Syslog
Integrating Keeper SIEM push to standard Syslog endpoints
Keeper supports event streaming into standard TCP Syslog collectors. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Syslog Push
Keeper supports a standard "Syslog" push capability over TCP.
Ports
TCP Ports 514 and 6514 (TLS)
Fields Exported
"audit_event", "username", "client_version", "remote_address", "channel", "result_code", "email", "to_username", "client_version_new", "username_new", "file_format", "record_uid", "folder_uid", "folder_type", "shared_folder_uid", "attachment_id", "team_uid", "role_id"
Example Payload
<165>1 2022-10-13T21:05:51.996Z keepersecurity.com keeper - - - {"record_uid":"XXX","audit_event":"fast_fill","remote_address":"12.34.56.78","category":"usage","client_version":"Browser Extensions.16.4.7","username":"[email protected]","enterprise_id":123456}
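A collector-side parser for the payload format shown above, as an added example that is not Keeper's code: it splits the RFC 5424 header, decodes the JSON body and rejects lines that do not fit. The function name, the placeholder username in the sample, and the assumptions that the structured-data field is always `-` and that every event carries `audit_event` are not from the page.

```python
import json
import re
from datetime import datetime

# Constructed sample: the page's example payload with a placeholder username.
SAMPLE = (
    '<165>1 2022-10-13T21:05:51.996Z keepersecurity.com keeper - - - '
    '{"record_uid":"XXX","audit_event":"fast_fill",'
    '"remote_address":"12.34.56.78","category":"usage",'
    '"client_version":"Browser Extensions.16.4.7",'
    '"username":"user@example.com","enterprise_id":123456}'
)

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# Assumption: structured data is always the nil value "-", as in the sample.
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) - (?P<msg>.*)$",
    re.DOTALL,
)


def parse_keeper_syslog(line):
    """Return header fields and the decoded JSON event; raise ValueError if malformed."""
    m = _LINE.match(line.strip())
    if m is None:
        raise ValueError("not an RFC 5424 line with nil structured data")
    pri = int(m["pri"])
    if pri > 191:  # highest valid PRI is facility 23, severity 7
        raise ValueError("PRI out of range")
    try:
        event = json.loads(m["msg"])
    except json.JSONDecodeError as exc:
        raise ValueError(f"message body is not JSON: {exc}") from exc
    # Assumption: every Keeper event carries an audit_event field.
    if not isinstance(event, dict) or "audit_event" not in event:
        raise ValueError("JSON body has no audit_event field")
    return {
        "facility": pri >> 3,   # 165 -> 20 (local4)
        "severity": pri & 7,    # 165 -> 5 (notice)
        "timestamp": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "hostname": m["host"],
        "app_name": m["app"],
        "event": event,
    }
```

Rejected lines raise `ValueError`, so a collector can count or quarantine them instead of silently indexing malformed input.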
Important: Ensure that the endpoint uses a valid, signed SSL certificate whose subject name matches the endpoint's domain. The certificate must also include the full certificate chain from your CA. Keeper's systems will refuse to connect to an endpoint that presents a self-signed certificate.
Also, ensure that your syslog server allows traffic from Keeper servers. See the Firewall Configuration page.