TEAM: Huntress Managed SIEM
SUMMARY: Common and frequently asked questions about Huntress Managed SIEM.
Why are my syslog messages not showing up in Huntress Managed SIEM?
Once you have designated an agent as a syslog collector, configured the software firewall on the collector endpoint, and configured your syslog source to send messages, it can take a little time for logs to appear in the console due to processing time. Here are some approximate time frames:
- After selecting an agent to be a syslog collector, it can take up to 20 minutes for the agent to begin listening.
- Once messages have been received by the agent, as confirmed by the creation of the wbs_ file in the OS-specific Rio directory, it can take up to 15 minutes for syslog data to appear in the portal.
- Windows: %PROGRAMFILES%\Huntress\Rio\tmp
- Linux: /usr/share/huntress/rio/tmp
You can view all syslog messages that are available for searching by using the following query (you may need to adjust the time scale to the left of the "Search" button):
from logs | where event.capability == syslog
Please see our Troubleshooting SIEM local syslog collection guide.
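As an added example (not Huntress code), the following Python script maps the waiting periods and the wbs_ file check above onto a simple diagnosis for a collector endpoint. The tmp paths are the ones listed above; treating the most recent write to a wbs_ file as the time messages were received is an assumption.

```python
# Added diagnostic for syslog collector delays (not Huntress code).
# Thresholds and tmp paths come from the FAQ; using the newest wbs_ file
# write time as the "messages received" time is an assumption.
import os
import platform
from datetime import datetime, timedelta, timezone

LISTENER_DELAY = timedelta(minutes=20)  # agent may take up to 20 min to listen
PORTAL_DELAY = timedelta(minutes=15)    # up to 15 min from wbs_ file to portal
SEARCH_QUERY = "from logs | where event.capability == syslog"


def default_rio_tmp() -> str:
    """OS-specific Rio tmp directory as listed in the FAQ."""
    if platform.system() == "Windows":
        base = os.environ.get("PROGRAMFILES", r"C:\Program Files")
        return os.path.join(base, "Huntress", "Rio", "tmp")
    return "/usr/share/huntress/rio/tmp"


def newest_wbs_mtime(tmp_dir: str):
    """UTC time of the most recent write to any wbs_ file, or None if none."""
    try:
        names = [n for n in os.listdir(tmp_dir) if n.startswith("wbs_")]
    except FileNotFoundError:
        return None
    if not names:
        return None
    newest = max(os.path.getmtime(os.path.join(tmp_dir, n)) for n in names)
    return datetime.fromtimestamp(newest, tz=timezone.utc)


def diagnose(assigned_at: datetime, now: datetime, tmp_dir: str) -> str:
    """Map the FAQ's waiting periods onto the collector's observed state."""
    if now - assigned_at < LISTENER_DELAY:
        return "listener-pending"    # agent may not be listening yet; wait
    received = newest_wbs_mtime(tmp_dir)
    if received is None:
        return "no-messages"         # no wbs_ file: check firewall and source
    if now - received < PORTAL_DELAY:
        return "ingest-pending"      # received; allow up to 15 min, then search
    return "expect-searchable"       # data should be visible with SEARCH_QUERY


if __name__ == "__main__":
    # Usage: pass the time the agent was designated as collector (ISO 8601).
    import sys
    assigned = datetime.fromisoformat(sys.argv[1]).astimezone(timezone.utc)
    print(diagnose(assigned, datetime.now(timezone.utc), default_rio_tmp()))
```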
Why are my HEC or API messages not showing up in Huntress Managed SIEM?
Once you have set up your HEC or API SIEM source and configured your Huntress portal to receive those messages, it can take a little time for logs to appear in the console because of processing time and, sometimes, low message activity. Some sources are inherently quieter than others, so it can take some time for data to be received by Huntress; we typically recommend a 24-hour waiting period before deciding whether the source is working. This guide should help if you believe the integration should be working but isn't.
Why are my OS log files not showing up in Huntress Managed SIEM?
- Review our Device Compatibility matrix to verify your OS is supported.
- Verify Rio.exe is running on your endpoint.
- Verify the endpoint has free drive space and memory. Endpoints in poor health may have difficulty uploading data.
- Contact Huntress Support; there may be a roadblock that is more visible using Huntress tools.
Why does my device show up as "Generic Syslog"?
The Huntress Agent can collect syslog messages from any device, provided they are RFC-compliant syslog messages. However, not all messages are parsed, which is the process used to make the messages and fields searchable.
There are a variety of reasons for this, but it most often comes down to message formatting. If you are sending messages from a supported device (as shown in our Source Management page) and still see them flagged as Generic, it may be due to the format of the messages. Here are some steps you can take:
- Refer to our Device Configuration Guides if available for your device. Following these guides will ensure your device is sending messages in the correct format.
- If your device is not listed, please check our feedback page to see if it has already been submitted for review. If you find it, please upvote and comment on the existing entry so that you receive updates as we roll out new integrations. If it is not listed, please create a new feedback entry to let us know the specific devices you are asking us to support.
Why is my UniFi / Ubiquiti device showing up as a generic syslog device?
Our method of identification for UniFi devices is based on the messages that are sent by the device. Unfortunately, some device messages do not match the expected format, and we are unable to identify them appropriately.
As of Network Application version 8.5.6, UniFi has released a new messaging format and a new naming convention for their syslog messages. We have seen most devices running the new firmware compatible with this Network Application work as expected.
If you have an AP or switch that is showing up as a Generic Syslog device, this is currently expected behavior. We will continue to update device types; our current focus is firewall devices.