Configuration and firewall settings for Aurora Managed Endpoint Defense syslog mirroring

To allow communication between the Arctic Wolf syslog mirroring servers and your organization's syslog servers, you need to configure your organization's firewall to allow connections from the appropriate Arctic Wolf IP addresses. You also need the FQDN (or IP address) and port of your organization's syslog servers, which must present a signed TLS server certificate to receive syslog messages. If your organization requires mTLS authentication, you need to provide a signed client certificate to Arctic Wolf. The following table lists the configuration details, such as the IP addresses to allow based on your assigned region for the Aurora Endpoint Security management console, as well as how to generate an mTLS client certificate for Arctic Wolf.

For assistance with setting up syslog mirroring for your organization, visit the Unified Portal and open a case for Aurora Managed Endpoint Defense. An Aurora Managed Endpoint Defense analyst will work with your organization to complete the configuration.

Requirement: Allow the source IP address (from Arctic Wolf)

Description: Based on your assigned region, configure your firewall to allow connections from the appropriate Arctic Wolf IP address:

  • US: 52.202.215.1
  • EU: 52.29.124.76
  • JP: 35.73.65.169
  • AU: 54.206.75.195
  • SA: 54.232.154.173

Requirement: Destination address and port number

Description: You need the FQDN (or IP address) and port number of the syslog server in your organization that will receive the syslog messages. The server must present a signed TLS server certificate for the syslog mirroring connection to be established.

Requirement: Protocol

Description: TLS-encrypted syslog over TCP

Requirement: mTLS authentication (optional)

Description: If your organization requires mTLS authentication, generate an mTLS client certificate and provide it to Arctic Wolf.

When generating the mTLS client certificate:

  • Use the certificate signing request (.csr) that Arctic Wolf provides to your organization.
  • Sign the client certificate with the same certificate authority that issued your organization's syslog server certificate, and verify that the TLS Web Server Authentication and TLS Web Client Authentication extended key usages are present in the signed certificate.
CODE
# Example command to sign the mTLS client certificate with the CA that also signed the syslog server.
# openssl x509 -req does not copy extensions from the CSR, so the -extfile file (client-ext.cnf here)
# must contain: extendedKeyUsage = serverAuth, clientAuth   (-CAcreateserial creates rootCA.srl if missing)
openssl x509 -req -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -in blackberry.csr -out blackberry.crt -days 3650 -extfile client-ext.cnf
# Confirm that both TLS Web Server Authentication and TLS Web Client Authentication are present
openssl x509 -in blackberry.crt -noout -ext extendedKeyUsage

Processing the header of the forwarded syslog event

Syslog events that are forwarded to your organization's syslog servers have an extra header, in addition to the header of the original event. The header for the original event provides the accurate date and time of the event. You can configure your organization's system to process the extra header, which has the date and time of when the message was forwarded.

The extra header is in RFC5424 format. In the example below, the original event begins at its own PRI and version, <44>1; everything before that point was added when the message was forwarded:

CODE
2022-09-08T00:25:00.000Z 11.11.111.11 Aurora Protect[-]: 1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost Aurora Protect - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: …

Prior to the November 2022 update, the extra header was in RFC3164 format. In the example below, the original event again begins at <44>1 and everything before it is the extra header:

CODE
<13> Sep 08 00:25:00 11.11.111.11 Aurora Protect[-]: 1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost Aurora Protect - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: …
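As an added example (not part of the vendor's documentation), the following Python parser splits a mirrored line into the forwarding header and the original event, handling both the current RFC5424-style extra header and the pre-November-2022 RFC3164-style one. It assumes the original header always carries the bracketed structured-data element shown above, and that an RFC3164 forwarding timestamp is UTC in the same year as the event.

```python
import re
from datetime import datetime, timezone

# Extra header prepended by the mirroring service, in its two known shapes:
#   current (RFC5424-style):      "<ISO-8601 ts> <host> Aurora Protect[-]: <n> "
#   pre-Nov-2022 (RFC3164-style): "<PRI> Mon DD HH:MM:SS <host> Aurora Protect[-]: <n> "
_TAIL = r"(?P<host>\S+) (?P<app>.+?)\[-\]: (?P<count>\d+) (?=<\d{1,3}>\d )"
OUTER_5424 = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+(?:Z|[+-]\d{2}:\d{2})) " + _TAIL)
OUTER_3164 = re.compile(r"^<\d{1,3}> ?(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) " + _TAIL)
# Original RFC5424 header: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG. APP-NAME holds
# a space ("Aurora Protect"), so it is matched lazily and SD must be bracketed (or a "-" not followed
# by a bracket); otherwise the lazy match would stop one field early.
INNER = re.compile(
    r"^<(?P<pri>\d{1,3})>\d (?P<ts>\S+) (?P<host>\S+) (?P<app>.+?) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>(?:\[[^\]]*\])+|-(?= [^\[]|$)) ?(?P<msg>.*)$"
)

def parse_mirrored_event(line):
    """Split one mirrored line into the forwarding header and the original event."""
    fmt, outer = "RFC5424", OUTER_5424.match(line)
    if outer is None:
        fmt, outer = "RFC3164", OUTER_3164.match(line)
        if outer is None:
            raise ValueError("no mirroring header found")
    inner = INNER.match(line[outer.end():])
    if inner is None:
        raise ValueError("original RFC5424 header not found")
    event_time = datetime.fromisoformat(inner["ts"])  # the accurate time of the event
    if fmt == "RFC5424":
        forwarded_at = datetime.fromisoformat(outer["ts"].replace("Z", "+00:00"))
    else:
        # RFC3164 timestamps carry neither year nor zone: borrow the year from the original
        # event and assume UTC (an assumption; the vendor does not state the zone).
        naive = datetime.strptime(re.sub(r" +", " ", outer["ts"]), "%b %d %H:%M:%S")
        forwarded_at = naive.replace(year=event_time.year, tzinfo=timezone.utc)
    pri = int(inner["pri"])
    return {
        "outer_format": fmt, "forwarded_at": forwarded_at, "forwarder_host": outer["host"],
        "event_time": event_time, "event_host": inner["host"], "app": inner["app"],
        "facility": pri // 8, "severity": pri % 8, "structured_data": inner["sd"],
        "message": inner["msg"], "forwarding_delay_s": (forwarded_at - event_time).total_seconds(),
    }

# The two example lines from the page itself (the trailing "…" is the page's own truncation).
SAMPLES = [
    "2022-09-08T00:25:00.000Z 11.11.111.11 Aurora Protect[-]: 1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost Aurora Protect - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: …",
    "<13> Sep 08 00:25:00 11.11.111.11 Aurora Protect[-]: 1138 <44>1 2022-09-08T00:24:57.000000+00:00 sysloghost Aurora Protect - - [5555abcd-abcd-wxyz-a123-12345abcdef] Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: AbC/AaaaaaBBBcc0DeFGhIJ=, User: …",
]
```

Calling parse_mirrored_event on either SAMPLES entry yields the original event time 2022-09-08T00:24:57+00:00 and a forwarding delay of 3 seconds; index on event_time, not forwarded_at, when correlating these events with other telemetry.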