In addition to the built-in reports available in Malwarebytes Nebula, you can send threat-related events to your SIEM or Syslog solution for security insights, compliance, and visibility. This article provides the steps required to set up Syslog for Malwarebytes Nebula.
The Malwarebytes event flow follows this order:
- Endpoints report threat detection, quarantine, and other events to Malwarebytes Nebula.
- The Malwarebytes Syslog communication endpoint pulls events from Malwarebytes Nebula.
- The communication endpoint forwards the events to the Syslog server in CEF format.
Prerequisites:
- Active subscription or trial for a Malwarebytes Nebula platform product:
  - Malwarebytes Endpoint Detection and Response
  - Malwarebytes Endpoint Protection
  - Malwarebytes Incident Response
- Network access between one of your Malwarebytes Syslog communication endpoints and your SIEM or Syslog server. TCP over port 514 is used by default.
Configuration steps:
1. Go to Settings > Syslog Logging.
2. Click Add. Promote one of your Windows endpoints as the Syslog communication endpoint.
3. In the top-right corner, click Syslog Settings.
4. Fill in the following information, then click Save.
   - IP Address/Host: IP or hostname of your Syslog server.
   - Port: Port you have specified on your Syslog server.
   - Protocol: Select either TCP or UDP protocol.
   - Severity: Choose a Severity from the list. This determines the Severity of all Malwarebytes events sent to Syslog.
   - Communication Interval (Minutes): Determines how often the communication endpoint gathers Syslog data from the Malwarebytes server. If the endpoint is unable to contact Malwarebytes, it buffers data from the last 24 hours. Data older than 24 hours is not sent to Syslog.
5. Navigate to Endpoints. Click the Syslog communication endpoint you assigned in Step 2.
6. In the Agent Information section, the SIEM version number is displayed. This confirms the SIEM plugin has activated on the endpoint.
The endpoint transfers data to Syslog without further configuration.
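To confirm on the receiving side that events arrive in the expected shape (syslog priority plus a CEF record, with the Severity you selected), the following is an added example of a collector-side decoder; it is not part of the Malwarebytes article, and the sample line, vendor/product strings and extension keys in it are constructed placeholders, not a captured Nebula event.

```python
import re

# Constructed sample (not captured from a real Malwarebytes deployment): one line
# as a collector would receive it, a syslog PRI followed by a CEF record.
# Vendor/product/extension values are illustrative placeholders.
SAMPLE = ('<14>CEF:0|Malwarebytes|Nebula|1.0|1000|Threat quarantined|6|'
          'shost=WS-01 src=10.0.0.5 cs1=Trojan.Example msg=a\\=b\\\\c')

SYSLOG_SEVERITY = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']

def parse_cef(record):
    """Split 'CEF:ver|vendor|product|version|sigid|name|severity|ext' into
    (header fields, extension dict), honouring CEF backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < 7:
        ch = record[i]
        if ch == '\\' and i + 1 < len(record):   # header escapes: \| and \\
            cur.append(record[i + 1])
            i += 2
            continue
        if ch == '|':
            fields.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith('CEF:'):
        raise ValueError('not a CEF record: %r' % record[:40])
    ext_raw, ext = record[i:], {}
    # Extension keys are 'key=' tokens at start or after whitespace; a value runs
    # to the next key. Inside values '=' and '\' must be escaped as \= and \\.
    keys = list(re.finditer(r'(?:^|\s)(\w+)=', ext_raw))
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext_raw)
        val = ext_raw[k.end():end].strip()
        ext[k.group(1)] = re.sub(r'\\([\\=])', r'\1', val)
    return fields, ext

def parse_forwarded_line(line):
    """Decode one syslog line from the communication endpoint into a dict that
    exposes the syslog priority (facility/severity) and the CEF fields."""
    m = re.match(r'<(\d{1,3})>(.*)$', line, re.S)
    if not m:
        raise ValueError('missing syslog PRI')
    pri = int(m.group(1))
    header, ext = parse_cef(m.group(2))
    return {'facility': pri // 8, 'syslog_severity': SYSLOG_SEVERITY[pri % 8],
            'vendor': header[1], 'product': header[2], 'signature_id': header[4],
            'name': header[5], 'cef_severity': int(header[6]), 'ext': ext}
```

Feed it the lines read from your Syslog server's TCP or UDP listener (port 514 by default) while the communication endpoint is active; a ValueError on every line points at a framing or format mismatch rather than a network problem.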
If you need to change your Syslog communication endpoint, perform the following:
- Go to Settings > Syslog Logging.
- Click Remove to demote the existing endpoint.
- Click Add to promote a new endpoint. See the steps above in the Configuration section.
You may temporarily demote a communication endpoint using the On/Off toggle on this screen. Temporarily demoting a communication endpoint can be useful when troubleshooting your Syslog settings.
https://support.malwarebytes.com/hc/en-us/articles/360039018553-Configure-Syslog-in-Malwarebytes-Nebula