v10.70 (build: Mar 4 2025)

syslog

Messages about various events can be transmitted to an external system (for example, a SIEM) over the syslog protocol.
In the "Server" field, specify "udp://server:port" (for UDP transport) or "tcp://server:port" (for TCP transport), and select the types of messages/events that will be sent to the server.

syslog-messages format description

Messages are transmitted in accordance with RFC5425 in the following form:
    SYSLOG-MSG      = HEADER SP STRUCTURED-DATA
    HEADER          = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
    STRUCTURED-DATA = "[" SD-ID *(SP SD-PARAM) "]"
    SD-PARAM        = PARAM-NAME "=" %d34 PARAM-VALUE %d34
In general, message fields mirror the corresponding tables of the suite's database as closely as possible, for compatibility.
Message example:
<134>1 2025-01-15T10:43:48.121Z SERVER-PC stsrv - - [TReportUserEvents@60366 comp_loc="company.org" comp_name="PC-0001" user_domain="COMPANY" user_name="user1" event_time="2025-01-15T10:10:12.012Z" event_type="106" priority="1" description="\"D:\\filename.exe\" -> \"virustotal.com\""]
Description:

PRI=<134>
VERSION=1
TIMESTAMP=time (UTC) at which the message was sent to the server, not the time at which the event occurred (the event may have happened much earlier).
HOSTNAME=the machine name of the server from which the message is sent
APP-NAME=stsrv
PROCID=not used (sent as "-")
MSGID=not used (sent as "-")
SD-ID=DB_table_name@60366
Note: DB_table_name is currently TReportUserEvents or TReportCompEvents, but new table names may be added in the future.
Note: @60366 is the IANA-assigned enterprise number.
PARAM-NAME=name of a field of the database table; some fields may be present or absent depending on the table.

Below are the main fields and their descriptions:
comp_loc – the domain of the computer on which the event occurred (for example, “company.local”)
comp_name – NetBIOS name of the computer on which the event occurred (for example, “PC-001”)
user_domain – NetBIOS domain name of the logged-on user for whom the event occurred (for example, “COMPANY”)
user_name – user login name (for example, “user1”)
event_time – time of the event in UTC (in general, it can differ greatly from the TIMESTAMP of the message!)
event_type – event type; see the appendix of event codes below
priority – event priority (0 – high, 1 – regular)
description – event description in text form (UTF-8)

Appendix: event codes (event_type)
100:  "exec app from threats list"
101:  "website from threats list"
102:  "input text from threats list"
103:  "print document"
104:  "copy to flash-drive"
105:  "copy to selected folders"
106:  "file send"
107:  "flash-drive insertion"
108:  "image in clipboard"
109:  "DLP: document reading"
110:  "DLP: document in clipboard"
111:  "DLP: text in clipboard"
112:  "DLP: PrintScreen"
113:  "DLP: copy to flash-drive"
114:  "DLP: copy to selected folders"
115:  "DLP: document send"
116:  "DLP: speech"
117:  "atypical behavior"
118:  "changes in hardware/soft"
119:  "possible client removal"
120:  "no face in front of webcam"
121:  "another face in front of webcam"
122:  "more than 1 face in front of webcam"
123:  "PC shutdown was postponed"
124:  "problem on the client PC"
125:  "changing microphone state"
126:  "critical app/site"
127:  "user logon"
128:  "blacklisted app execution"
129:  "DLP: document printing"
130:  "exec forbidden Linux command"
131:  "USB-device has been disabled"
132:  "DLP: file found"
133:  "crypto-address in the clipboard"
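As an added example (not part of the Kickidler documentation or software), the following Python parser consumes one message in the format described above: it splits the HEADER, decodes the structured-data element including the backslash-escaped quotes in description, maps event_type to its name from the appendix, and keeps the transmission TIMESTAMP separate from event_time. The names parse_event, parse_sd_element and EVENT_TYPES are the example's own, and the sample message is the one from the description above.

```python
import re
from datetime import datetime

# Event codes from the appendix above (a subset; extend with the rest of the table).
EVENT_TYPES = {100: "exec app from threats list", 104: "copy to flash-drive", 106: "file send",
               107: "flash-drive insertion", 127: "user logon", 128: "blacklisted app execution"}

# HEADER from the grammar: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>\d+ (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ (?P<sd>\[.*)$")

def parse_sd_element(sd):
    """Parse one '[SD-ID name="value" ...]' element; a backslash escapes '"', '\\' and ']' in values."""
    i = min(x for x in (sd.find(" "), sd.find("]")) if x != -1)   # end of SD-ID
    sd_id, params = sd[1:i], {}
    while sd[i] != "]":
        eq = sd.index("=", i + 1)            # skip SP; PARAM-NAME ends at "="
        name = sd[i + 1:eq]
        if sd[eq + 1] != '"':
            raise ValueError("PARAM-VALUE must be quoted: " + name)
        i, value = eq + 2, []
        while sd[i] != '"':                  # an unescaped quote closes the value
            if sd[i] == "\\" and sd[i + 1] in '"\\]':
                i += 1
            value.append(sd[i])
            i += 1
        params[name] = "".join(value)
        i += 1
    return sd_id, params

def _utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_event(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog message in the expected HEADER STRUCTURED-DATA form")
    sd_id, params = parse_sd_element(m["sd"])
    pri = int(m["pri"])
    event = {"facility": pri // 8, "severity": pri % 8, "sent_at": m["ts"],
             "server": m["host"], "table": sd_id.split("@")[0], **params}
    event["event_name"] = EVENT_TYPES.get(int(params.get("event_type", -1)), "unknown")
    # TIMESTAMP is when the server sent the message; event_time is when the event happened.
    event["delivery_lag_s"] = (_utc(m["ts"]) - _utc(params["event_time"])).total_seconds()
    return event

# Constructed sample: the example message from the description above, as it appears on the wire.
SAMPLE = ('<134>1 2025-01-15T10:43:48.121Z SERVER-PC stsrv - - [TReportUserEvents@60366 comp_loc="company.org" '
          'comp_name="PC-0001" user_domain="COMPANY" user_name="user1" event_time="2025-01-15T10:10:12.012Z" '
          r'event_type="106" priority="1" description="\"D:\\filename.exe\" -> \"virustotal.com\""]')
```

For the sample message parse_event(SAMPLE) yields facility 16 (local0), severity 6 (informational), event_name "file send" and a delivery lag of about 33 minutes, which is why correlation rules should key on event_time rather than on the syslog TIMESTAMP.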
© KICKIDLER DLP