Get Demo

How to Set Up Syslog Forwarding to ThreatHawk SIEM

Guide to configuring Syslog forwarding to ThreatHawk SIEM, covering transport protocols, source setup for Linux/Windows/network devices, security, compliance, a

📅 Published: June 2026 🔐 Cybersecurity • SIEM ⏱️ 8–12 min read

To set up Syslog forwarding to ThreatHawk SIEM, you need to configure your network devices, servers, and applications to send Syslog messages to the ThreatHawk collector endpoint, typically on UDP port 514 or TCP port 6514 for encrypted transport. ThreatHawk SIEM parses, normalizes, and correlates these logs in real time for threat detection, compliance monitoring, and security operations.

Syslog is the de facto standard for logging across enterprise infrastructure—firewalls, routers, switches, Linux servers, and many security appliances all speak Syslog. Modern SIEM platforms like ThreatHawk SIEM ingest Syslog streams to build a unified view of your security telemetry. This guide covers every step of the forwarding pipeline, from source configuration to secure delivery, with best practices for enterprise SOC operations.

Prerequisites for Syslog Forwarding to ThreatHawk SIEM

Before configuring any source device, confirm that your ThreatHawk SIEM deployment is ready to receive Syslog traffic. The following components must be in place.

Component
Requirement
Notes
ThreatHawk Collector
Dedicated log collector or virtual appliance
Deployed on-premises or in cloud; supports horizontal scaling
Network Reachability
TCP/UDP ports open between sources and collector
UDP 514 (standard Syslog) or TCP 6514 (Syslog over TLS)
Syslog Protocol Support
RFC 5424 or RFC 3164
ThreatHawk parses both formats; RFC 5424 recommended for structured data
Firewall Rules
Allow inbound Syslog traffic to collector IP
Restrict source IPs to known log senders only
Time Synchronization
NTP on all devices and ThreatHawk appliance
Critical for log correlation and accurate timeline reconstruction

ThreatHawk SIEM supports both unencrypted Syslog (suitable for segmented internal networks) and encrypted transport via TLS. For production deployments, especially those subject to compliance standards automation frameworks like PCI DSS or HIPAA, TLS-encrypted Syslog forwarding is strongly recommended.

Security Note: Never expose your Syslog collector directly to the internet. If you must forward logs from remote sites, use a VPN tunnel or a dedicated log shipper with TLS termination. ThreatHawk SIEM can accept forwarded logs from a Syslog proxy or aggregator in a DMZ.

Syslog Transport Protocols: UDP, TCP, and TLS

Choosing the right transport protocol affects reliability, security, and performance. ThreatHawk SIEM supports all three options, but each has trade-offs relevant to enterprise SOC engineering.

Syslog over UDP (Port 514)

UDP is the original Syslog transport and remains the most widely supported option. It is connectionless, meaning there is no handshake or acknowledgment. This makes it fast and low-overhead, but also inherently unreliable—packets can be dropped without notification. Use UDP only for low-priority logs on trusted, low-latency networks where packet loss is minimal.

Syslog over TCP (Port 1468 or 601)

TCP provides delivery guarantees through acknowledgments and retransmission. This eliminates the packet loss problem of UDP. However, TCP can introduce backpressure: if the collector slows down, sources may queue or drop logs. ThreatHawk SIEM handles TCP backpressure gracefully with configurable buffer limits, but you should size your collector throughput accordingly.

Syslog over TLS (Port 6514)

For encrypted Syslog forwarding, TLS is the enterprise standard. It wraps TCP Syslog in a TLS tunnel, ensuring confidentiality and integrity of log data in transit. ThreatHawk SIEM supports mutual TLS (mTLS) for authenticating both the source and the collector. This is the recommended transport for compliance-driven environments and for any logs traversing untrusted network segments.

Transport
Default Port
Reliability
Encryption
Use Case
UDP
514
Low
None
Internal trusted networks, non-critical logs
TCP
1468 / 601
High
None
Reliable delivery within secure zones
TLS
6514
High
TLS 1.2/1.3
Compliance, cross-network, remote sites

ThreatHawk SIEM can be configured to listen on multiple ports simultaneously, allowing you to mix transports per source type. For example, you could receive UDP from internal switches and enforce TLS from cloud-based firewalls.

Configuring Syslog Forwarding on Common Source Types

The following sections provide step-by-step Syslog forwarding configuration for the most common enterprise log sources. Each example targets the ThreatHawk collector IP and port.

Linux Servers (rsyslog)

rsyslog is the default Syslog daemon on most Linux distributions. To forward logs to ThreatHawk SIEM, add a configuration file in /etc/rsyslog.d/.

1

Create the forwarding configuration

Create /etc/rsyslog.d/90-threathawk.conf with the following content for TCP forwarding:

*.* @@192.168.1.100:6514;RSYSLOG_SyslogProtocol23Format

For UDP, use a single @ symbol. The RSYSLOG_SyslogProtocol23Format template sends logs in RFC 5424 format, which ThreatHawk parses optimally.

2

Restart rsyslog and verify

Run systemctl restart rsyslog and check /var/log/syslog or /var/log/messages for connection errors. On the ThreatHawk SIEM console, verify that logs begin appearing under the relevant data source.

3

Enable TLS (optional but recommended)

For TLS forwarding, create /etc/rsyslog.d/91-threathawk-tls.conf:

global(DefaultNetstreamDriver="gtls")
$ActionSendStreamDriverMode="1" 
$ActionSendStreamDriverAuthMode="x509/name" 
$ActionSendStreamDriverPermittedPeer="threathawk-collector.yourdomain.com" 
*.* @@192.168.1.100:6514

Ensure the ThreatHawk collector's TLS certificate is trusted on the Linux host. Copy the CA certificate to /etc/rsyslog.d/ca-cert.pem and reference it in the global configuration.

Windows Servers (Windows Event Forwarding via Syslog)

Windows does not natively support Syslog. To forward Windows Event Logs to ThreatHawk SIEM, install a Windows Syslog agent or use a log shipper. ThreatHawk SIEM integrates with the ThreatHawk SIEM + SOAR agent, which handles native Windows Event Log collection and forwards it to the SIEM in Syslog format.

1

Install the ThreatHawk Windows Agent

Download and install the ThreatHawk SIEM Windows agent from the CyberSilo portal. During setup, specify the collector IP and the transport protocol (TCP/TLS). The agent collects Security, System, and Application logs and forwards them as structured Syslog messages.

2

Configure event selection

In the agent configuration, specify which Event Log channels to monitor. For compliance with DLP vs SIEM use cases, include Security log event IDs 4624 (successful logon), 4625 (failed logon), and 4688 (process creation).

3

Verify forwarding

On the ThreatHawk SIEM console, navigate to Data Sources > Windows Event Logs. You should see a live stream of Windows events with parsed fields including EventID, User, and Source IP.

Network Devices (Cisco, Palo Alto, Fortinet)

Network security appliances are among the most important Syslog sources for a SIEM. ThreatHawk SIEM includes pre-built parsers for major vendors.

1

Cisco IOS/ASA/FTD

On a Cisco device, configure Syslog forwarding with:

logging host 192.168.1.100 transport tcp port 6514
logging trap informational
logging facility syslog
logging source-interface GigabitEthernet0/1

ThreatHawk SIEM automatically parses Cisco ASA messages and maps them to the Common Event Format (CEF) schema for correlation.

2

Palo Alto Networks NGFW

Navigate to Device > Server Profiles > Syslog and create a new profile. Set the ThreatHawk collector as the server, select TCP or SSL (TLS) transport, and choose "Syslog format" as IETF (RFC 5424). Apply the profile to the security policy rules you want to log.

3

Fortinet FortiGate

In the FortiGate CLI, run:

config log syslogd setting
    set status enable
    set server "192.168.1.100"
    set port 6514
    set mode reliable
    set facility local0
    set source-ip "10.0.0.1"
end

The mode reliable option enables TCP transport. For TLS, add set secure-connection enable and upload the ThreatHawk CA certificate to the FortiGate.

Cloud and SaaS Sources (AWS, Azure, GCP)

Cloud platforms do not send native Syslog, but you can forward cloud logs to ThreatHawk SIEM via Syslog proxy or log shipper. The recommended approach uses a lightweight forwarder such as rsyslog or syslog-ng running on a cloud instance that tails cloud API logs.

For AWS CloudTrail and VPC Flow Logs, configure the ThreatHawk SIEM connector to pull logs via API, or set up a CloudWatch Logs subscription that delivers logs to a Lambda function which forwards them as Syslog to the collector. The same pattern applies to Azure Monitor and GCP Cloud Logging.

Syslog Message Format and Normalization in ThreatHawk SIEM

Raw Syslog messages arrive in different formats depending on the sending device. ThreatHawk SIEM applies automatic parsing and normalization to map fields to a consistent schema for correlation and search.

Key Syslog Fields Parsed by ThreatHawk

ThreatHawk SIEM extracts the following fields from every Syslog message:

Topical Authority Insight: A common root cause of poor SIEM correlation is inconsistent timestamp handling. ThreatHawk SIEM enforces UTC normalization at ingestion, which eliminates the confusion of mixed timezones across a distributed enterprise—a frequent weakness highlighted in analyses of weaknesses of SIEM and how to overcome them.

Handling Malformed or Non-Standard Syslog

Not all devices produce RFC-compliant Syslog. ThreatHawk SIEM includes a flexible parser chain that attempts to extract meaning from malformed messages before falling back to a default schema. You can also write custom parsing rules using the ThreatHawk parsing language for proprietary appliances.

For devices that truncate long messages (a common issue with legacy Syslog implementations), ThreatHawk SIEM supports message reassembly for TCP-based streams, ensuring that complete log entries are stored and correlated.

Securing the Syslog Pipeline to ThreatHawk SIEM

Log data often contains sensitive information, including user identities, network topologies, and application activity. Securing the forwarding pipeline is a compliance requirement under PCI DSS requirement 10.2, HIPAA §164.312(b), and SOC 2 common criteria.

TLS Certificate Management

When using Syslog over TLS, each source must trust the ThreatHawk collector's certificate. For enterprise-scale deployments, use an internal Certificate Authority (CA) to issue certificates to the collector. Distribute the CA certificate to all Syslog sources. ThreatHawk SIEM supports certificate rotation without dropping active connections.

Network Segmentation and Access Control

Place the ThreatHawk Syslog collector in a dedicated logging segment, accessible only from authorized source subnets. Use ACLs or security group rules to restrict inbound Syslog traffic to known source IP ranges. ThreatHawk SIEM can also label messages by source subnet for correlation with network context.

Rate Limiting and Log Volume Management

A misconfigured device or a denial-of-service attack can flood the Syslog collector. Configure rate limiting at both the source and collector levels. ThreatHawk SIEM provides per-source rate limiting with alerting when a source exceeds its baseline. This is particularly important when onboarding large legacy environments that may generate unexpected log volumes.

Verifying Syslog Forwarding to ThreatHawk SIEM

After configuring your sources, verify that ThreatHawk SIEM is receiving and parsing logs correctly.

Using the ThreatHawk Data Source Dashboard

Navigate to Administration > Data Sources in the ThreatHawk SIEM interface. Each configured source type (Linux Syslog, Windows Agent, Cisco, etc.) shows a live ingestion rate in events per second (EPS). A non-zero EPS confirms that messages are reaching the collector.

Testing with the logger Command

From any Linux source, send a test Syslog message:

logger -n 192.168.1.100 -P 6514 -T "ThreatHawk SIEM test message from $(hostname)"

The -T flag sends over TCP. For UDP, omit it. Then search for "ThreatHawk SIEM test message" in the ThreatHawk SIEM search interface. If it appears with the correct hostname, your pipeline is operational.

Troubleshooting Common Issues

Scaling Syslog Forwarding for Enterprise Deployments

Large enterprises often generate millions of Syslog messages per second from thousands of sources. ThreatHawk SIEM is designed to scale horizontally, but you must plan the Syslog forwarding architecture accordingly.

Using Syslog Aggregators and Load Balancers

For environments exceeding 50,000 EPS, deploy Syslog aggregators (such as syslog-ng with high-performance mode) in front of the ThreatHawk collector farm. Aggregators can deduplicate, filter, and compress Syslog messages before forwarding to the SIEM, reducing both bandwidth and storage costs.

Load balancers with Syslog awareness can distribute incoming Syslog streams across multiple ThreatHawk collectors based on source subnet or facility. This avoids single points of failure and enables maintenance windows without data loss.

Filtering Noisy or Redundant Logs

Not all Syslog messages carry security value. Infrastructure health checks, periodic status messages, and debug-level logs can consume significant collector capacity without contributing to detection. Configure source-side filtering via rsyslog property-based filters or ThreatHawk SIEM's ingestion rules to drop low-value messages before they reach the correlation engine.

Streamline Your SIEM Deployment with Expert Configuration

Setting up Syslog forwarding at enterprise scale requires careful planning across protocol selection, security, and capacity management. CyberSilo's security engineers have deployed ThreatHawk SIEM in environments with over 500,000 EPS across global distributed networks. Let our team review your logging architecture and ensure your Syslog pipeline is optimized for both cost and detection effectiveness.

Syslog Forwarding for Compliance Frameworks

Syslog forwarding is not just a technical exercise—it is a core compliance control. ThreatHawk SIEM maps incoming Syslog data directly to compliance requirements, automating evidence collection and audit reporting.

PCI DSS Requirements for Log Forwarding

PCI DSS requirement 10.2 mandates that all access to cardholder data environments is logged. Syslog forwarding to a centralized SIEM like ThreatHawk satisfies this requirement when you configure sources to send authentication logs, firewall denies, and database access events. ThreatHawk SIEM marks these events with PCI DSS tags for automated reporting.

HIPAA Audit Controls

Under HIPAA §164.312(b), covered entities must implement hardware, software, and procedural mechanisms to record and examine activity. Forwarding Syslog from all systems that access ePHI to a centralized SIEM satisfies the audit control standard. ThreatHawk SIEM provides pre-built HIPAA reports that map Syslog events to the required audit controls.

NIST 800-53 and FedRAMP Logging Requirements

For federal and government environments, NIST 800-53 control AU-3 requires that log records contain specific fields including event type, date/time, source, and outcome. ThreatHawk SIEM enforces this schema at ingestion, ensuring that all forwarded Syslog messages meet the standard before storage.

ThreatHawk SIEM's compliance automation capabilities extend beyond simple log storage. The platform correlates forwarded Syslog with user identity data from Active Directory or LDAP, enabling full audit trails for access reviews, account management, and privileged session monitoring across the Compliance Standards Automation framework.

Best Practices for Enterprise Syslog Forwarding

The following practices, drawn from real-world ThreatHawk SIEM deployments, will help you maintain a stable, secure, and high-performance Syslog pipeline.

Implement Redundant Forwarding Paths

Configure each source to forward Syslog to a primary and secondary ThreatHawk collector. Use separate network paths for redundancy. If your Syslog source supports it (rsyslog and syslog-ng both do), enable failover with queue-on-failure to buffer logs during network interruptions.

Design a Dedicated Logging Network

Separate log traffic from production data. A dedicated VLAN or VRF for Syslog traffic reduces packet loss, simplifies firewall rules, and prevents log delivery from competing with business traffic. ThreatHawk SIEM can apply metadata tags based on the VLAN ID of the incoming connection.

Monitor the Syslog Pipeline Itself

Treat the Syslog forwarding infrastructure as a critical security control that requires monitoring. ThreatHawk SIEM includes dashboard widgets that display ingestion rates, per-source volume, and error counts. Configure alerts for zero EPS from any previously active source—silent sources often indicate a configuration change or device failure that can create a blind spot.

Plan Retention with Forwarded Logs in Mind

Syslog messages can consume storage rapidly. ThreatHawk SIEM supports tiered storage policies: hot storage for real-time correlation and investigation, warm storage for 90-day compliance retention, and cold storage for 1-7 year archival. Plan your retention periods based on your compliance obligations, not just storage budget.

Executive Warning: A common failure pattern in SOC operations is assuming that Syslog forwarding is working without ongoing verification. In one enterprise assessment, ThreatHawk engineers discovered that 12% of critical security appliances had stopped forwarding logs due to certificate expiration—and the SOC had no visibility into the gap for six weeks. Implement automated pipeline health checks from day one.

Advanced Syslog Forwarding Topologies with ThreatHawk SIEM

For complex enterprises, the simple "device sends Syslog to collector" model may not suffice. ThreatHawk SIEM supports several advanced topologies.

Multi-Tenant Syslog Forwarding for MSSPs

MSSPs managing multiple customers need to segregate Syslog streams while maintaining a single SIEM platform. The ThreatHawk MSSP SIEM architecture uses tenant-aware collectors that tag incoming Syslog messages with customer identifiers. Configure each customer's devices to forward to a dedicated port or IP, and the collector automatically routes logs to the correct tenant workspace.

Syslog Proxy and Aggregation for Remote Sites

For branch offices or remote manufacturing sites with limited bandwidth, deploy a local Syslog proxy that caches and compresses logs before forwarding to the central ThreatHawk collector. The proxy can filter out informational messages, send only security-relevant events in real time, and batch the rest during off-peak hours.

Integrating Syslog Forwarding with SOAR Workflows

When ThreatHawk SIEM detects a correlation rule trigger from forwarded Syslog, it can automatically initiate a SOAR playbook. For example, repeated authentication failures from a single IP across multiple Syslog sources can trigger an automated IP block via a firewall API call. This closed-loop response is built into the ThreatHawk SIEM + SOAR solution.

Our Conclusion & Recommendation

Setting up Syslog forwarding to ThreatHawk SIEM is a foundational security engineering task, but doing it correctly at enterprise scale requires attention to protocol selection, certificate management, network design, and ongoing pipeline monitoring. The enterprises that succeed are those that treat Syslog forwarding not as a one-time configuration exercise, but as a critical data pipeline with the same reliability and security requirements as the production services it monitors.

For security leaders evaluating SIEM platforms, the ability to ingest and normalize Syslog from any source without custom development is a minimum requirement. ThreatHawk SIEM exceeds that baseline with enterprise-scale throughput, automatic normalization, built-in TLS support, and compliance mapping that turns raw Syslog into auditable evidence. Whether you are forwarding from a handful of Linux servers or from 10,000 devices across a global network, the architecture and tooling are designed to scale without sacrificing detection quality.

We recommend starting with a phased rollout: select your top ten highest-priority sources (typically firewalls, domain controllers, and critical servers), configure TLS forwarding, validate with the ThreatHawk data source dashboard, then expand to remaining sources. This approach minimizes risk while building the operational muscle for full-scale deployment.

Ready to Secure Your Log Pipeline?

Schedule a consultation with CyberSilo's SIEM engineering team. We will review your current logging architecture, recommend an optimized Sysflow forwarding plan, and demonstrate how ThreatHawk SIEM transforms raw logs into actionable threat intelligence. No obligation, no sales pitch—just expert guidance from engineers who have deployed SIEM at global scale.

📰 More from CyberSilo

Latest Articles

Stay ahead of evolving cyber threats with our expert insights

Privacy Compliance for US Online Retailers (CCPA & State Laws)
SIEM
Jun 23, 2026 ⏱ 17 min

Privacy Compliance for US Online Retailers (CCPA & State Laws)

See how CyberSilo helps you strengthen your security posture for US organizations. Practical guidance on privacy compliance for us online retailers (ccpa & s

Read Article
Holiday Season Cyber Threats for Retailers
SIEM
Jun 23, 2026 ⏱ 10 min

Holiday Season Cyber Threats for Retailers

Holiday Season Cyber Threats for Retailers explained for US organizations — clear, practical guidance to strengthen your security posture. Learn the essentia

Read Article
eCommerce Privacy in Canada: PIPEDA & Law 25
SIEM
Jun 23, 2026 ⏱ 10 min

eCommerce Privacy in Canada: PIPEDA & Law 25

See how CyberSilo helps you strengthen your security posture for Canadian organizations. Practical guidance on ecommerce privacy in canada with expert support.

Read Article
Cybersecurity Compliance for US Schools and Universities
SIEM
Jun 23, 2026 ⏱ 15 min

Cybersecurity Compliance for US Schools and Universities

See how CyberSilo helps you strengthen your security posture for US organizations. Practical guidance on cybersecurity compliance for us schools and universi

Read Article
Protecting Student Data: FERPA and COPPA for EdTech
SIEM
Jun 23, 2026 ⏱ 14 min

Protecting Student Data: FERPA and COPPA for EdTech

Protecting Student Data explained for US organizations — clear, practical guidance to strengthen your security posture. Learn the essentials with CyberSilo.

Read Article
Ransomware in K-12 and Higher Ed: Defense Strategies
SIEM
Jun 23, 2026 ⏱ 11 min

Ransomware in K-12 and Higher Ed: Defense Strategies

Ransomware in K-12 and Higher Ed explained for US organizations — clear, practical guidance to strengthen your security posture. Learn the essentials with Cy

Read Article
✅ Link copied!