PT ISIM proView Sensor can be a source of messages sent to a syslog server on detection of new incidents. For this, you must specify the address and port of the syslog server to which PT ISIM proView Sensor will send messages, and select a transport protocol for transferring messages.
Incident messages have a severity level and the following format:
<node sending messages> : <incident date>:[incident severity level]:Created <incident ID> <incident name> incident at step <current incident step> <link to incident in web interface> <incident state> <incident start time> <IP address of incident source> <MAC address of incident source> <IP address of incident target> <MAC address of incident target> <incident group> <View Sensor node name> <incident update time> <incident type>
For example:
10.0.2.8 : 2021-11-24T08:48:11Z:[high]:Created `1171` `WannaCry activity detected` incident at step 1/1 `[https://10.0.2.8/#/incidents?id=1171]` `Open` `2021-11-24T08:48:00Z` `192.168.71.40` `00:0c:29:ed:d2:40` `192.168.71.1` `00:50:56:c0:00:01` `Attack` `ISIM Sensor` `2021-11-24T08:48:03Z` `Snort_WCry_Ransomware_Termination_URL_Call`
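To show how a collector or SIEM parser would consume these messages, here is an added Python parser for the format described above (example code, not part of PT ISIM or its documentation). The sample line is constructed from the example shown, and the field names are my own labels for the documented positions.

```python
import re

# Constructed sample in the documented format (copied from the example above, not a live capture).
SAMPLE = (
    "10.0.2.8 : 2021-11-24T08:48:11Z:[high]:Created `1171` `WannaCry activity detected` "
    "incident at step 1/1 `[https://10.0.2.8/#/incidents?id=1171]` `Open` "
    "`2021-11-24T08:48:00Z` `192.168.71.40` `00:0c:29:ed:d2:40` `192.168.71.1` "
    "`00:50:56:c0:00:01` `Attack` `ISIM Sensor` `2021-11-24T08:48:03Z` "
    "`Snort_WCry_Ransomware_Termination_URL_Call`"
)

# Fixed prefix "<node> : <date>:[<severity>]:Created ...". The date itself contains
# colons, so the non-greedy match stops at the first ":[".
HEADER_RE = re.compile(
    r"^(?P<node>\S+) : (?P<date>\S+?):\[(?P<severity>[^\]]+)\]:Created (?P<body>.*)$"
)
STEP_RE = re.compile(r" incident at step (?P<step>\S+) ")
FIELD_RE = re.compile(r"`([^`]*)`")

# Labels (assumed names) for the 13 backtick-quoted fields, in documented order.
FIELD_NAMES = [
    "incident_id", "incident_name", "link", "state", "start_time",
    "src_ip", "src_mac", "dst_ip", "dst_mac", "group",
    "sensor_node", "update_time", "incident_type",
]


def parse_incident(line):
    """Parse one PT ISIM incident message into a dict; raise ValueError if malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an incident message: header mismatch")
    event = {"node": m["node"], "date": m["date"], "severity": m["severity"]}
    step = STEP_RE.search(m["body"])
    if not step:
        raise ValueError("missing 'incident at step' marker")
    event["step"] = step["step"]
    fields = FIELD_RE.findall(m["body"])
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} quoted fields, got {len(fields)}")
    event.update(zip(FIELD_NAMES, fields))
    event["link"] = event["link"].strip("[]")  # the link is wrapped in [] in the message
    return event


if __name__ == "__main__":
    for key, value in parse_incident(SAMPLE).items():
        print(f"{key:14} {value}")
```

Messages that do not match the documented layout raise ValueError rather than being silently mis-mapped, which is what you want when a field count changes between product versions.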
Restart the ptisim-httpapi service with the systemctl restart ptisim-httpapi command. Messages will then be sent to the specified server. You must also configure receipt of messages from PT ISIM proView Sensor on the syslog server.