If you're having trouble at any stage please contact us at email@example.com.
Compatible with SkyFormation App Version
This guide is compatible with SkyFormation App version 2.1.22 (see Get Your SkyFormation App Version). If you are using an older version of SkyFormation, we highly recommend updating to the latest one.
The purpose of this guide is to detail the steps you should take to add a SIEM to the SkyFormation platform.
1. Go to SETTINGS -> SIEM INTEGRATION and press "ADD SIEM".
2. Fill in the SIEM parameters as follows:
- Give this SIEM a friendly name that you can later use to refer to it.
- The SIEM IPv4 address or DNS name.
- The port on which the SIEM receives the SkyFormation syslog events.
- The protocol to be used for the syslog channel with the SIEM (TCP/UDP/TLS).
- Message Format
According to your SIEM requirements, choose the syslog specification to be used. Use the default, RFC 5424, unless the deprecated RFC 3164 is required.
For RSA NetWitness use the "RFC 3164 SHORT" option.
- Activate (only for single-tenant mode)
When SkyFormation is used in single-tenant mode, it offers to activate the newly added SIEM automatically by attaching it to the default tenant. If you do not want to use the newly added SIEM yet, change this to NO.
3. Press "TEST CONNECTION" to send a test syslog event to the configured SIEM.
You should see the indication below if the SIEM configuration is correct and the target SIEM has accepted the test event (this acceptance indication is only meaningful for TCP/TLS).
To double-check, you can also search your SIEM for a syslog/CEF event where:
cef_name = "Skyformation-test SIEM settings event"
4. Press SAVE
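To verify the receiving side of the channel described in step 3, the following Python example, added here and not part of SkyFormation's own code or this guide, parses a syslog line in either the RFC 5424 or the RFC 3164 framing, splits the embedded CEF record into its header fields (honouring the CEF escapes for pipes and backslashes), and checks whether the CEF name is the test-event name given above. The sample lines are constructed; their vendor, product, version and signature-id header fields are labelled placeholders, and the names SAMPLE_RFC5424, SAMPLE_RFC3164 and receive_one_event are this example's own. receive_one_event is a stand-in TCP listener you can run on the SIEM's host and port before pointing SkyFormation at the real SIEM, which is the practical check when UDP is chosen, since no acceptance indication exists for UDP and only the SIEM-side search can confirm delivery.

```python
import re
import socket
from typing import Dict, Tuple

# The CEF name carried by SkyFormation's "TEST CONNECTION" event, per the guide.
TEST_EVENT_NAME = "Skyformation-test SIEM settings event"

# Constructed sample lines (not captured from a real SkyFormation instance).
# Vendor/product/version/signature-id header fields are placeholders.
SAMPLE_RFC5424 = (
    "<14>1 2024-01-01T12:00:00Z skyformation-host SkyFormation - - - "
    "CEF:0|PLACEHOLDER-VENDOR|PLACEHOLDER-PRODUCT|0.0|PLACEHOLDER-ID|"
    "Skyformation-test SIEM settings event|3|msg=test"
)
SAMPLE_RFC3164 = (
    "<14>Jan  1 12:00:00 skyformation-host SkyFormation: "
    "CEF:0|PLACEHOLDER-VENDOR|PLACEHOLDER-PRODUCT|0.0|PLACEHOLDER-ID|"
    "Skyformation-test SIEM settings event|3|msg=test"
)

# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$", re.S)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)
_CEF_HEADER = ("cef_version", "device_vendor", "device_product",
               "device_version", "signature_id", "name", "severity")


def detect_syslog_format(line: str) -> Tuple[str, str]:
    """Return (framing name, MSG part) for an RFC 5424 or RFC 3164 syslog line."""
    line = line.rstrip("\r\n")
    m = _RFC5424.match(line)
    if m:
        return "RFC 5424", m.group("msg")
    m = _RFC3164.match(line)
    if m:
        return "RFC 3164", m.group("msg")
    raise ValueError("not a recognised syslog line")


def parse_cef(message: str) -> Tuple[Dict[str, str], str]:
    """Split a CEF record into its seven header fields plus the raw extension.

    Header fields are separated by '|'; a literal pipe or backslash inside a
    field is escaped as '\\|' or '\\\\', so a plain str.split('|') is wrong.
    """
    start = message.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in message")
    body = message[start + len("CEF:"):]
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < len(_CEF_HEADER):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # escape: keep the next char verbatim
            buf.append(body[i + 1])
            i += 2
        elif ch == "|":                         # unescaped pipe ends a header field
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != len(_CEF_HEADER):
        raise ValueError("truncated CEF header")
    return dict(zip(_CEF_HEADER, fields)), body[i:]


def is_test_event(line: str) -> bool:
    """True if this syslog line is SkyFormation's 'TEST CONNECTION' event."""
    _, msg = detect_syslog_format(line)
    header, _ = parse_cef(msg)
    return header["name"] == TEST_EVENT_NAME


def receive_one_event(port: int, host: str = "127.0.0.1", timeout: float = 60.0) -> str:
    """Stand-in TCP syslog receiver: accept one connection, return its first line.

    Run on the SIEM's host/port before pointing SkyFormation at the real SIEM
    to confirm the network path and the chosen message format. TCP syslog is
    treated as newline-delimited here; a UDP receiver would need recvfrom().
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        with conn, conn.makefile("r", encoding="utf-8", errors="replace") as f:
            return f.readline()


if __name__ == "__main__":
    for sample in (SAMPLE_RFC5424, SAMPLE_RFC3164):
        fmt, msg = detect_syslog_format(sample)
        header, ext = parse_cef(msg)
        kind = "test event" if is_test_event(sample) else "other event"
        print(fmt, "|", header["name"], "|", kind)
```

Feed `receive_one_event(<port>)` the same port you entered in step 2, press "TEST CONNECTION", and pass the returned line to `is_test_event`; a `ValueError` from `detect_syslog_format` usually means the Message Format chosen in SkyFormation does not match what the receiver expects.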