At Vectra AI, we continuously work with our customers to understand key product requirements and necessities through a healthy flow of customer feedback. One of the key requirements identified is the ability to ingest Vectra AI’s integrated attack signal known as Attack Signal IntelligenceTM into customer SIEM deployments so they can operationalize the solution into their pre-established SOC processes. This is key to ensure that customers get the most value out of their deployment, and why we invest heavily to make sure that our signal can be ingested anywhere with any technology.
Over the past year, we have released numerous end-to-end technology integrations that enable our customers to ingest Vectra AI’s integrated signal into SIEM deployments, including:
- Splunk Integration for Vectra AI Platform
- Qradar Integration for Vectra AI Platform
- Microsoft Sentinel Integration for Vectra AI Platform
There are many more to come, but we understand the need for a turnkey solution that can work with any syslog-compatible SIEM or data lake.
That is why, today, we are happy to announce the release of the Vectra AI Platform Syslog Connector which can collect all events using the API and send them to any syslog server. The solution was developed to be turnkey, scalable, portable and reliable.
Specifically, the Vectra AI Platform Syslog Connector was designed to help:
- Collect every event from the Vectra AI Platform by polling the API (detection, scoring and audits).
- Store and transform events to be compliant with syslog protocols (RFC 5234).
- Send events to a syslog server (TCP, UDP or TLS).
The fact is, we live in a world where technology will always continue to evolve — with that comes new logging and monitoring as well as a constant stream of new cloud technologies — all having the potential to impact the usage and perceived relevance of traditional syslog. Nevertheless, syslog still plays a crucial role in many environments for its simplicity and versatility. Syslog will remain a fundamental protocol for many years to come.
Vectra AI Platform Syslog Connector Architecture
To be portable and convenient, we choose a containerized solution that can run in a Windows or Linux environment.
Here are some of the highlights of the container solution:
- Portable (control of versions and dependencies within each container).
- "Easy button" with Docker Compose and flat configuration file.
- Robust scaling and queuing solution with RabbitMQ.
- Local disk buffer for data resilience.
- Pre-build container in Docker Hub (Vectra app).
We released this project as open source in our GitHub account, making it easy to review, fork or report any issues or enhancement requests.
How to get started?
First, you need a system that has Docker and Docker Compose installed. Docker Compose is not mandatory but highly recommended as it makes the setup much easier. Then, from a configuration standpoint, you need:
- Base URL of your Vectra AI Platform
- API client credentials (ID and secret)
- Syslog server information (IP address/DNS name + protocol + port)
Note that for syslog over TLS, you would need the syslog server certificate.
Once you have that information in hand, clone the repository:
git clone https://github.com/vectranetworks/siem-connector.git
There are 2 configuration files that need to be edited:
- docker-compose.yml file to configure the Vectra tenant URL and API credentials.
- config.json file to configure the syslog server information as well as scheduler. We recommend using "* * * * *” to run every minute for each endpoint.
The last step is to run Docker Compose to start the application:
We made it easy to access the log of the application as it is directly accessible in the “logs” folder:
Additional information regarding the setup and common error messages can be found on our support website.
And you can find all of the Vectra AI Platform Syslog Connector resources through the links below: