DeepFinder Syslog
SYSLOG
DeepFinder can be integrated with external systems like SIEM (Security Information and Event Management) via Syslog transmission.
Integration settings are performed in the [MANAGEMENT] > [SETTINGS] > [CHANGE SERVER CONFIG] menu.
1. LogServer Registration
Register the IP and Port of the server that will receive Syslog.

2. LogFormat Configuration
Modify the format of the detection logs to be sent, if necessary (see the variable definitions in the 'Detection Log' table below).

3. Apply Settings (Restart Server)
After completing the settings, you must restart the Server process for the changes to take effect.

Impact of Server Process Restart
The Server Process handles communication between the Manager and Agents.
Restarting the process temporarily disconnects the Agents, but the Agent's security functions (WAF) continue to operate without interruption.
Detection logs generated during the disconnection are stored in the Agent's internal buffer and are sent to the Manager in batch upon reconnection.
Detection Log
Variable definitions used when configuring the detection log format (logformat).
| Variable | Description | Variable | Description |
|---|---|---|---|
| %A / %a | Action (Response Result) | %K | ISO country code |
| %B | HttpBody | %L | LogType |
| %b | HttpBody (Encoded) | %l | LogType (Encoded) |
| %C | Company Name | %M | Detect Msg (Detection Message) |
| %c | Company Name (Encoded) | %m | Detect Msg (Encoded) |
| %D | Domain | %N / %n | Instance ID |
| %d | Domain (Encoded) | %O | DomainGroup ID |
| %E | Parameter | %o | Company ID |
| %e | Parameter (Encoded) | %P | Pattern Name |
| %F / %f | Agent Name | %p | Pattern Name (Encoded) |
| %G | Pattern Group | %R / %r | RiskLevel |
| %g | Pattern Group (Encoded) | %S / %s | Manager IP (Agent Only) |
| %H | HttpHeader | %T / %t | LogDate |
| %h | HttpHeader (Encoded) | %U | URL |
| %I / %i | Attacker IP | %u | URL (Encoded) |
| %J / %j | Agent ID | %X / %x | Agent IP (Server Only) |
| %y | Pattern ID | %Z / %z | Detail Log URL (Server Only) |
Configuration Example
deepfinder: AlertLog|logDate:%T|Manager IP:%S|CompanyName:%C|AID:%J|InstanceID:%N|Attack IP:%I|Domain:%D|Log Type:%L|Pattern Grp:%G|Pattern Nm:%P|Action:%A|Risk Level:%R|URL:%U|Parameters:%E|Detect Msg:%M|Httpbody:%B|Httpheader:%H
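A SIEM receiving these lines needs to turn the configured logformat back into fields. The following Python snippet is an added example, not code shipped with DeepFinder: it compiles a logformat string (the configuration example above, by default) into a regular expression, naming each %-variable after the definition table, and parses a constructed sample line. The field names, the sample values and the treatment of lower-case letters (an "_encoded" suffix where the table lists a separate encoded variant) are this example's assumptions; the page does not specify the encoding used for the lower-case variables, so no decoding is attempted.

```python
import re

# Detection log format taken from the page's configuration example.
DEEPFINDER_LOGFORMAT = (
    "deepfinder: AlertLog|logDate:%T|Manager IP:%S|CompanyName:%C|AID:%J|"
    "InstanceID:%N|Attack IP:%I|Domain:%D|Log Type:%L|Pattern Grp:%G|"
    "Pattern Nm:%P|Action:%A|Risk Level:%R|URL:%U|Parameters:%E|"
    "Detect Msg:%M|Httpbody:%B|Httpheader:%H"
)

# Field names for the format variables (from the variable definition table).
# Names are this example's choice; the product only defines the letters.
VARIABLE_NAMES = {
    "A": "action", "B": "http_body", "C": "company_name", "D": "domain",
    "E": "parameter", "F": "agent_name", "G": "pattern_group", "H": "http_header",
    "I": "attacker_ip", "J": "agent_id", "K": "country_code", "L": "log_type",
    "M": "detect_msg", "N": "instance_id", "O": "domain_group_id", "P": "pattern_name",
    "R": "risk_level", "S": "manager_ip", "T": "log_date", "U": "url",
    "X": "agent_ip", "Z": "detail_log_url",
}
# Lower-case letters that the table defines as their own field.
LOWER_ONLY = {"o": "company_id", "y": "pattern_id"}
# Lower-case letters the table lists together with the upper-case one ("%A / %a").
SAME_AS_UPPER = set("afijnrstxz")


def field_name(letter):
    """Map a format letter to a field name; other lower-case letters are the
    '(Encoded)' twin of the upper-case variable."""
    if letter in LOWER_ONLY:
        return LOWER_ONLY[letter]
    base = VARIABLE_NAMES.get(letter.upper(), "var_" + letter.upper())
    if letter.isupper() or letter in SAME_AS_UPPER:
        return base
    return base + "_encoded"


def compile_logformat(fmt):
    """Compile a logformat template into a regex. Literal text between variables
    is matched exactly and every %X becomes a named group. Groups are non-greedy,
    so a raw (un-encoded) value containing '|' only breaks parsing when it also
    contains the next literal delimiter; the last group runs to end of line."""
    pieces = re.split(r"%([A-Za-z])", fmt)  # [literal, letter, literal, ..., literal]
    pattern, seen = "^", {}
    for i, piece in enumerate(pieces):
        if i % 2 == 0:
            pattern += re.escape(piece)
            continue
        name = field_name(piece)
        seen[name] = seen.get(name, 0) + 1
        if seen[name] > 1:  # a letter used twice would give a duplicate group name
            name = "%s_%d" % (name, seen[name])
        pattern += "(?P<%s>.*?)" % name
    return re.compile(pattern + "$", re.DOTALL)


def parse_detection_log(line, fmt=DEEPFINDER_LOGFORMAT):
    """Return the detection log fields as a dict, or None if the line does not
    match the configured format (for example a SystemLog or AuditLog line)."""
    match = compile_logformat(fmt).match(line.rstrip("\r\n"))
    return match.groupdict() if match else None


# Constructed sample line in the format above (not captured from a real system).
# The header field deliberately contains '|' to show that the last, un-encoded
# field still parses, which is why raw %B/%H belong at the end of a format.
SAMPLE_DETECTION_LINE = (
    "deepfinder: AlertLog|logDate:2024-01-15 10:22:31|Manager IP:10.0.0.5|"
    "CompanyName:Example Corp|AID:17|InstanceID:i-0abc|Attack IP:203.0.113.9|"
    "Domain:www.example.com|Log Type:DETECT|Pattern Grp:SQL Injection|"
    "Pattern Nm:UNION SELECT|Action:DENY|Risk Level:High|URL:/search|"
    "Parameters:q=1|Detect Msg:pattern matched|Httpbody:|"
    "Httpheader:Host: www.example.com|User-Agent: curl/8.0"
)

if __name__ == "__main__":
    for key, value in parse_detection_log(SAMPLE_DETECTION_LINE).items():
        print("%-16s %s" % (key, value))
```

If the format places a raw body or header in the middle of the line, prefer the encoded variants (%b, %h) there, since a value that happens to contain the next literal delimiter would shift every following field.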
Event Log
Logs recording DeepFinder system status and Agent status changes.
| Log Keyword | Description |
|---|---|
| DeepFinder: SystemLog\|Server_Start | Server process start |
| DeepFinder: SystemLog\|Server_Stop | Server process stop/terminate |
| DeepFinder: SystemLog\|Auto_Add_Agent | Agent auto-scaling (Scale out) |
| DeepFinder: SystemLog\|Add_Agent | New Agent registration |
| DeepFinder: SystemLog\|Agent_Connected | Agent connected |
| DeepFinder: SystemLog\|Agent_Disconnected | Agent disconnected |
| DeepFinder: SystemLog\|Agent_Error | Agent error occurred (see details) |
| DeepFinder: SystemLog\|Threshold_CPU | CPU threshold exceeded |
| DeepFinder: SystemLog\|Threshold_MEM | Memory threshold exceeded |
| DeepFinder: SystemLog\|Threshold_DISK | Disk threshold exceeded |
| DeepFinder: SystemLog\|Filter_Down | Web filter log reception stopped (for a certain period) |
Agent_Error Types
- When a dump file is created in the DeepFinder log directory
- When an error related to the Agent internal DB (sqlite3) occurs
- Windows: IIS related errors (w3wp.exe error in the Application log, WAS error/warning in the System log)
- Linux: when a segmentation fault occurs in Apache/Nginx
Detailed Event Log Examples
Agent Added
DeepFinder: SystemLog|Add_Agent|Agent ID:%d|Agent IP:%s|Instance ID:%s|Company ID:%d|DomainGroup ID:%d|Agent Name:%s|Msg:Agent Added
DeepFinder: SystemLog|Auto_Add_Agent|Agent ID:%d|Agent IP:%s|Instance ID:%s|Company ID:%d|DomainGroup ID:%d|Agent Name:%s|Msg:Agent Auto Added (Scale out)
License Overflow
DeepFinder: SystemLog|%s_Error|%s ID:%d|%s IP:%s|Instance ID:%s|Msg:License MaxAgent over
Connection Status Change
DeepFinder: SystemLog|Agent_Connected|Agent ID:%d|Agent IP:%s|Instance ID:%s|Company ID:%d|DomainGroup ID:%d|Agent Name:%s|Msg:Agent Connected
DeepFinder: SystemLog|Agent_Disconnected|Agent ID:%d|Agent IP:%s|Instance ID:%s|Company ID:%d|DomainGroup ID:%d|Agent Name:%s|Msg:Agent Disconnected
Filter Down
DeepFinder: SystemLog|Filter_Down|Agent ID:%d|Agent IP:%s|Instance ID:%s|Company ID:%d|DomainGroup ID:%d|Agent Name:%s|Msg:Msg:Filter Check : no log. more than 20 min
Agent Resource Threshold
DeepFinder: SystemLog|Threshold_CPU|Agent ID:%d|Agent IP:%s|Instance ID:%s|Company ID:%d|DomainGroup ID:%d|Agent Name:%s|Msg:CPU Usage : %d >= %d
DeepFinder: SystemLog|Threshold_MEM|Agent ID:%d|Agent IP:%s|Instance ID:%s|Company ID:%d|DomainGroup ID:%d|Agent Name:%s|Msg:MEM Usage : %d >= %d
Server Status
DeepFinder: Server_Status|Server ID:%d|License Expire:%s|License Max:%d|Total Agent:%d|Online Agent:%d|Msg:Agent Status
System Errors and Process Status
System Monitoring (DB/API Check)
# DB connection failure
DeepFinder: SystemLog|Manager_monitor|Msg: Check Postgres DB (Server IP)
# System normal
DeepFinder: SystemLog|Manager_monitor|Msg: System check completed. All systems are normal. (check serverIP:(Server IP))
# API server unresponsive (in HA config)
DeepFinder: SystemLog|Manager_monitor|Msg: No response from (HA IP) API server.
Process Down
# Server Process
DeepFinder: SystemLog|Server_Error|Msg:Process dfserver MASTER not found (Server IP)
deepfinder: SystemLog|Server_Stop|Server ID:101|Msg:Main Server Stop
deepfinder: SystemLog|Server_Stop|Server ID:101|Msg:Worker Server Stop (10016)
# Postgres
deepfinder: SystemLog|Server_Error|Server ID:101|Msg:Postgresql connect failed
# ElasticSearch
deepfinder: AuditLog|Admin ID:SYSTEM|LogTime:2023-05-02 13:39:10.438067|Msg:dfserver__ElasticSearch down
DeepFinder: SystemLog|Server_Error|Msg:Process dfserver ELASTICSEARCH not found (Server IP)
Manager Resource Threshold Exceeded (10s cycle)
# CPU
deepfinder: SystemLog|Manager_monitor|Msg:cpu threshold reached(10 <= 16.9 Server IP)
# Memory
deepfinder: SystemLog|Manager_monitor|Msg:mem threshold reached(10 <= 77.3 Server IP)
# Disk
deepfinder: SystemLog|Manager_monitor|Msg:DISK threshold reached(/,10 <= 20 Server IP)
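The event formats in the Event Log section above and the monitoring messages just listed share one shape: a "DeepFinder: " prefix, a log class, usually a keyword, and "Key:Value" pairs separated by "|". The Python below is an added example, not DeepFinder code, that parses that shape and assigns each event a severity for SIEM routing: process and filter outages are treated as high, disconnects and resource thresholds as medium, everything else as informational. The severity scheme, the sample lines and the IP/agent values are constructed for this example; the threshold message layouts ("CPU Usage : %d >= %d" for agents, "threshold reached(limit <= usage Server IP)" for the manager) follow the page's own examples.

```python
import re

# Constructed sample lines, written to the event formats shown on the page.
SAMPLE_EVENTS = [
    "DeepFinder: SystemLog|Server_Start",
    "DeepFinder: SystemLog|Agent_Disconnected|Agent ID:17|Agent IP:10.0.1.23|Instance ID:i-0abc|"
    "Company ID:3|DomainGroup ID:12|Agent Name:web-01|Msg:Agent Disconnected",
    "DeepFinder: SystemLog|Threshold_CPU|Agent ID:17|Agent IP:10.0.1.23|Instance ID:i-0abc|"
    "Company ID:3|DomainGroup ID:12|Agent Name:web-01|Msg:CPU Usage : 93 >= 80",
    "DeepFinder: SystemLog|Filter_Down|Agent ID:17|Agent IP:10.0.1.23|Instance ID:i-0abc|"
    "Company ID:3|DomainGroup ID:12|Agent Name:web-01|Msg:Msg:Filter Check : no log. more than 20 min",
    "DeepFinder: SystemLog|Server_Error|Msg:Process dfserver MASTER not found (10.0.0.5)",
    "deepfinder: SystemLog|Manager_monitor|Msg:mem threshold reached(10 <= 77.3 10.0.0.5)",
    "deepfinder: SystemLog|Manager_monitor|Msg: System check completed. All systems are normal. "
    "(check serverIP:(10.0.0.5))",
]

# Agent messages read "CPU Usage : <usage> >= <limit>".
AGENT_THRESHOLD = re.compile(r"(\d+(?:\.\d+)?)\s*>=\s*(\d+(?:\.\d+)?)")
# Manager messages read "<res> threshold reached(<limit> <= <usage> ...)", with an
# optional "<mount>," before the numbers for DISK.
MANAGER_THRESHOLD = re.compile(r"(\w+) threshold reached\((?:[^,]*,)?(\d+(?:\.\d+)?) <= (\d+(?:\.\d+)?)")


def parse_event(line):
    """Split 'DeepFinder: <class>|<keyword>|Key:Value|...' into a dict.
    Returns None for lines that do not carry the DeepFinder prefix."""
    prefix, sep, rest = line.strip().partition(": ")
    if prefix.lower() != "deepfinder" or not sep:
        return None
    parts = rest.split("|")
    event = {"log_class": parts[0], "keyword": None, "fields": {}}
    body = parts[1:]
    if body and ":" not in body[0]:  # a bare token after the class is the keyword
        event["keyword"], body = body[0], body[1:]
    for part in body:
        key, _, value = part.partition(":")  # split on the first ':' only (LogTime, Msg)
        event["fields"][key.strip()] = value.strip()
    return event


def classify_event(event):
    """Return (severity, summary) for one parsed event. Severities are this
    example's assumption; the product does not define any."""
    kw, fields = event["keyword"], event["fields"]
    msg = fields.get("Msg", "")
    agent = fields.get("Agent Name") or fields.get("Agent IP") or "manager"
    if kw in ("Server_Error", "Server_Stop", "Agent_Error"):
        return "high", "%s: %s" % (kw, msg) if msg else kw
    if kw == "Filter_Down":
        return "high", "%s: web filter logs stopped (%s)" % (agent, msg)
    if kw == "Agent_Disconnected":
        return "medium", "%s: agent disconnected" % agent
    if kw and kw.startswith("Threshold_"):
        m = AGENT_THRESHOLD.search(msg)
        if not m:
            return "medium", "%s: %s: %s" % (agent, kw, msg)
        usage, limit = float(m.group(1)), float(m.group(2))
        return "medium", "%s: %s usage %g >= %g" % (agent, kw[len("Threshold_"):], usage, limit)
    if kw == "Manager_monitor":
        m = MANAGER_THRESHOLD.search(msg)
        if m:
            return "medium", "manager %s usage %g >= %g" % (m.group(1), float(m.group(3)), float(m.group(2)))
        if "No response" in msg or "Check Postgres" in msg:
            return "high", msg
        return "info", msg
    return "info", "%s: %s" % (kw or event["log_class"], msg) if msg else (kw or event["log_class"])


def triage(lines):
    """Parse and classify a batch of lines, skipping non-DeepFinder input."""
    results = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            results.append(classify_event(event))
    return results


if __name__ == "__main__":
    for severity, summary in triage(SAMPLE_EVENTS):
        print("[%-6s] %s" % (severity, summary))
```

Server_Status lines (L87 above) carry no keyword, so they land in the informational branch with their "Server_Status" class as the label; a SIEM rule that wants license headroom would read "License Max" and "Total Agent" from the parsed fields instead.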
Audit Log
Records administrator activity history.
Console Login/Logout
DeepFinder: AuditLog|Admin ID:2|LogTime:2022-03-26 17:59:48.679505|Msg:ID: admin Login Success
# Example
ID: test Login Success
ID: test Logout
Policy Change
DeepFinder: AuditLog|Admin ID:2|LogTime:2022-03-26 17:48:26.846183|Msg:DomainGroup ID [12] information changed.(Group Name:AuditLog>AuditLog, Version:>, Type:iis>iis, Mode:RUN>RUN, Description:>, Default Policy:low>low, Default Action:DETECT>DENY)
Template Registration
DeepFinder: AuditLog|Admin ID:2|LogTime:2022-03-26 17:49:25.331096|Msg:Security Pattern - Template registered.(Group ID: 1018, Name: This is a test., Risk: High, Pattern: test)
# Example
Security Pattern - Template group registered.(Group ID: 1001, Name: TEST Pattern Group, Risk: Low, Type:REQUEST, Description:)
Security Pattern - Template registered.(Group ID: 1001, Name: TEST, Risk: Low, Pattern: aaa)