3.10. THOR Excludes and False-Positive Filters

In THOR you can define directory and file excludes and false positive filters. With ASGARD 2.13+ these features can be globally defined in ASGARD at Scan Control > THOR Config.

Scan Control - Global Directory Exclude and FP Filtering


Warning

Be careful not to use overly broad filters or excludes; configured incorrectly, they can cripple THOR's detection capabilities.

3.11. Syslog Forwarding

To configure syslog forwarding of logs, you can set the --syslog flag during scans. You have multiple options as to where you can send the logs.

Syslog Forwarding via --syslog flag

The --syslog value is constructed from the following colon-separated arguments:

--syslog arguments:

  Argument     Description                                                          Value
  server       The receiving server. %asgard-host% is the ASGARD which issued       FQDN or IP of remote host [1]
               the scan for the agent.
  port         Port number
  syslogtype   Type of syslog format.                                               DEFAULT, CEF, JSON, SYSLOGJSON, SYSLOGKV
  sockettype   Optional, default is UDP.                                            UDP, TCP, TCPTLS

[1] The remote host can be ASGARD or any other syslog-capable system.

Examples:

  • 172.16.20.10:514:SYSLOGKV:TCP
  • rsyslog-forwarder.dom.int:514:JSON:TCP
  • arcsight.dom.int:514:CEF:UDP
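The following validator is an added example and not part of THOR or ASGARD; it parses a --syslog value against the argument table above (server:port:syslogtype[:sockettype], sockettype defaulting to UDP) so a mistyped target is caught before a scan is rolled out to many endpoints. It assumes the value names are case-sensitive exactly as listed and that a server is either the %asgard-host% placeholder, a hostname/FQDN or an IPv4 literal.

```python
import re
from dataclasses import dataclass

# Allowed values, taken from the --syslog argument table above.
SYSLOG_TYPES = {"DEFAULT", "CEF", "JSON", "SYSLOGJSON", "SYSLOGKV"}
SOCKET_TYPES = {"UDP", "TCP", "TCPTLS"}
ASGARD_PLACEHOLDER = "%asgard-host%"


@dataclass(frozen=True)
class SyslogTarget:
    server: str
    port: int
    syslogtype: str
    sockettype: str

    def encrypted(self) -> bool:
        """Only TCPTLS protects the log stream in transit; UDP and TCP send it in clear."""
        return self.sockettype == "TCPTLS"

    def to_flag(self) -> str:
        """Re-serialise in the form THOR expects after --syslog."""
        return f"{self.server}:{self.port}:{self.syslogtype}:{self.sockettype}"


def parse_syslog_target(value: str) -> SyslogTarget:
    """Parse 'server:port:syslogtype[:sockettype]' and validate every field.

    Raises ValueError with a precise message so the mistake is obvious.
    Field values are matched case-sensitively (assumption of this example).
    """
    parts = value.strip().split(":")
    if len(parts) not in (3, 4):
        raise ValueError(f"expected server:port:syslogtype[:sockettype], got {value!r}")
    server, port_s, syslogtype = parts[0], parts[1], parts[2]
    sockettype = parts[3] if len(parts) == 4 else "UDP"  # default per the table

    # server: the ASGARD placeholder, or a hostname/FQDN or IPv4 literal
    if server != ASGARD_PLACEHOLDER and not re.fullmatch(r"[A-Za-z0-9.-]+", server):
        raise ValueError(f"invalid server {server!r}")
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"invalid port {port_s!r}")
    if syslogtype not in SYSLOG_TYPES:
        raise ValueError(f"unknown syslogtype {syslogtype!r}, valid: {sorted(SYSLOG_TYPES)}")
    if sockettype not in SOCKET_TYPES:
        raise ValueError(f"unknown sockettype {sockettype!r}, valid: {sorted(SOCKET_TYPES)}")
    return SyslogTarget(server, int(port_s), syslogtype, sockettype)


def is_valid_syslog_target(value: str) -> bool:
    """Convenience wrapper: True if the value parses, False otherwise."""
    try:
        parse_syslog_target(value)
        return True
    except ValueError:
        return False
```

Run it over the planned targets before distributing the scan; a target whose sockettype is not TCPTLS is worth flagging when the path to the collector crosses an untrusted network segment.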

If you choose to use the --syslog flag, make sure that the necessary ports are allowed within your network and firewall. If you decide to send the logs via syslog to ASGARD, see the section on Rsyslog Forwarding.