
Arina Cholee


How to use Syslog

If you need to forward SafeLine attack logs to a third-party server (a SIEM or log collector) in real time, use SafeLine's Syslog feature.

Enable Syslog

  1. Go to the System page in SafeLine.
  2. Configure the Syslog option and save the settings.

SafeLine Syslog sends messages over UDP in the RFC 5424 format. UDP delivery is neither acknowledged nor authenticated: messages can be lost under load, and the collector cannot verify who sent a datagram, so restrict the collector port to the WAF's address at the firewall and treat the syslog stream as a notification channel rather than as the authoritative copy of the attack log.

Testing the Configuration

After completing the Syslog configuration, click Test.

If the Syslog server receives a message like the following, the configuration is successful:

<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.

Reading this against RFC 5424: <30> is the PRI value (facility 3, daemon, times 8 plus severity 6, informational), 1 is the protocol version, then come the timestamp, the hostname (here the container ID 55ae65e87e75), the app name, the process ID 1, the message ID safeline_event, a "-" meaning no structured data, and finally the free-text message.

SafeLine Syslog Event Format Specification

SafeLine sends each event as a JSON object with rich event details. The example below is annotated; the // comments are explanations and are not part of the JSON that SafeLine emits. Many fields appear twice, once with a req_ prefix and once without; in this example both copies carry the same values. Note that cookie, req_header_raw and body contain the client's session cookie and raw request, so handle the stream as sensitive data:

{
  "scheme": "http",                 // URL scheme (http or https)
  "src_ip": "12.123.123.123",       // Source IP address
  "src_port": 53008,                // Source port
  "socket_ip": "10.2.71.103",       // Socket IP address
  "upstream_addr": "10.2.34.20",    // Upstream address
  "req_start_time": 1712819316749,  // Request start time
  "rsp_start_time": null,           // Response start time
  "req_end_time": 1712819316749,    // Request end time
  "rsp_end_time": null,             // Response end time
  "host": "safeline-ce.chaitin.net",// Host name
  "method": "GET",                  // Request method is GET
  "query_string": "",               // Query string
  "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",            // Event ID
  "session": "",                    // Session
  "site_uuid": "35",                // Site UUID
  "site_url": "http://safeline-ce.chaitin.net:8083",         // Site URL
  "req_detector_name": "1276d0f467e4",                       // Request detector name
  "req_detect_time": 286,           // Request detection time
  "req_proxy_name": "16912fe30d8f", // Request proxy name
  "req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",  // Request rule ID
  "req_location": "urlpath",        // Request location is URL path
  "req_payload": "",                // Request payload is empty
  "req_decode_path": "",            // Request decode path
  "req_rule_module": "m_rule",      // Request rule module is m_rule
  "req_http_body_is_truncate": 0,   // Whether the request body was truncated (0 = no)
  "rsp_http_body_is_truncate": 0,   // Whether the response body was truncated (0 = no)
  "req_skynet_rule_id_list": [      // Request Skynet rule ID list
    65595,
    65595
  ],
  "http_body_is_abandoned": 0,      // Whether the HTTP body was discarded (0 = no)
  "country": "US",                  // Country
  "province": "",                   // Province
  "city": "",                       // City
  "timestamp": 1712819316,          // Timestamp
  "payload": "",                    // Payload
  "location": "urlpath",            // Location is URL path
  "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",      // Rule ID
  "decode_path": "",                // Decode path
  "cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",          // Cookie
  "user_agent": "PostmanRuntime/7.28.4",                    // User agent
  "referer": "",                    // Referer
  "timestamp_human": "2024-04-11 15:08:36",                 // Human-readable timestamp
  "resp_reason_phrase": "",         // Response reason phrase
  "module": "m_rule",               // Module is m_rule
  "reason": "",                     // Reason
  "proxy_name": "16912fe30d8f",     // Proxy name
  "node": "1276d0f467e4",           // Node
  "dest_port": 8083,                // Destination port
  "dest_ip": "10.2.34.20",          // Destination IP address
  "urlpath": "/webshell.php",       // URL path
  "protocol": "http",               // Protocol is HTTP
  "attack_type": "backdoor",        // Attack type
  "risk_level": "high",             // Risk level
  "action": "deny",                 // Action
  "req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n",                      // Raw request header
  "body": "",                       // Body
  "req_block_reason": "web",        // Request block reason
  "req_attack_type": "backdoor",    // Request attack type
  "req_risk_level": "high",         // Request risk level
  "req_action": "deny"              // Request action
}
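The following is an added example, not SafeLine's own code: a small receiver that accepts the UDP datagrams, parses the RFC 5424 header of the connectivity-test message above, and decodes the JSON event format just described into a summary suitable for a SIEM. It assumes that the JSON object travels in the MSG part of the syslog line after the "-" structured-data field (the page shows only the test message with that framing), and that the WAF's source address for the allow-list is the socket_ip from the example, 10.2.71.103; the sample lines in the block are constructed from the fields shown on this page.

```python
"""Receiver-side parser for SafeLine Syslog events (added example, not SafeLine's code).

Assumptions, labelled here because the page does not state them:
  * the JSON event is carried in the MSG part of the RFC 5424 line, after the "-"
    structured-data field (the connectivity test carries plain text instead);
  * the WAF source address in the allow-list below is the page's socket_ip.
"""
import json
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Handles "-" or a single SD element, which is all the page's test line shows.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[[^\]]*\]) ?(?P<msg>.*)$",
    re.DOTALL,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Fields worth forwarding to a SIEM. cookie, req_header_raw and body are left out
# on purpose: they carry the session cookie and raw client input.
SUMMARY_KEYS = ("event_id", "timestamp_human", "src_ip", "country", "host", "method",
                "urlpath", "attack_type", "risk_level", "action", "rule_id", "module")


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    hostname: str
    appname: str
    msgid: str
    msg: str
    event: Optional[dict]   # parsed JSON payload, or None for non-JSON messages


def parse_syslog(line: str) -> SyslogMessage:
    """Split one RFC 5424 datagram into header fields and, if present, its JSON event."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line[:60]!r}")
    pri = int(m["pri"])
    if pri > 191:                       # facility 0..23 times 8, plus severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    msg = m["msg"]
    event = None
    if msg.startswith("{"):
        try:
            event = json.loads(msg)
        except json.JSONDecodeError:
            event = None                # keep the raw text rather than drop the datagram
    return SyslogMessage(pri >> 3, pri & 7, m["hostname"], m["appname"],
                         m["msgid"], msg, event)


def summarize(message: SyslogMessage) -> dict:
    """Reduce an event to the fields an analyst needs, without the sensitive ones."""
    if message.event is None:
        return {"msgid": message.msgid, "msg": message.msg}
    return {k: message.event.get(k) for k in SUMMARY_KEYS}


def is_blocked_attack(message: SyslogMessage) -> bool:
    return bool(message.event) and message.event.get("action") == "deny"


def serve(bind: str = "0.0.0.0", port: int = 514,
          allowed_sources: tuple = ("10.2.71.103",)) -> None:
    """Minimal UDP collector. Port 514 needs privileges; an unprivileged port such as
    5514 works too. UDP syslog is unauthenticated, so other sources are dropped."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        if src not in allowed_sources:
            continue
        try:
            message = parse_syslog(data.decode("utf-8", errors="replace"))
        except ValueError as exc:
            print("dropped:", exc)
            continue
        print(SEVERITIES[message.severity], summarize(message))


# Constructed samples. TEST_LINE is the page's connectivity-test message; EVENT_LINE
# wraps a subset of the page's example event in the same header (assumed framing).
TEST_LINE = ("<30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 "
             "safeline_event - Connectivity test requested.")
_SAMPLE_EVENT = {
    "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",
    "timestamp": 1712819316, "timestamp_human": "2024-04-11 15:08:36",
    "src_ip": "12.123.123.123", "src_port": 53008, "country": "US",
    "dest_ip": "10.2.34.20", "dest_port": 8083,
    "host": "safeline-ce.chaitin.net", "method": "GET", "urlpath": "/webshell.php",
    "attack_type": "backdoor", "risk_level": "high", "action": "deny",
    "module": "m_rule", "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
    "cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",
    "user_agent": "PostmanRuntime/7.28.4",
    "req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\n\r\n",
}
EVENT_LINE = ("<30>1 2024-04-11T15:08:36+08:00 55ae65e87e75 /matio/mario 1 "
              "safeline_event - " + json.dumps(_SAMPLE_EVENT))

if __name__ == "__main__":
    for line in (TEST_LINE, EVENT_LINE):
        parsed = parse_syslog(line)
        print(SEVERITIES[parsed.severity], is_blocked_attack(parsed), summarize(parsed))
```

Run the file directly to see both samples parsed; call serve(port=5514) to listen for real datagrams from the WAF (use the SafeLine Test button to send one). Malformed datagrams and JSON that fails to decode are reported rather than silently discarded, so a framing difference in your SafeLine version shows up immediately instead of as missing events.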

Official Website: https://ly.safepoint.cloud/eGtfrcF
Live Demo: https://ly.safepoint.cloud/DQywpL7
