System policy Syslog connector
Syslog connector is a special policy that writes the data collected according to the specified policy into the file /var/log/syslog.
This can be useful if you want to export data for integration with a SIEM or BI system for further analysis of the data aggregated in StaffCop.
By default, the Syslog connector policy is located in the section Filters -> Policies -> System policies.
This policy is disabled by default.
Open the settings of the policy to enable it, then specify the export parameters on the Filter tab.
For example, you can specify the Triggered filter - Incident as a parameter.
After this, when events are processed against this policy (every 5 minutes), events of this kind will be written to the file /var/log/syslog:
support@ubuntu:~$ grep -i staffcop /var/log/syslog
Jan 29 12:53:44 ubuntu staffcop: time="Jan 29 09:53:09" event="InterceptedFile" computer="NB0202" user="user" app="None" data="Clipboard.png"
Jan 29 12:57:52 ubuntu staffcop: time="Jan 29 09:57:28" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
Jan 29 12:57:52 ubuntu staffcop: time="Jan 29 09:57:26" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
Jan 29 12:59:38 ubuntu staffcop: time="Jan 29 09:59:11" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
Jan 29 12:59:38 ubuntu staffcop: time="Jan 29 09:59:10" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
Jan 29 12:59:38 ubuntu staffcop: time="Jan 29 09:59:08" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
Jan 29 12:59:38 ubuntu staffcop: time="Jan 29 09:59:06" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
Jan 29 12:59:38 ubuntu staffcop: time="Jan 29 09:59:03" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
This means that the Syslog connector policy has worked properly, and the collected data can now be exported with the syslog grabber of the SIEM or sent to a remote rsyslog server.
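If the SIEM or BI system does not split the key="value" payload of these records itself, the lines can be pre-parsed before forwarding. The following is an added example, not StaffCop's own code: it assumes the record shape shown above (a standard syslog prefix, the tag staffcop, and quoted fields named time, event, computer, user, app and data), it assumes values contain no embedded double quotes since the page does not document the connector's escaping rules, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape the Syslog connector writes, plus one
# unrelated line to show that non-staffcop records are skipped.
SAMPLE_LINES = """\
Jan 29 12:53:44 ubuntu staffcop: time="Jan 29 09:53:09" event="InterceptedFile" computer="NB0202" user="user" app="None" data="Clipboard.png"
Jan 29 12:57:52 ubuntu staffcop: time="Jan 29 09:57:28" event="InterceptedFile" computer="NB0202" user="user" app="snippingtool.exe" data="Clipboard.png"
Jan 29 12:57:52 ubuntu cron[123]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$'
)
# key="value" pairs; assumes no embedded double quotes in values
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return a dict of StaffCop fields for one syslog line, or None if the
    line is not a StaffCop connector record."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != "staffcop":
        return None
    fields = dict(KV_RE.findall(m.group("msg")))
    if "event" not in fields:
        return None
    # Keep the syslog-side metadata separate from the StaffCop payload:
    # "time" is when the agent saw the event, "_logged_at" is when the
    # connector wrote it (the page shows the two differ by minutes).
    fields["_host"] = m.group("host")
    fields["_logged_at"] = m.group("ts")
    return fields


def parse_lines(text):
    """Parse all StaffCop records in a block of syslog text."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def count_by(events, key):
    """Aggregate parsed events by one field, e.g. app or user."""
    return Counter(ev.get(key, "") for ev in events)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LINES)
    print(len(evs), "StaffCop records;", dict(count_by(evs, "app")))
```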