
Machine IP and Username Values from Endpoint Incident to SYSLOG

Created: 09 Jan 2013 | 2 comments

I have been looking around and do not see a way to send some important information from an endpoint incident via a syslog action in a response rule, namely the "Machine IP" and "User" fields.  There are a number of correlations I would like to setup in my SIEM based on these values, but I cannot find how to get them as part of the syslog message.

My current syslog message looks like this:


Does anyone have any ideas how this can be accomplished?


DLP Solutions2

When the syslog fires, are all of those populated?

more info:

You can also try the following; these are from the file, and they may or may not work. This may require you to have some Lookups configured to use them.

Also keep in mind the Custom Attributes; they might be able to be added to the syslog info too. You will need to experiment with this. I do know they can be used in an Email Response, so I would assume the same for a syslog response. They are called $ATTRIBUTE_24$ and $ATTRIBUTE_25$, which can be found when you mouse over the field in an incident.


incident info
message info
policy info
recipient info
    , where X is the unique index to distinguish between multiple recipients,
sender info
server info
monitor info
status info

Please make sure to mark this as a solution to your problem, when possible.

JN_CEC

All the variables are populated with the correct information.  I added both "$ATTRIBUTE_24$" and  "$ATTRIBUTE_25$" to the syslog message, but it is not populating any data.

I also tried to set up custom attributes in the past and was unsuccessful in getting the needed data.
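As an added check (not from the thread and not part of the DLP product), a small Python routine a SIEM engineer can run over received syslog lines to flag response-rule variables that were left unexpanded (a literal `$ATTRIBUTE_24$` arriving in the message) or emitted empty, which is the symptom described in the reply above. The key=value message layout, the field names and the sample lines are constructed assumptions for the example.

```python
import re

# Constructed sample lines: what a SIEM might receive from a DLP syslog
# response rule. The key=value layout and the field names are assumptions
# for this example, not the product's actual format.
SAMPLE_LINES = [
    "DLP incident=1001 policy=PCI severity=High machineip=10.0.0.5 user=alice",
    "DLP incident=1002 policy=PCI severity=High machineip=$ATTRIBUTE_24$ user=$ATTRIBUTE_25$",
    "DLP incident=1003 policy=HIPAA severity=Medium machineip= user=",
]

# A variable the response rule failed to substitute arrives as a literal
# $NAME$ token; a variable that had no value arrives as an empty field.
UNEXPANDED = re.compile(r"\$[A-Z0-9_]+\$")
KV = re.compile(r"(\w+)=(\S*)")


def parse_kv(line):
    """Return the key=value pairs of one syslog line as a dict."""
    return dict(KV.findall(line))


def check_line(line, required=("machineip", "user")):
    """Return the problems found in one line (empty list means healthy).

    A required field is reported when it is missing, empty, or still
    holds an unexpanded $VARIABLE$ token.
    """
    fields = parse_kv(line)
    problems = []
    for name in required:
        value = fields.get(name)
        if value is None:
            problems.append(f"{name}: missing")
        elif value == "":
            problems.append(f"{name}: empty")
        elif UNEXPANDED.fullmatch(value):
            problems.append(f"{name}: unexpanded variable {value}")
    return problems


def audit(lines):
    """Map incident id -> problems for every line that has at least one."""
    report = {}
    for line in lines:
        problems = check_line(line)
        if problems:
            report[parse_kv(line).get("incident", "?")] = problems
    return report


if __name__ == "__main__":
    for incident, problems in audit(SAMPLE_LINES).items():
        print(incident, "; ".join(problems))
```

Feed the check the raw messages your collector stores and alert on any hit: a populated feed that suddenly shows `$...$` tokens or empty machine/user fields usually means the template or a lookup changed, not that the endpoint stopped reporting.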