Stream event data to a SIEM/SOC or other destination

Reblaze integrates with a wide range of SIEM (Security Information and Event Management) and SOC (Security Operations Center) solutions. Most of our enterprise clients stream Reblaze events to their SOC platform, such as ArcSight, RSA, IBM, and Splunk.

Event streaming is done by creating one or more Log Exporters via the API.

Each active Log Exporter streams events continually, in near-real time. (Reblaze gathers events for a few seconds, or until a certain amount of data has been accumulated, and then sends them all together. The latency between the actual events occurring and their receipt at the destination will generally be less than 30 seconds.)

Data streaming

Reblaze sends logs using the Syslog RFC 5424 protocol.

The available transport protocols are:

  • TCP

  • TCP + TLS (requires SSL certificate)

  • UDP (not MVP)

Data format

By default, event messages are only sent for requests blocked by Reblaze.

The following requests are not included in the event stream:

  • Requests passed by Reblaze (unless the Log Exporter is in "all" mode)

  • Requests challenged by Reblaze, but not blocked

  • Requests blocked by the origin

Each line is structured as follows:

<PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

...with these fields:

Each message body contains the following fields, separated by spaces, in the order shown. Strings are enclosed in double quotes.
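The RFC 5424 line layout above can be consumed on the receiving side with a small parser. The following is an added example, not code from Reblaze or its documentation: it splits the header fields, decodes STRUCTURED-DATA (including the nil value `-` and escaped quotes inside parameter values), and tokenizes a space-separated, double-quoted message body. The sample lines, the hostname, the `req@32473` / `meta@32473` SD-IDs (32473 is the enterprise number reserved for examples) and the body fields are all constructed for illustration and do not reflect Reblaze's actual field list.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 5424 HEADER: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    version: int
    timestamp: str
    hostname: str
    appname: str
    procid: str
    msgid: str
    structured_data: Dict[str, Dict[str, str]]
    msg: Optional[str]


def _parse_structured_data(rest: str):
    """Parse STRUCTURED-DATA at the start of `rest`; return (dict, remainder)."""
    if rest.startswith("-"):          # NILVALUE: no structured data
        return {}, rest[1:]
    sd: Dict[str, Dict[str, str]] = {}
    pos = 0
    while pos < len(rest) and rest[pos] == "[":
        pos += 1
        end = pos
        while end < len(rest) and rest[end] not in " ]":
            end += 1
        sd_id = rest[pos:end]
        params: Dict[str, str] = {}
        pos = end
        while rest[pos] == " ":        # SD-PARAM: name="value"
            pos += 1
            eq = rest.index("=", pos)
            name = rest[pos:eq]
            if rest[eq + 1] != '"':
                raise ValueError("SD-PARAM value must be double-quoted")
            pos = eq + 2
            buf = []
            while True:
                ch = rest[pos]
                # RFC 5424 escapes '"', '\' and ']' inside PARAM-VALUE with a backslash
                if ch == "\\" and pos + 1 < len(rest) and rest[pos + 1] in '"\\]':
                    buf.append(rest[pos + 1])
                    pos += 2
                    continue
                if ch == '"':
                    pos += 1
                    break
                buf.append(ch)
                pos += 1
            params[name] = "".join(buf)
        if rest[pos] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
        sd[sd_id] = params
    return sd, rest[pos:]


def parse_syslog(line: str) -> SyslogEvent:
    """Parse one RFC 5424 syslog line into its header, structured data and MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri = int(m.group("pri"))
    sd, remainder = _parse_structured_data(line[m.end():])
    msg = remainder[1:] if remainder.startswith(" ") else remainder
    msg = msg.lstrip("\ufeff") or None   # MSG may carry a UTF-8 BOM; empty MSG -> None
    return SyslogEvent(
        facility=pri >> 3, severity=pri & 0x07, version=int(m.group("version")),
        timestamp=m.group("timestamp"), hostname=m.group("hostname"),
        appname=m.group("appname"), procid=m.group("procid"),
        msgid=m.group("msgid"), structured_data=sd, msg=msg,
    )


def split_message_body(msg: str):
    """Split a body of space-separated fields whose strings are double-quoted."""
    return shlex.split(msg)


# Constructed sample lines (hypothetical values, not real Reblaze output).
SAMPLE_LINE = ('<134>1 2023-04-01T12:00:00.000Z waf-node-1 reblaze - block '
               '[req@32473 ip="203.0.113.7" path="/login" reason="rate limit"] '
               '"203.0.113.7" "GET" "/login" 403')
SAMPLE_ESCAPED = r'<131>1 2023-04-01T12:00:05Z waf-node-2 reblaze 4242 block [meta@32473 ua="curl/8.0 \"test\""]'
```

A receiver should treat the header as authoritative for routing (severity, MSGID) and keep the structured data and body separate, since the body format is specific to the exporter while the header is standard across every RFC 5424 source in the SIEM.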
