Syslog Forwarding
You can configure your scanner appliances to forward Syslog messages (found in the /var/log/messages Syslog stream) to a remote Syslog server that you specify.
Prior to scanner version 4.1, only scan status messages were transmitted to a remote syslog server.
With the release of scanner version 4.1, all scanner logs, including scanning-related messages, general system log messages, and auto-update logs from /var/log/messages, are now sent to a remote syslog server.
This feature can be enabled for the subscription by any user with a Manager user role. Once enabled, Syslog forwarding is on for all scanner appliances (virtual and physical) currently in the subscription and for new scanners that get added later.
Prerequisites
To use the Syslog Forwarding feature, the following prerequisites must be met:
- The remote Syslog server must be accessible from the scanner's LAN, native VLAN, or WAN gateways.
- To enable Syslog Forwarding, you must have Manager user privileges.
How to Enable Syslog Forwarding
To enable Syslog forwarding, perform the following steps from the Qualys Enterprise TruRisk™ Platform:
- Navigate to the VM/VMDR application.
- Go to Scans > Setup > Syslog Forwarding.
- Select the option Enable Syslog Forwarding and provide details for the remote syslog server, including the protocol (TCP or UDP), port number (default is 514), and either the IP address (IPv4 or IPv6) or DNS hostname.
- When you are done, click Save.
Example:
Syslog message from Scanner version 3.10 and earlier:
Syslog message from Scanner version 4.1 and higher:
Non Scanning Logs
-----------------Non Scanning logs ---------------
2025-03-27T13:34:51+00:00 nm-qvsa-4 ScanD[XXXXX]: Sending heartbeat message (capacity=93&session_id=81042659&session_seq=66) to jobd/SJMS URL https://<qualys_base_url>:443
2025-03-27T13:34:51+00:00 nm-qvsa-4 ScanD[XXXXX]: SSL connection cert info: ISSUER: [ /C=US/O=Qualys, Inc./OU=Operations/CN=Qualys Issuing CA - G1 ] SUBJECT: [ /CN=*.<qualys_base_url>/C=US/ST=California/L=Foster City/O=Qualys, Inc./OU=Engineering/emailAddress=abc-xyz@qualys.com ] VALIDITY_NOT_BEFORE: [ 240826095109Z (August 26 09:51:09 2024) ] VALIDITY_NOT_AFTER: [ 250826095108Z (August 26 09:51:08 2025) ]
2025-03-27T13:34:51+00:00 nm-qvsa-4 ScanD[XXXXX]: SSL connection cert info: SERIAL_NUMBER: [ 2406AB0E1DADC10EE5802295BBDExxxxxxxxC1212 ] SHA1_FINGERPRINT: [ 95:A6:F1:CC:CA:D8:DD:68:C6:CB:42:E9:XX:XX:XX:XX:XX:XX:XX:XX ]
Scanning Logs
------- Scanning Logs ---------
2025-03-27T13:40:57+00:00 nm-qvsa-4 ScanD[XXXXX]: Recieved Katana event [ JOB_ID: XXXXXX:1 | EVENT_MSG: SCAN:STATUSUPDATE:0:95 ]
2025-03-27T13:40:57+00:00 nm-qvsa-4 ScanD[XXXXX]: Recieved Katana event [ JOB_ID: XXXXXX:1 | EVENT: DELETEDIRTREE ]
2025-03-27T13:40:57+00:00 nm-qvsa-4 katana[XXXXX]: Adding fd 8, task -1
2025-03-27T13:40:57+00:00 nm-qvsa-4 ScanD[XXXXX]: Recieved Katana event [ JOB_ID: XXXXXX:1 | EVENT_MSG: SCAN:STATUSUPDATE:95:152 ]
2025-03-27T13:40:57+00:00 nm-qvsa-4 katana[XXXXX]: Adding fd 4, task -2
2025-03-27T13:40:57+00:00 nm-qvsa-4 ScanD[XXXXX]: Recieved Katana event [ JOB_ID: XXXXXX:1 | EVENT_MSG: SCAN:FRAGMENTSIZE:XXXXX ]
2025-03-27T13:40:57+00:00 nm-qvsa-4 ScanD[XXXXX]: Recieved Katana event [ JOB_ID: XXXXXX:1 | EVENT_MSG: SCAN:PARALLELMLS:1 ]
2025-03-27T13:40:57+00:00 nm-qvsa-4 katana[XXXXX]: ML: SLICEID='XXXXXX:1'
SCANNER='qualys-scanner.XXXX'' IPV4='10.XX.X.XXX' CAT='TARGET' EVENT='START'
Autoupdate and Other Logs from Scanner on Syslog Server
------------- Autoupdate and other logs from scanner on rsyslog server---------------
2025-04-03T08:59:46+00:00 nm-qvsa-4 autoupdate[XXXXXX]: [start:iscan-7,qualys,qa]
2025-04-03T08:59:46+00:00 nm-qvsa-4 autoupdate[XXXXXX]: [lock]
2025-04-03T08:59:51+00:00 nm-qvsa-4 statusd[XXXXXX]: Processed 8 probes, 0 err in 0 sec (load 0.08) on iteration 285.
2025-04-03T08:59:56+00:00 nm-qvsa-4 autoupdate[XXXXXX]: [unlock]
2025-04-03T08:59:56+00:00 nm-qvsa-4 autoupdate[XXXXXXX]: [stop]
2025-04-03T09:00:01+00:00 nm-qvsa-4 tagger[XXXX]: log_system_stats@3128: MemAvail:15650/15980M SwapUsed:0/8175M Slab:69/102M Load:0.07 0.04 0.01 1/318/1/0 Interval:30.00sec CPU:0.25%us 0.00%ni 0.25%sy 99.50%id 0.00%wa 0.00%hi 0.00%si 0.00%st intr:935.56/sec ctxt:1290.89/sec
2025-04-03T09:00:01+00:00 nm-qvsa-4 tagger[XXXX]: log_system_stats@XXXX: sockets: used 120 TCP: inuse 7 orphan 0 tw 9 alloc 10 mem 0 UDP: inuse 3 mem 4 RAW: inuse 0 TCP6: inuse 2 UDP6: inuse 1 RAW6: inuse 0
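On the receiving server, the forwarded lines shown above can be split into timestamp, host, program and message, and the Katana events grouped by job ID. The Python below is an added example, not Qualys code: the regular expressions are derived from the redacted samples on this page, and the three category names (scanning, autoupdate, system) are assumptions of the example, not fields the scanner sends.

```python
import re
from collections import Counter
from datetime import datetime
# Layout seen in the samples: ISO-8601 timestamp, host, program[pid]: message.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>[^\]]*)\]: (?P<msg>.*)$")
# Katana events as logged by ScanD in the samples: [ JOB_ID: <id> | EVENT_MSG or EVENT: <text> ]
KATANA_RE = re.compile(
    r"Katana event \[ JOB_ID: (?P<job>\S+) \| EVENT(?:_MSG)?: (?P<event>.+?) \]")

def parse_line(line):
    """Return a dict for one forwarded line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None  # timestamp is not ISO-8601: treat the line as malformed
    k = KATANA_RE.search(rec["msg"])
    rec["job_id"], rec["event"] = (k["job"], k["event"]) if k else (None, None)
    # The three groups below are this example's assumption, not a Qualys field.
    if rec["prog"] == "katana" or k:
        rec["category"] = "scanning"
    else:
        rec["category"] = "autoupdate" if rec["prog"] == "autoupdate" else "system"
    return rec

def summarize(lines):
    """Count lines per category, collect Katana events per job, count rejects."""
    counts, jobs, rejected = Counter(), {}, 0
    for rec in map(parse_line, lines):
        if rec is None:
            rejected += 1
            continue
        counts[rec["category"]] += 1
        if rec["job_id"]:
            jobs.setdefault(rec["job_id"], []).append(rec["event"])
    return counts, jobs, rejected

# Lines copied from the samples above, plus one constructed malformed line.
SAMPLE = [
    "2025-03-27T13:40:57+00:00 nm-qvsa-4 ScanD[XXXXX]: Recieved Katana event [ JOB_ID: XXXXXX:1 | EVENT_MSG: SCAN:STATUSUPDATE:0:95 ]",
    "2025-03-27T13:40:57+00:00 nm-qvsa-4 katana[XXXXX]: Adding fd 8, task -1",
    "2025-04-03T08:59:46+00:00 nm-qvsa-4 autoupdate[XXXXXX]: [lock]",
    "2025-04-03T08:59:51+00:00 nm-qvsa-4 statusd[XXXXXX]: Processed 8 probes, 0 err in 0 sec (load 0.08) on iteration 285.",
    "not a syslog line",
]
```

A non-zero rejected count from summarize(SAMPLE) indicates lines that did not arrive in the expected layout, which is worth alerting on when the transport is UDP and messages can be truncated or lost.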