Syslog
OneWelcome supports two mechanisms to make events available to clients' systems:
- Syslog Event Publisher
- Event Report generation
Syslog Event Publisher Description
Events can be pushed to an external Syslog server or the Syslog compatible endpoint of a SIEM (Security Information and Event Management) solution. That server would be running locally on the customer's side and can aggregate events from different sources, one of which can be OneWelcome. The events that are exported through the Syslog Event Publisher are the same events that are used to populate the timelines that are part of the Self-Service UI and the Service Desk UI. These timelines may, however, filter on the event categories and event data. The Syslog Event Publisher applies no such filtering. This allows the external Syslog server or SIEM server to do analysis and reporting on a maximum set of information.
OneWelcome uses the Syslog protocol to push its events to a Syslog server. The characteristics of this integration are:
- Events are exported ('pushed') using the Syslog protocol over TCP (Transmission Control Protocol), UDP (User Datagram Protocol), or SSL/TCP.
- Events are exported in a JSON format (as specified by RFC 8259). NOTE: The format as specified by Syslog RFC 5424 is not supported.
- A VPN connection needs to be set up between the OneWelcome environment and the customer's network on which the Syslog server is running.
- The events contain personal information, and this data is not encrypted. Appropriate security measures must be taken by the customer to protect the users' privacy.
- To set up the Syslog feed, OneWelcome needs to know the target Syslog server's IP address, port number, and whether it should use TCP or UDP (the default setting for Syslog in general). The routing must also be adjusted so that communication between OneWelcome and the Syslog server goes via the VPN.
Event Report Generation Description
Events can be published as JSON files. Each day, OneWelcome generates a file containing the events of the previous day. The files can be accessed through a URL (e.g. '/files') which requires a username and a password. The files, which are encrypted, require an additional password for unzipping. The exported lists of event types and event attributes can be configured.
Event Description
About the events:
- OneWelcome supports a range of events in various event categories. The event categories reflect a functional breakdown of OneWelcome's functionality (the description of these functional areas can be found in the glossary).
- Every event has different event attributes (event data) depending on the event type.
- The presence of event attributes may also depend on the context in which the event was generated. Different events of the same event type may differ regarding the availability of event attributes.
- Different event types share event attributes, so events can be queried or filtered in the external Syslog server on similar event attribute values. The most common example is filtering on userId, but filtering on IP address is also enabled.
Compatibility guidelines:
- JSON may contain 'null' values. Future versions of OneWelcome will probably omit event attributes if no value is available. For compatibility reasons, OneWelcome advises against making any processing logic depend on the presence of attributes having a 'null' value.
- Future releases of OneWelcome may introduce new events and new event (sub)attributes. Any processing of OneWelcome's events should anticipate such changes so that it remains forward compatible. OneWelcome considers the introduction of these additional items as being 'backwards compatible'.
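The compatibility guidelines above, applied on the receiving side, as an added example (not OneWelcome code): a consumer that treats 'null' and absent attributes identically, keeps events of unknown types, and filters on userId. The attribute names eventType and ipAddress, the event type values and the one-JSON-object-per-line framing are assumptions; the sample lines are constructed.

```python
import json

# Assumptions for this example: one JSON object per received line, and the
# attribute names eventType and ipAddress. Only userId is named on this page.
KNOWN_TYPES = {"LOGIN_SUCCESS", "LOGIN_FAILURE"}  # hypothetical event types


def strip_nulls(value):
    """Drop null attributes recursively so null and absent look the same."""
    if isinstance(value, dict):
        return {k: strip_nulls(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [strip_nulls(v) for v in value]
    return value


def normalize(line):
    """Parse one line; return a dict, or None if it is not a JSON object."""
    start = line.find("{")  # assumption: a relay may prepend a header
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None  # one malformed message must not stop the ingest loop
    return strip_nulls(event) if isinstance(event, dict) else None


def events_for_user(lines, user_id):
    """Return (events for user_id, number of events with an unknown type)."""
    matches, unknown = [], 0
    for line in lines:
        event = normalize(line)
        if event is None:
            continue
        if event.get("eventType") not in KNOWN_TYPES:
            unknown += 1  # new event type: count it, never reject it
        if event.get("userId") == user_id:
            matches.append(event)
    return matches, unknown


# Constructed sample lines, not real OneWelcome output.
SAMPLE = [
    '{"eventType": "LOGIN_SUCCESS", "userId": "u-1", "ipAddress": "192.0.2.10"}',
    '{"eventType": "LOGIN_FAILURE", "userId": "u-1", "ipAddress": null}',
    '{"eventType": "NEW_KIND", "userId": "u-1", "extra": {"sub": null, "n": 1}}',
    "not json at all",
]
```

Reading attributes with `.get()` after `strip_nulls` means detection rules behave the same before and after OneWelcome starts omitting empty attributes.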