Configuration and firewall settings for CylanceGUARD syslog mirroring
To allow communication between BlackBerry syslog mirroring servers and your organization's syslog servers, you need to configure your organization's firewall to allow connections from the appropriate BlackBerry IP addresses. Additionally, you need the FQDN (or IP) address and port of your organization's syslog servers, which need to present a signed, TLS-enabled server certificate to receive syslog messages. If your organization requires mTLS authentication, you need to provide a signed client certificate to BlackBerry. The following table lists the configuration details, such as the IP addresses that you should allow based on your assigned region for the Cylance Endpoint Security management console, as well as information about how to generate an mTLS client certificate for
For assistance with setting up syslog mirroring for your organization, visit https://myaccount.blackberry.com/ and open a case for
CylanceGUARD analyst will work with your organization to complete the configuration.
Allow the source IP address (from
Based on your assigned region, configure your firewall to allow connections from the appropriate IP address from
Destination address and port number
You need the FQDN (or IP) address and port number of your organization's syslog server that will receive the syslog messages. A signed, TLS-enabled, server certificate is required to establish a connection for syslog mirroring.
TLS encrypted syslog over TCP
mTLS authentication (optional)
If mTLS authentication is required for your organization, you need to generate an mTLS client certificate and provide it to
When generating the mTLS client certificate:
Processing the header of the forwarded syslog event
Syslog events that are forwarded to your organization's syslog servers have an extra header, in addition to the header of the original event. The header for the original event provides the accurate date and time of the event. You can configure your organization's system to process the extra header, which has the date and time of when the message was forwarded.
The extra header is in RFC5424 format and is bolded in the example below:
Prior to the November 2022 update, the extra header was in RFC3164 format and is bolded in the example below:
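The following Python example is added here and is not BlackBerry's code or sample output. It separates the extra header from the original event, accepting either the RFC 5424 or the legacy RFC 3164 outer format, and returns both the forwarding time and the original event time. It assumes the original event follows the extra header as the message body; the host names and messages are constructed, and RFC 3164 timestamps are assumed to be UTC with the year supplied by the caller.

```python
import re
from datetime import datetime, timezone

# RFC 5424: <PRI>VER TIMESTAMP HOST APP PROCID MSGID SD [MSG]
RFC5424 = re.compile(r"<\d{1,3}>[1-9]\d? (\S+) (\S+) \S+ \S+ \S+ "
                     r"(?:-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (.*))?", re.S)
# RFC 3164 (legacy): <PRI>Mmm dd hh:mm:ss HOST MSG
RFC3164 = re.compile(
    r"<\d{1,3}>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)", re.S)

# Constructed sample data, not real CylanceGUARD output.
ORIGINAL = ("<14>1 2022-11-15T10:20:31.000Z origin.example app 1234 - - "
            "constructed original event")
SAMPLE_5424 = "<13>1 2022-11-15T10:20:35.500Z mirror.example fwd - - - " + ORIGINAL
SAMPLE_3164 = "<13>Nov 15 10:20:35 mirror.example " + ORIGINAL

def parse_header(line, year):
    """Return (format, timestamp, host, rest), or None if no header matches."""
    m = RFC5424.fullmatch(line)
    if m:
        ts = None if m[1] == "-" else datetime.fromisoformat(
            m[1].replace("Z", "+00:00"))
        return "rfc5424", ts, m[2], m[3] or ""
    m = RFC3164.fullmatch(line)
    if m:
        # RFC 3164 has no year or zone: the caller gives the year, UTC is assumed.
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        return "rfc3164", ts.replace(tzinfo=timezone.utc), m[2], m[3]
    return None

def split_forwarded(line, year):
    """Separate the forwarder's extra header from the original event."""
    outer = parse_header(line.rstrip("\r\n"), year)
    if outer is None:
        raise ValueError("no syslog header found")
    fmt, forwarded_at, forwarder, original = outer
    inner = parse_header(original, year)
    return {
        "outer_format": fmt,
        "forwarded_at": forwarded_at,  # time the message was mirrored
        "forwarder": forwarder,
        "event_time": inner[1] if inner else None,  # time of the event itself
        "original": original,
    }

if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        print(split_forwarded(sample, 2022))
```

Index and correlate on `event_time`; the gap between it and `forwarded_at` is the mirroring delay.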