If you use Splunk or another log management tool, you can export the alert logs from our WAF directly to it via syslog (UDP). This option is only available to customers on the Enterprise plan; contact your account manager if you wish to enable it.
To get started, go to your Splunk dashboard and set up a new data input (under Settings->Data Input). There, choose a UDP input and create a new listener on any port you wish. This document from Splunk explains how to do so:
Receiving Sucuri Events
Once you have your Splunk dashboard configured, you need to contact our support team or account manager and provide them with the following information:
- IP address of your Splunk server
- UDP port chosen
- Sites you wish to have the alerts forwarded
We will configure the forwarder on our end within 24 hours and start sending the alerts to your server. We will also provide our IP address so you can allow it; every other source should be blocked on that specific listener.
The alerts will be sent in syslog format, following the OSSEC alert structure:
Mar 4 13:49:29 SOURCEIP Mar 4 13:52:22 hostname ossec: Alert Level: 5; Rule: 100222 - Web server 400 error code (via POST).; Location: edgeserver->/var/log/nginx/domain.access.log; srcip: 188.8.131.52 / Country; 184.108.40.206 - - [04/Mar/2016:13:49:26 -0500] "POST / HTTP/1.1" 404 357 "http://domain" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
This format can be easily parsed on Splunk's end.
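One way to extract the fields from an alert in this format, for example to filter by alert level before indexing, as an added example (not Sucuri's or Splunk's code). The field layout is inferred from the single sample alert above, and the names `parse_alert`, `ALERT_RE` and `REQUEST_RE` are hypothetical.

```python
import re

# Field layout inferred from the one sample alert on this page (an assumption;
# other alert types may carry additional "key: value;" fields).
ALERT_RE = re.compile(
    r"ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?:srcip: (?P<srcip>\S+)(?: / (?P<country>[^;]*))?; )?"
    r"(?P<raw_log>.*)$"
)
# Request line and status code of the access-log entry embedded at the end.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    # search() takes the leftmost header, so header-like text placed in the
    # request (path, referrer, user agent) cannot override the real fields.
    m = ALERT_RE.search(line.strip())
    if m is None:
        return None  # a UDP listener can receive unrelated datagrams
    alert = m.groupdict()
    alert["level"] = int(alert["level"])
    alert["rule_id"] = int(alert["rule_id"])
    # The raw log contains "; " inside the user agent, so it is never split on ";".
    req = REQUEST_RE.search(alert["raw_log"])
    if req:
        alert.update(method=req["method"], path=req["path"], status=int(req["status"]))
    return alert


# Sample alert copied from this page.
SAMPLE = (
    'Mar 4 13:49:29 SOURCEIP Mar 4 13:52:22 hostname ossec: Alert Level: 5; '
    'Rule: 100222 - Web server 400 error code (via POST).; '
    'Location: edgeserver->/var/log/nginx/domain.access.log; '
    'srcip: 188.8.131.52 / Country; '
    '184.108.40.206 - - [04/Mar/2016:13:49:26 -0500] "POST / HTTP/1.1" 404 357 '
    '"http://domain" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 '
    '(KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"'
)

if __name__ == "__main__":
    print(parse_alert(SAMPLE))
```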