How to Configure the Syslog Collector

Learn how to send and analyze syslog data from your applications, systems, or devices directly into DigitalStakeout XTI for centralized monitoring.

The Syslog Collector in DigitalStakeout XTI allows you to forward syslogs from external applications, servers, and network devices directly into the platform. This feature supports centralized logging, operational insight, and real-time security analysis.


Use Cases

  • 🔐 Security Operations (SOC) — Ingest firewall, IDS/IPS, or endpoint logs for correlation
  • 🧠 Threat Detection — Spot anomalies and indicators of compromise in real time
  • 📋 Compliance Auditing — Retain logs for HIPAA, PCI-DSS, or ISO27001 audit readiness
  • ⚙️ Infrastructure Monitoring — Track events from routers, switches, and system daemons

Setup Overview

To activate syslog collection:

  1. Configure a Syslog Collector inside XTI
  2. Point your device or application to the collector endpoint
  3. Monitor and analyze incoming logs in the XTI Console

Step-by-Step Configuration

1. Create a New Collector

  • Navigate to Setup → Collectors
  • Click Add Collector
  • Select Syslog Collector

2. Define Settings

Field           Description
Collector Name  Name your collector for easy filtering (e.g., vpn_logs_1)
Status          Set to Enabled to start accepting data
Expires On      (Optional) Set a date to auto-deactivate the collector

After saving, XTI will generate the Syslog Endpoint Address you’ll use in your device or application config.


3. Configure the Sender (Device or App)

Set your device to forward syslogs to the XTI-provided endpoint. Common settings:

  • Protocol: UDP or TCP
  • Port: Provided by XTI
  • Syslog Format: RFC 3164 or RFC 5424 preferred

Example (Linux CLI, util-linux logger; sends over UDP unless -T is added):

logger -n YOUR_XTI_SYSLOG_HOST -P YOUR_PORT "Test log from server1"

Example (/etc/rsyslog.conf; a single @ forwards over UDP, use @@ for TCP):

*.* @YOUR_XTI_SYSLOG_HOST:YOUR_PORT

Ensure your network allows outbound traffic to the collector endpoint.
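As an added example (not DigitalStakeout's own code), the following Python script does what the logger and rsyslog lines above do, but also shows the RFC 5424 message it builds, decodes the PRI field into the facility and severity that the Console displays, and round-trips a line through a loopback UDP listener so the sender can be checked before it is pointed at the real endpoint. The host and port in the final comment, YOUR_XTI_SYSLOG_HOST and YOUR_PORT, are placeholders for the endpoint XTI generates.

```python
import socket
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1 (subset).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_rfc5424(msg, facility="user", severity="info",
                  hostname="server1", app="xti-test", ts=None):
    """Return one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    # PROCID, MSGID and STRUCTURED-DATA are sent as the NILVALUE "-".
    return f"<{pri}>1 {stamp} {hostname} {app} - - - {msg}"

def decode_pri(line):
    """Split the PRI field into (facility, severity), as a collector does to show severity."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8

def send(line, host, port, tcp=False):
    """Forward one line over UDP (rsyslog '@') or TCP (rsyslog '@@').
    TCP uses LF-terminated framing, the default of rsyslog's TCP forwarder."""
    data = (line + "\n").encode("utf-8")
    if tcp:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    return len(data)

def loopback_check(line):
    """Send `line` to a throwaway UDP listener on 127.0.0.1 and return what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)
        send(line, "127.0.0.1", srv.getsockname()[1])
        return srv.recv(4096).decode("utf-8").rstrip("\n")

if __name__ == "__main__":
    msg = build_rfc5424("Test log from server1", facility="auth", severity="notice")
    print(loopback_check(msg), decode_pri(msg))
    # Real delivery (placeholders): send(msg, "YOUR_XTI_SYSLOG_HOST", YOUR_PORT, tcp=False)
```

If the loopback line arrives but nothing shows in the Console, the problem is between the sender and the endpoint (firewall, port, or the UDP/TCP choice), not the message format.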


Log Analysis in XTI

Each syslog event appears in the Console with:

  • Timestamp
  • Source IP or hostname
  • Severity level
  • Parsed message content
  • Linked tags and alerts (if configured)

Use filters to pivot on IP, tags, severity, or custom fields.


Best Practices

  • 🧩 Tag your collectors by system type, site, or risk category
  • 🔐 Restrict sender IPs using firewall rules for secure delivery
  • 🔄 Rotate collectors when decommissioning assets or systems
  • 📊 Correlate with feeds using Keyword Feed or Presence Feed for enriched alerts
  • Test setup with test log lines or controlled event triggers before go-live

Compliance & Responsibility

You are responsible for ensuring that logs sent to DigitalStakeout do not violate any internal or external privacy or regulatory requirements.

  • Do not forward unauthorized or personal data unless legally approved
  • Maintain access controls on log-producing systems
  • Validate retention policies to ensure compliance with organizational requirements

Example Scenarios

  • Forward UTM logs from Fortinet or Palo Alto to detect blocked IP attempts
  • Aggregate syslogs from Linux servers into XTI for centralized visibility
  • Pipe web server logs for keyword alerting and external abuse patterns
  • Monitor VPN connections or auth events for anomaly detection

Want to explore integration with third-party SIEMs or cloud firewalls?
(Contact your DigitalStakeout administrator or support for Syslog integration best practices.)