Base syslog guide | RS
Overview
Base Software 8.3 changes what the appliance forwards over syslog to a Security Information and Event Management (SIEM) platform, and how those events are structured:
Base security events are now structured JSON, aligned with the Open Cybersecurity Schema Framework (OCSF) 1.8.0, instead of the previous free-form text.
A new event type records each application connection the appliance accepts or rejects.
When a destination becomes unreachable, the appliance now retries every 10 seconds (previously value was 60), so forwarding resumes sooner after a network interruption.
Cloud-managed appliances forward the Security category only, over TLS. On-premises appliances additionally offer the HTTP and Auth categories, and UDP, BSD, and TLS transports.
Important informationFor on-premises only, appliances can now forward web-server access logs and OS-level authentication events in addition to security events, using a new Log category setting per destination.
- Syslog is the transport method the appliance uses to deliver events.
- SIEM is the platform that typically consumes them. Not every forwarded message is JSON, for more information, see Message format.
Upgrade impact
When an appliance already forwarding to a syslog server is upgraded to Base Software 8.3, its Base security events change automatically, with no configuration change:
- Facility and program tag change: From facility
local0/ tagBGto facilityuser/ taguser. You should update SIEM pipelines that route or filter on the old facility or tag to match the program name (tag)userwhereuserhere is the syslog program name, not an operating-system user. - The message body becomes JSON: Update SIEM parsing built on the previous text format.
- Only Base security events are affected: Installed-application events keep their existing tag and format.
- No new category is enabled by the upgrade: HTTP and Auth remain opt-in.
Updated 1 day ago