HAProxy

When you configure HAProxy to send log data to Sheriff CSM, you can use the plugin full name as appeared in product web UI plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device	Details
Vendor	HAProxy
Device Type	TCP/HTTP Load Balancer and Proxy Server
Connection Type	Syslog
Data Source Name	HAProxy
Data Source ID	1884

Integrating HAProxy

Before you configure the HAProxy integration, you must have the IP Address of the Sheriff CSM Sensor (Deputy).

To configure HAProxy to send Syslog messages to Sheriff CSM

HAProxy supports five different log formats, with several fields common among these formats. The HTTP format provides the recommended and most advanced logging features for HTTP proxies, and it provides the same information as the TCP format, along with some additional HTTP-specific field information. To enable the HTTP format option, set "option httplog" as a "frontend" configuration section parameter.

To send logs to Sheriff CSM, edit the HAProxy server configuration file (/etc/haproxy/haproxy.cfg) to include the following lines:

global
log <<Sheriff-CSM-Sensor-IP-Address>>:514 <facility>

where <facility> must be one of the 24 standard syslog facilities options:

kern
user
mail
daemon
auth
syslog
lpr
news
uucp
cron
auth2
ftp
nap
audit
alert
cron2
local0
local1
local2
local3
local4
local5
local6
local7

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Additional Resources and Troubleshooting

http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#8

For troubleshooting, refer to the vendor documentation:

https://www.haproxy.com/doc/aloha/7.0/troubleshooting/index.html

Topic revision: r7 - 29 Jun 2022, SheriffCyberSecurity

Sheriff

User Guides

Sheriff CSM

Deployment Guide

User Guide