Base syslog guide | RS

Overview

Base Software 8.3 changes what the appliance forwards over syslog to a Security Information and Event Management (SIEM) platform, and how those events are structured:

Base security events are now structured JSON, aligned with the Open Cybersecurity Schema Framework (OCSF) 1.8.0, instead of the previous free-form text.

A new event type records each application connection the appliance accepts or rejects.

When a destination becomes unreachable, the appliance now retries every 10 seconds (previously value was 60), so forwarding resumes sooner after a network interruption.

Cloud-managed appliances forward the Security category only, over TLS. On-premises appliances additionally offer the HTTP and Auth categories, and UDP, BSD, and TLS transports.

🚧

Important information

For on-premises only, appliances can now forward web-server access logs and OS-level authentication events in addition to security events, using a new Log category setting per destination.

ℹ️

  • Syslog is the transport method the appliance uses to deliver events.
  • SIEM is the platform that typically consumes them. Not every forwarded message is JSON, for more information, see Message format.

Upgrade impact

When an appliance already forwarding to a syslog server is upgraded to Base Software 8.3, its Base security events change automatically, with no configuration change:

  • Facility and program tag change: From facility local0 / tag BG to facility user / tag user. You should update SIEM pipelines that route or filter on the old facility or tag to match the program name (tag) user where user here is the syslog program name, not an operating-system user.
  • The message body becomes JSON: Update SIEM parsing built on the previous text format.
  • Only Base security events are affected: Installed-application events keep their existing tag and format.
  • No new category is enabled by the upgrade: HTTP and Auth remain opt-in.

©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.