  "dest_port": 8083,
  "dest_ip": "10.2.34.20",
  "urlpath": "/webshell.php",
  "protocol": "http",
  "attack_type": "backdoor",
  "risk_level": "high",
  "action": "deny",
  "req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n",
  "body": "",
  "req_block_reason": "web",
  "req_attack_type": "backdoor",
  "req_risk_level": "high",
  "req_action": "deny"
}


This rich data includes:

  • Source and destination IPs and ports
  • Requested URL and HTTP method
  • Attack type and risk level
  • Rule/module triggered
  • Enforcement action (e.g., deny)
  • Full raw headers and request metadata
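The connectivity test message above and the JSON event format are what a receiving SIEM or log collector has to parse. The following Python is an added example (not SafeLine's code or any official integration): it splits an RFC 5424 header into its fields, derives facility and severity from the PRI value, decodes the JSON body when the message carries a SafeLine event, and applies a simple triage rule that surfaces high-risk events. The header fields of the event line (hostname, app name, timestamp) are constructed for the example; the event fields are taken from the sample log entry on this page.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# STRUCTURED-DATA is either "-" or one or more bracketed SD elements.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogRecord:
    facility: int            # PRI // 8  (3 = daemon)
    severity: int            # PRI % 8   (6 = informational)
    timestamp: str
    hostname: str
    appname: str
    msgid: str
    message: str
    event: Optional[dict]    # decoded JSON body when the message is a SafeLine event


def parse_syslog(line: str) -> SyslogRecord:
    """Parse one RFC 5424 line; JSON bodies are decoded, plain text is kept as-is."""
    m = RFC5424_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:60])
    pri = int(m["pri"])
    msg = m["msg"]
    event = None
    if msg.startswith("{"):
        try:
            event = json.loads(msg)
        except json.JSONDecodeError:
            event = None  # malformed body: keep the raw text, do not drop the record
    return SyslogRecord(pri >> 3, pri & 7, m["timestamp"], m["hostname"],
                        m["appname"], m["msgid"], msg, event)


def is_high_risk(event: dict) -> bool:
    """Triage rule: high-risk attack events, blocked or not, deserve an alert."""
    return event.get("risk_level") == "high"


def summarize(event: dict) -> str:
    """One-line summary suitable for an alert title."""
    return "%s -> %s%s %s/%s (%s)" % (
        event.get("src_ip"), event.get("host"), event.get("urlpath"),
        event.get("attack_type"), event.get("risk_level"), event.get("action"))


def triage(lines: List[str]) -> List[str]:
    """Return alert summaries for every high-risk SafeLine event in the input."""
    alerts = []
    for line in lines:
        rec = parse_syslog(line)
        if rec.event is not None and is_high_risk(rec.event):
            alerts.append(summarize(rec.event))
    return alerts


# Message from the page's connectivity test.
TEST_LINE = ("<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 "
             "safeline_event - Connectivity test requested.")

# Constructed event line: header fields are assumed, body fields come from the page's sample log.
SAMPLE_EVENT = {
    "src_ip": "12.123.123.123", "src_port": 53008, "host": "safeline-ce.chaitin.net",
    "method": "GET", "urlpath": "/webshell.php", "attack_type": "backdoor",
    "risk_level": "high", "action": "deny",
    "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
    "timestamp_human": "2024-04-11 15:08:36", "user_agent": "PostmanRuntime/7.28.4",
}
EVENT_LINE = ("<30>1 2024-04-11T15:08:36+08:00 1276d0f467e4 safeline 1 safeline_event - "
              + json.dumps(SAMPLE_EVENT))

# Constructed low-risk event to show that the triage rule filters it out.
LOW_EVENT_LINE = ("<30>1 2024-04-11T15:09:01+08:00 1276d0f467e4 safeline 1 safeline_event - "
                  + json.dumps(dict(SAMPLE_EVENT, urlpath="/index.php", attack_type="scanner",
                                    risk_level="low", action="allow")))

if __name__ == "__main__":
    rec = parse_syslog(TEST_LINE)
    print("facility=%d severity=%d app=%s msg=%s" % (rec.facility, rec.severity, rec.appname, rec.message))
    for alert in triage([TEST_LINE, EVENT_LINE, LOW_EVENT_LINE]):
        print("ALERT:", alert)
```

Feeding the three sample lines to `triage` yields a single alert for the backdoor event; the connectivity test (plain text body) and the constructed low-risk event pass through without alerting. A real collector would receive the lines from a UDP socket on the configured port, but the parsing and triage logic is the same.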

📊 Why Use Syslog with SafeLine?

By integrating Syslog:

  • You centralize your WAF logs with existing monitoring tools
  • You gain real-time insight into threat patterns
  • You can trigger alerts or automated responses using external systems

🔗 Resources:

SafeLine’s Syslog support ensures seamless integration with your security infrastructure — empowering you to stay ahead of threats with actionable data.
