Skip to content Skip to main navigation Skip to footer

Tag: log file configuration

v9.6.5 Release Notes for Cyfin


  • Health
    • Added new Health status page to display the current state of different components in the product through Health Modules. These modules can be configured to trigger notification alert emails when an error is detected. The following modules are currently available:
      • License Expiration – Checks the number of days left on the license and can trigger warning and error notifications based on days left.
      • Syslog Inactivity – Checks active syslog ports for data being sent and triggers alert when no data is received in a configurable time period. Module also checks for valid data being received instead of just any data and triggers different error alert accordingly.
  • Reporting
    • Dashboard
      • Visualizer
        • Added an extensive library of preconfigured charts for users to select when creating new panels.
  • Library
    • Updated product to use most recent MySQL library (8.0.33).


  • Dashboard
    • Removed “AVG Daily Usage” and “AVG Daily Ingestion” tiles because metric is not useful when combined with metric data removal as it is currently. Results include large possible negative numbers. 

v9.6.4 Release Notes for Cyfin


  • Reporting
    • Firewall Reporting
      • Palo Alto Firewall reporting now available in addition to Web data. Both types of data can be seamlessly imported and reported on in the Visualizer which has been updated to include pre-configured Firewall dashboards. * Firewall Reporting requires an upgraded license, but evaluation periods are available.
  • Data Management
    • Log Data Setup
      • Updated the location of the wizard buttons for clarity and optimized flow.
    • Log Date Types
      • Updated Sonicwall VPN to include ability to parse NetExtender VPN data.

v9.6.3 Release Notes for Cyfin


  • Data Managements
    • Log Data Setup
      • Added Microsoft Defender as a configuration option. This feature only available for Cyfin in VM environment.
  • Reporting
    • Dashboard
      • Visualizer
        • Added Dashboard level filters. This allows a filter to be applied to all panels with matching data source on the configured dashboard.
  • Usage statistics
    • Added periodic anonymous usage statistics gathering to improve customer experience.


  • Data Management
    • Import
      • Disabled auto importing of syslog enabled log configurations because stream is already automatically imported.

v9.5.1.b Release Notes for Cyfin


  • Security 
    • Updated jQuery library to version 3.6.0 which corrects security issue.
  • Log Configurations
    • Added Cisco Umbrella Export.
    • Added Fortigate Export.
    • Added Sophos Web Application.
    • Updated CheckPoint config to handle HTTPS Inspection records and URL Filtering records to sites with invalid certificates.
  • Performance
    • Sped up startup by moving template verifier and empty indices tasks to job queue.


  • Log Parser
    • Fixed parser not handling configurations that have optional header record line. 
    • Fixed issue of not using correct port field to assign protocol.
    • Properly adjusting log date by timezone adjustment in config file.
    • Correctly dealing with escape characters in log fields.
    • Sped up performance by fixing method to consolidate configurations using the same tokenizer to single parser. An error in the method to identify identical tokenizers was leading to excessive parsers and incorrect stats.
  • Log Download
    • Fix log download issue by using js window for SSL download and php for non-secure.

v9.4.9.a Release Notes for Cyfin


  • Data Management
    • Log Data Source – Wizard
      • Add ability to cancel task for auto inspecting source log data for matching to known devices log formats.
  • Help
    • Support – Log Configurations
      • Added new feature to allow for inspection of syslog data and submission to Wavecrest for analysis. A link to this new page is given during the log configuration wizard when the syslog data is not matched to any known device log format.


  • Reporting
    • Dashboard
      • The metric for “Visits” was missing from the selection in all the charts. Additionally, the Hit metric was displaying “Visits” legend label. These are now corrected.

Configuring Data Sources

In Cyfin version 9.3.1, the Log Data Source Setup wizard has been redesigned to improve the configuration of the product to locate and read your Web-use data when it is syslog data, log files, or database logs. The system will analyze your data to detect the data source format and present the most suitable data types. This allows you to select the best data type from the list and ensures that you get the best match available.

You will be able to select from the following data sources: syslog, directory-based, and database.

For syslog data, select the Internet protocol you want to use, and enter the listening port number. Click Test to start collecting data. If this is successful, you will see the number of messages received incrementing. Click Stop and then Next to continue.

For directory-based or log file data, specify the directory location of your data files. You can also enter a file name with an asterisk to filter your log files, e.g., proxy*.txt. Click Test to display the number of files found. Click Next.

The Data Source Type page is displayed.

The Type of Data drop-down field will display multiple matches. As you select a data type, the data format will be shown in the Data Preview box. Look closely at the data fields to ensure that they are correct or complete.

  • You may see incomplete data, for example, if you were expecting a user name and it is missing. Click Reanalyze to see another record sample.
  • If you need to refresh the data for any reason or are still in the process of receiving syslog messages, click Reanalyze and then select the data source type again.
  • If your firewall is not in the drop-down field, but the data of another completely matches and is in the correct columns, you may select that firewall even though it has a different name. Some firewalls share common data formats.
  • If no matches are found, all syslog and directory data types will become available in the drop-down field. You can select a different data type from the field to complete the configuration process and return at a later time to change it.
  • It is easy to add new data sources to our extensive library. If you have a new data source, need assistance with multiple matches, or have no matching files, just contact Technical Support.

Also for Syslog, you can specify a location in which to keep a local copy of your data.

For database data, the system loads and populates the Type field with database data types. The “More info” link provides setup information on your specific database. Select the type of database and complete the remaining fields. Some fields will be populated with default values.

The last step is to give the data source configuration a name. This is helpful for identification purposes, especially if you add more data source configurations later.

If you have any questions, please contact Technical Support at (321) 953-5351, Ext. 4 or

Configuring Zscaler for Cyfin Syslog

Zscaler uses a virtual machine, Nanolog Streaming Service (NSS), to stream logs from the Zscaler service and deliver them to Cyfin Syslog.

To collect logs for Zscaler Web Security, perform these steps detailed in the following sections:

  1. Configure Zscaler NSS.
  2. Connect the Zscaler NSS feed to Cyfin Syslog.


Configure Zscaler NSS

NSS is maintained and distributed by Zscaler as an Open Virtual Application (OVA). To stream logs to Cyfin Syslog, follow the steps outlined in the NSS Configuration Guide at…guration-Guide.


Connect the Zscaler NSS Feed to Cyfin Syslog

Once you have configured the Zscaler NSS, now add a feed to send logs to Cyfin Syslog using the following steps.

  1. Log into your Zscaler NSS system.
  2. Go to Administration – Settings – Nanolog Streaming Service.
  3. From the NSS Feeds tab, click Add.
  4. In the Add NSS Feed dialog:
    • Feed Name. Enter a name for your NSS feed.
    • NSS Server. Select None.
    • SIEM IP Address. Enter the Cyfin IP address.
    • Log Type. Select Web Log.
    • Feed Output Type. QRadar LEEF is the default.
    • NSS Type. NSS for Web is the default.
    • Status. Select Enabled.
    • SIEM TCP Port. Enter the Cyfin Syslog TCP port number.
    • Feed Escape Character. Leave this field blank.
    • Feed Output Format. The LEEF format is displayed.
    • User Obfuscation. Select Disabled.
    • Duplicate Logs. Disabled by default.
    • Timezone. Set to GMT by default.
  5. Click Save.

Additional Resources

Configuring Cisco Firepower logs for Cyfin Syslog

The following steps pertain to Cisco Firepower Threat Defense and are required to forward these logs to Cyfin Syslog Server:

  1. Select Devices – Platform Settings and create or edit a Firepower Threat Defense policy.
  2. Select Syslog – Syslog Server.
  3. Check the Allow user traffic to pass when TCP syslog server is down check box to allow traffic if any syslog server that is using the TCP protocol is down.
  4. Enter a size of the queue for storing syslog messages on the security appliance when syslog server is busy in the Message queue size (messages) field. The minimum is 1 message. The default is 512. Specify 0 to allow an unlimited number of messages to be queued (subject to available block memory).
  5. Click Add to add a new syslog server.
    • In the IP Address drop-down list, select a network host object that contains the IP address of the syslog server.
    • Choose the protocol (either TCP or UDP) and enter the port number for communications between the Firepower Threat Defense device and Cyfin syslog server.
    • The default ports are 514 for UDP and 1470 for TCP. Valid nondefault port values for either protocol are 1025 through 65535.
    • Check the Log messages in Cisco EMBLEM format (UDP only) check box to specify whether to log messages in Cisco EMBLEM format (available only if UDP is selected as the protocol).
    • Add the zones that contain the interfaces used to communicate with the syslog server. For interfaces not in a zone, you can type the interface name into the field below the Selected Zones/Interface list and click Add. These rules will be applied to a device only if the device includes the selected interfaces or zones.

    Note:  If the syslog server is on the network attached to the physical Management interface, you must type the name of that interface into the Interface Name field below the Selected Security Zones list and click Add. You must also configure this name (if not already configured), and an IP address, for the Diagnostic interface (edit the device from the Device Management page and select the Interfaces tab).

    • Click OK.
  1. Click Save.

You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Click here for more information from Cisco.

Additional Resources

Check Point Log Exporter

If you are running Check Point R77.30 or later, you must first use Check Point Log Exporter for exporting Check Point logs over syslog to Cyfin. Click here for the instructions from Check Point Support.

Important Notes

Commands should be run in an SSH session switched to Expert mode.


Ensure that the Log Exporter is installed on a log server for Check Point R77.30 and R80.10. Log Exporter is already integrated in R80.20.

Basic Deployment

In order to configure a Cyfin target for the logs, run the following on the log server:

cp_log_export add name cyfin_syslog target-server <cyfin_ip> target-port 1455 protocol udp format syslog –apply-now

where <cyfin_ip> is the IP address of your Cyfin server

Helpful Tools

  • To remove the exporter, run:

cp_log_export delete name cyfin_syslog –apply-now

  • To display the exporter’s status, run:

cp_log_export status name cyfin_syslog

  • To reset the current position and reexport all logs per the configuration, run:

cp_log_export reexport name cyfin_syslog

Troubleshooting Tips

If you do not see log files being exported:

  • Stop the exporter by running: cpstop
  • Then start the exporter by running: cpstart

If there is still an issue:

  • Edit $EXPORTERDIR/targets/cyfin_syslog/targetConfiguration.xml
  • Locate <log_files>1</log_files>
  • Change to <log_files></log_files>
  • Stop the exporter by running: cpstop
  • Then start the exporter by running: cpstart

Once this part is completed in Check Point, you can then open Cyfin, go to Data Management – Log Data Source – Setup, and run through the Log Data Source Setup wizard. Upon completing the Log Data Source Setup wizard, you should start to see data in the file “SyslogXXXXXXX.txt” in the log file directory that you chose in the wizard.

Additional Resources:

Unable to see Web site hits information in SonicWall

In SonicWall, if the Content Filtering Service (CFS) is enabled, but the log file is not receiving Web traffic data and therefore not showing as valid in Cyfin, then you need to check the Priority setting for “Syslog Website Accessed.”

  1. Go to Log – Settings and set the Logging Level field to “Inform.”

  1. Then under Category, go to Log – Syslog – Syslog Website Accessed.

  1. Adjust the priority to match the selected logging level.

  1. The log file should now receive Web traffic data and show as valid in Cyfin.