
REST APIs 25.2.10

Showing Rule ID in Syslog

For large customers handling 10K+ messages per second, including rule IDs in the Syslog events will substantially increase the volume of recorded data.

New Feature: Added the organization-level feature flag rule_info_exposure_to_syslog (disabled by default) in release 25.1.0. This flag controls whether rule ID information is included in syslog messages.

Adding the Rule ID to Syslog Events

To add rule IDs to syslog events, the optional_features API was extended with the new feature name rule_info_exposure_to_syslog. The relevant excerpt of the response schema (the enum of feature names) now reads:

{
  "$schema": "http://json-schema.org/draft-04/schema#",
  "type": "array",
  "items": {
    "oneOf": [
      {
        "type": "object",
        "additionalProperties": false,
        "required": [
          "name",
          "enabled"
        ],
        "properties": {
          "name": {
            "description": "Name of the feature",
            "type": "string",
            "enum": [
              "ip_forwarding_firewall_setting",
              "ui_analytics",
              "illumination_classic",
              "ransomware_readiness_dashboard",
              "per_rule_flow_log_setting",
              "lightning_default",
              "collector_scanner_filters",
              "corporate_ips_groups",
              "labels_editing_warning_for_enforcement_mode",
              "label_based_network_detection",
              "cloudsecure_enabled",
              "windows_outbound_process_enforcement",
              "rule_based_label_mapping",
              "core_insights",
              "rule_info_exposure_to_syslog"
            ]

Enabling this feature flag also requires the firewall setting enable_all_rule_hit_count_enabled, which instructs the VEN to send rule IDs together with the traffic flow payload to the PCE (see "Enabling the Rule Data" below). The flag itself is set with:

PUT /api/v2/orgs/:org_id/optional_features

payload:

[
    {
        "name": "rule_info_exposure_to_syslog",
        "enabled": true
    }
]

Enabling the Rule Data

Before enabling the property rule_info_exposure_to_syslog, you must update the firewall settings and set the flag enable_all_rule_hit_count_enabled to true.

This can be done using the API or the PCE console.

Setting the flag via the PCE console is explained in the Events Administration Guide.

To set the flag enable_all_rule_hit_count_enabled via the API, use the following command (the API key ID, secret, PCE host and org ID are read from environment variables):

curl -u api_${ILO_API_KEY_ID}:${ILO_API_KEY_SECRET} \
     -H "Content-Type: application/json" \
     -X PUT \
     -d '{"rule_hit_count_enabled_scopes": [[]]}' \
     https://${ILO_SERVER}/api/v2/orgs/${ILO_ORG_ID}/sec_policy/draft/firewall_settings
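The two-step procedure above (firewall setting first, then the organization feature flag), as an added example that is not Illumio's own code. It uses only the Python standard library, takes the endpoints, request bodies and environment variable names from this page, and checks the optional_features body against the schema constraints shown above (required keys, enum of feature names, no additional properties) before anything is sent; the host and org ID defaults are placeholders, and without an API key it runs as a dry run.

```python
"""Enable rule IDs in syslog on an Illumio PCE in the order this page requires.

Added example, not Illumio's code. Assumes the endpoints and bodies shown on
this page; ILO_SERVER / ILO_ORG_ID defaults are placeholders.
"""
import base64
import json
import os
import urllib.request

# Enum of feature names copied from the optional_features schema excerpt above.
OPTIONAL_FEATURE_NAMES = {
    "ip_forwarding_firewall_setting", "ui_analytics", "illumination_classic",
    "ransomware_readiness_dashboard", "per_rule_flow_log_setting",
    "lightning_default", "collector_scanner_filters", "corporate_ips_groups",
    "labels_editing_warning_for_enforcement_mode",
    "label_based_network_detection", "cloudsecure_enabled",
    "windows_outbound_process_enforcement", "rule_based_label_mapping",
    "core_insights", "rule_info_exposure_to_syslog",
}
REQUIRED_KEYS = {"name", "enabled"}


def validate_optional_features_payload(payload):
    """Check a PUT /optional_features body against the schema rules on this
    page: a JSON array of objects, each with exactly 'name' (one of the enum
    values) and 'enabled' (boolean). Returns a list of problems; empty = OK."""
    problems = []
    if not isinstance(payload, list):
        return ["payload must be a JSON array"]
    for i, item in enumerate(payload):
        if not isinstance(item, dict):
            problems.append(f"item {i}: must be an object")
            continue
        missing = REQUIRED_KEYS - item.keys()
        extra = item.keys() - REQUIRED_KEYS  # additionalProperties: false
        if missing:
            problems.append(f"item {i}: missing {sorted(missing)}")
        if extra:
            problems.append(f"item {i}: unexpected {sorted(extra)}")
        if "name" in item and item["name"] not in OPTIONAL_FEATURE_NAMES:
            problems.append(f"item {i}: unknown feature {item['name']!r}")
        if "enabled" in item and not isinstance(item["enabled"], bool):
            problems.append(f"item {i}: 'enabled' must be true/false")
    return problems


def build_enable_requests(server, org_id):
    """Return (method, url, body) tuples in the order the page requires:
    the firewall settings PUT first, then the organization feature flag."""
    base = f"https://{server}/api/v2/orgs/{org_id}"
    firewall_body = {"rule_hit_count_enabled_scopes": [[]]}  # body from the page's curl command
    feature_body = [{"name": "rule_info_exposure_to_syslog", "enabled": True}]
    return [
        ("PUT", f"{base}/sec_policy/draft/firewall_settings", firewall_body),
        ("PUT", f"{base}/optional_features", feature_body),
    ]


def send(method, url, body, key_id, key_secret):
    """Issue one authenticated JSON request using HTTP basic auth with the
    api_<key id> user name, as the page's curl -u option does."""
    token = base64.b64encode(f"api_{key_id}:{key_secret}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    server = os.environ.get("ILO_SERVER", "pce.example.invalid")  # placeholder
    org_id = os.environ.get("ILO_ORG_ID", "1")                    # placeholder
    key_id = os.environ.get("ILO_API_KEY_ID")
    for method, url, body in build_enable_requests(server, org_id):
        if url.endswith("/optional_features"):
            problems = validate_optional_features_payload(body)
            if problems:
                raise SystemExit(f"refusing to send invalid payload: {problems}")
        if key_id:
            print(method, url, send(method, url, body, key_id,
                                    os.environ["ILO_API_KEY_SECRET"]))
        else:
            print("dry run:", method, url, json.dumps(body))
```

Run it with ILO_SERVER, ILO_ORG_ID, ILO_API_KEY_ID and ILO_API_KEY_SECRET exported to perform the two PUTs; with no key in the environment it only prints the requests it would make.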