
Configuration and firewall settings for CylanceMDR syslog mirroring

To allow communication between BlackBerry syslog mirroring servers and your organization's syslog servers, configure your organization's firewall to allow connections from the appropriate BlackBerry IP addresses. You also need the FQDN (or IP address) and port of your organization's syslog server, which must present a signed TLS server certificate in order to receive syslog messages. If your organization requires mTLS authentication, you must also provide a signed client certificate to BlackBerry. The following table lists the configuration details, such as the IP addresses to allow based on the region assigned to your Cylance Endpoint Security management console, and describes how to generate an mTLS client certificate for BlackBerry.
For assistance with setting up syslog mirroring for your organization, visit https://myaccount.blackberry.com/ and open a case for CylanceMDR. A CylanceMDR analyst will work with your organization to complete the configuration.
Requirement: Allow the source IP address (from BlackBerry)
Description: Based on your assigned region, configure your firewall to allow connections from the appropriate BlackBerry IP address:
  • US: 52.202.215.1
  • EU: 52.29.124.76
  • JP: 35.73.65.169
  • AU: 54.206.75.195
  • SA: 54.232.154.173

Requirement: Destination address and port number
Description: You need the FQDN (or IP address) and port number of your organization's syslog server that will receive the syslog messages. The server must present a signed TLS server certificate for the syslog mirroring connection to be established.

Requirement: Protocol
Description: TLS-encrypted syslog over TCP

Requirement: mTLS authentication (optional)
Description: If your organization requires mTLS authentication, generate an mTLS client certificate and provide it to BlackBerry.
When generating the mTLS client certificate:
  • Use the certificate signing request (.csr) that BlackBerry provides to your organization.
  • Sign it with the same certificate authority that issued your organization's syslog server certificate, and verify that the resulting certificate carries both the TLS Web Server Authentication and TLS Web Client Authentication extended key usages. Note that openssl x509 -req does not copy extensions from the CSR by default, so the extensions must be supplied explicitly (for example with -extfile) when signing.
  # example command to generate an mTLS client certificate (-CAcreateserial creates rootCA.srl if it does not exist yet)
  openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -in blackberry.csr -out blackberry.crt -days 3650
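The following script is an added example (not BlackBerry tooling) that walks the mTLS row above end to end: it stands up a throwaway CA in place of your organization's CA, constructs a stand-in for the CSR that BlackBerry provides, signs it twice (once with an extension file that sets both required extended key usages and once without, which is the mistake the bullet warns about), and then checks each result the way you should before handing blackberry.crt back. File names, subjects, and the self-signed CA are assumptions for the demo; in practice you sign the CSR BlackBerry sends you with the CA that issued your syslog server certificate.

```shell
#!/bin/sh
# Added example, not BlackBerry tooling. Signs a CSR as an mTLS client certificate
# with both required EKUs, then checks the result before it is returned to BlackBerry.
# All file names, subjects and the self-signed CA below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Stand-in for your organization's CA: must be the same CA that issued the
  # syslog server certificate, so that one trust anchor validates both ends.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Org Syslog CA" \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" >/dev/null 2>&1
}

make_csr() {
  # Constructed stand-in for blackberry.csr. In practice use the CSR BlackBerry
  # provides; the matching private key stays with BlackBerry and never exists here.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=blackberry-syslog-mirror" \
    -keyout "$WORK/blackberry.key" -out "$WORK/blackberry.csr" >/dev/null 2>&1
}

write_ext_file() {
  # Extensions to stamp into the client certificate: both EKUs the page requires.
  cat > "$WORK/client.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
EOF
}

sign_client_cert() {
  # $1: output certificate, $2: extension file, or "" to sign without one.
  # openssl x509 -req does not copy CSR extensions by default, so without
  # -extfile the certificate has no EKU at all (the failure mode checked below).
  if [ -n "$2" ]; then
    openssl x509 -req -sha256 -days 3650 -CAcreateserial \
      -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
      -in "$WORK/blackberry.csr" -extfile "$2" -out "$1" >/dev/null 2>&1
  else
    openssl x509 -req -sha256 -days 3650 -CAcreateserial \
      -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
      -in "$WORK/blackberry.csr" -out "$1" >/dev/null 2>&1
  fi
}

check_client_cert() {
  # $1: certificate to check. Returns 0 only if it chains to rootCA.crt and lists
  # both TLS Web Server Authentication and TLS Web Client Authentication.
  openssl verify -CAfile "$WORK/rootCA.crt" "$1" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in *"TLS Web Server Authentication"*) ;; *) return 1 ;; esac
  case "$text" in *"TLS Web Client Authentication"*) ;; *) return 1 ;; esac
  return 0
}

run_demo() {
  make_ca
  make_csr
  write_ext_file
  sign_client_cert "$WORK/blackberry.crt" "$WORK/client.ext"
  sign_client_cert "$WORK/blackberry-noeku.crt" ""
  check_client_cert "$WORK/blackberry.crt"
}

run_demo && echo "signed $WORK/blackberry.crt with serverAuth+clientAuth (counter-example without EKUs: $WORK/blackberry-noeku.crt)"
```

Run check_client_cert against the certificate you are about to send; a certificate signed without the extension file passes chain validation but fails the EKU check, which is exactly the case the bullet above tells you to catch before handing the file to BlackBerry.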
Processing the header of the forwarded syslog event
Syslog events that are forwarded to your organization's syslog servers carry an extra header in front of the header of the original event. The header of the original event holds the accurate date and time of the event; the extra header holds the date and time at which the message was forwarded. Configure your organization's receiving system to process the extra header so that the event time is taken from the original header rather than from the forwarding time.
The extra header is in RFC5424 format. In the example below it is the first line; the original event follows it:
2022-09-08T00:25:00.000Z 11.11.111.11 CylancePROTECT[-]:
1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost CylancePROTECT - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: …
Prior to the November 2022 update, the extra header was in RFC3164 format. In the example below it is again the first line:
<13> Sep 08 00:25:00 11.11.111.11 CylancePROTECT[-]:
1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost CylancePROTECT - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: …
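The shell functions below are an added example (not BlackBerry code) for testing a receiver's parsing rule against both forwarding-header formats before deploying it: they return the forwarding timestamp, strip the extra header to recover the original RFC 5424 event, and pull the accurate event time from the original header. The two sample lines are constructed from the page's example, joined onto single lines and cut short where the page's is. The number between the two headers (1138 on the page) is assumed to be a length prefix in the style of RFC 6587 octet counting and is dropped along with the forwarding header; its value is not checked against the message.

```shell
#!/bin/sh
# Added example, not BlackBerry code: peel the forwarding header off a mirrored
# CylancePROTECT event so the original RFC 5424 header (true event time) is parsed.
# Samples are constructed from the page's example and truncated where the page is.
set -eu

# Current format: RFC 5424-style timestamp in the forwarding header.
NEW_SAMPLE='2022-09-08T00:25:00.000Z 11.11.111.11 CylancePROTECT[-]: 1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost CylancePROTECT - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: ...'
# Pre-November-2022 format: RFC 3164 forwarding header.
OLD_SAMPLE='<13> Sep 08 00:25:00 11.11.111.11 CylancePROTECT[-]: 1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost CylancePROTECT - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: ...'

# Timestamp of the forwarding header, i.e. when the event was mirrored (either format).
forwarded_timestamp() {
  printf '%s\n' "$1" | sed -E \
    -e 's/^([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+Z) .*$/\1/' \
    -e 's/^<[0-9]+> ?([A-Z][a-z]{2} [ 0-9][0-9] [0-9:]{8}) .*$/\1/'
}

# The original event with the forwarding header removed. The number that follows the
# forwarding header is assumed to be a length prefix (RFC 6587 octet counting) and
# is dropped as well; the value is not validated against the message length.
original_event() {
  printf '%s\n' "$1" | sed -E \
    -e 's/^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9:.]+Z [^ ]+ CylancePROTECT\[-\]: *//' \
    -e 's/^<[0-9]+> ?[A-Z][a-z]{2} [ 0-9][0-9] [0-9:]{8} [^ ]+ CylancePROTECT\[-\]: *//' \
    -e 's/^[0-9]+ (<[0-9]+>[0-9] )/\1/'
}

# Timestamp of the original RFC 5424 header: the accurate time of the event.
original_timestamp() {
  original_event "$1" | sed -E 's/^<[0-9]+>[0-9] ([^ ]+) .*$/\1/'
}

echo "mirrored at $(forwarded_timestamp "$NEW_SAMPLE"), event occurred at $(original_timestamp "$NEW_SAMPLE")"
```

Both sample lines reduce to the same original event, and the event time recovered from it (00:24:57) differs from the forwarding time (00:25:00); a receiver that keys on the first timestamp it sees records the wrong time, which is why the extra header needs to be handled explicitly.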