Skip to main content
Skip table of contents

Create a Remote Log Relay Source - Cylance


  • The user has a Log Relay device online

  • The user is not blocking traffic on port TCP and UDP port 14015 between the Cylance and the Log Relay


  1. Upon activation of your account, you will receive an email with your login information for the Console.

  2. Click the link in the email and go to the login page.

  3. Login to the Console as an Administrator.

  4. Select Settings > Application.

  5. Record the displayed token. Download the installer by clicking either Windows or Linux or Mac OS X and then selecting the installation format.

  6. Use the token when prompted during installation.

Note: CylancePROTECT Agent 1400 or higher must be installed on the endpoint before installing CylanceOPTICS for Windows.

For more info on CylanceOPTICS click here



  1. Click on Settings, then Application submenu.

  2. When the page loads, scroll down to the INTEGRATIONS section of the page.

  3. The following sections will provide details and descriptions for each sub heading in this section


Syslog events have standard fields like timestamp, severity level, facility and a Cylance-specific payload (message). Examples provided in this section only contain the Cylance-specific message

Application Control

This option is only visible to Tenant's that have the Application Control feature enabled. Application Control events represent actions occurring when the device is in AppControl mode. Checking this option will send a message to the Syslog server whenever an attempt is made to modify or copy an executable file, or when an attempt to made to execute a file from an external device or network location.

Example Message for Deny PE File Change

CylancePROTECT: Event Type: AppControl, Event Name:
pechange, Device Name: WIN-7entSh64, IP Address:
(, Action: PEFileChange, Action Type:
Deny, File Path:
C:\Users\admin\AppData\Local\Temp\MyInstaller.exe, SHA256:

Example Message for Deny Execution from External Drive

CylancePROTECT: Event Type: AppControl, Event Name:
executionfromexternaldrives, Device Name: WIN-7entSh64, IP
Address: (, Action: PEFileChange, Action
Type: Allow, File Path: \\shared1\psexec.exe, SHA256:
Audit Log

When this option is checked, the audit log of user actions performed in the CylancePROTECT Web console will be sent to the Syslog server. Audit Log events will always appear in the Audit Log screen even when this option is unchecked.

Example Message for Audit Log being forwarded to Syslog

CylancePROTECT: Event Type: AuditLog, Event Name:
ThreatGlobalQuarantine, Message: SHA256:
2EDC1F1573BFA; Reason: Manually blacklisting these 2
threats., User: (

When this option is checked, these device events will be logged to the Syslog server:

  1. When a new device is registered (you'll always get 2 messages for this: Registration and SystemSecurity).

    1. Example Message for Device Registered Event

      CylancePROTECT: Event Type: Device, Event Name:
      Registration, Device Name: WIN-55NATVQHBUU
      CylancePROTECT: Event Type: Device, Event Name:
      SystemSecurity, Device Name: WIN-55NATVQHBUU, Agent
      Version: 1.1.1270.58, IP Address: (, MAC
      Address: (005056881877), Logged On Users: (WIN55NATVQHBUU\Administrator), OS: Microsoft Windows Server
      2008 R2 Standard Service Pack 1 x64 6.1.7601
  2. When a device is removed.

    1. Example Message for Device Removed Event

      CylancePROTECT: Event Type: Device, Event Name: Device Removed, Device
      Names: (test-xp-test), User: (
  3. When a device's policy, zone, name, or logging level has changed.

    1. Example Message for Device Updated Event

      CylancePROTECT: Event Type: Device, Event Name: Device
      Updated, Device Message: Renamed: 'WIN-55NATVQHBUU' to
      'WIN-2008R2-IRV1'; Policy Changed: 'Default' to
      'IRVPolicy1'; Zones Added: 'IRV1', User: test
Memory Protection

When this option is checked, any Memory EXPLOIT ATTEMPTS that might be considered an attack from any of the Tenant's devices will be logged to the Syslog server.

  1. None: Allowed because no policy has been defined for this violation.

  2. Allowed: Allowed by policy.

  3. Blocked: Blocked from running by policy.

  4. Terminated: Process has been terminated.

Example Message of Memory Protection Event

Cyl CylancePROTECT: Event Type: ExploitAttempt, Event
Name: blocked, Device Name: WIN-7entSh64, IP Address:
(, Action: Blocked, Process ID: 3804,
Process Name: C:\AttackTest64.exe, User Name: admin,
Violation Type: LSASS Read

When this option is checked, any newly found threats, or changes observed for an existing threat will be logged to the Syslog server. Changes include a threat being removed, quarantined, waived, or executed.

There are 5 types of Threat Events:

  1. threat_found: A new threat has been found in an Unsafe status.

  2. threat_removed: An existing threat has been removed.

  3. threat_quarantined: A new threat has been found in the Quarantine status.

  4. threat_waived: A new threat has been found in the Waived status.

  5. threat_changed: The behavior of an existing threat has changed (e.g. score, quarantine status, running status).

Example Message of Threat Event

CylancePROTECT: Event Type: Threat, Event Name:
threat_found, Device Name: SH-Win81-1, IP Address:
(, File Name:
virusshare_00fbc4cc4b42774b50a9f71074b79bd9, Path:
c:\ruby\host_automation\test\data\test_files\, SHA256:
7DD510B, Status: Unsafe, Cylance Score: 100, Found Date:
6/1/2015 10:57:42 PM, File Type: Executable, Is Running:
False, Auto Run: False, Detected By: FileWatcher
Threat Classification

Each day, Cylance will classify hundreds of threats as either Malware or PUPs (Potentially Unwanted Programs). When that happens, you can subscribe to be notified of those events by checking this option. Example Message for Threat Classification

CylancePROTECT: Event Type: ThreatClassification, Event
Name: ResearchSaved, Threat Class: Malware, Threat
Subclass: Worm, SHA256:


Specifies the type of Syslog Server or SIEM that events are to be sent to. PROTOCOL This must match what you have configured on your Syslog server.


This must match what you have configured on your Syslog server. The choices are UDP or TCP. UDP is generally not recommended as it does not guarantee message delivery. TCP is the default and we encourage customers to use it.


Only available if the Protocol specified is TCP. TLS/SSL ensures the Syslog message is encrypted in transit from CylancePROTECT to the Syslog server. We encourage customers to checkmark this option. Be sure your Syslog server is configured to listen for TLS/SSL messages.


Specifies the IP address or fully-qualified domain name of the Syslog server that the customer has setup. Consult with your internal network experts to ensure firewall and domain settings are properly configured.


Enter Port 14015 log relay will listen for messages.


Specifies the severity of the messages should appear on the Syslog server. This is a subjective field, and you may set it to whatever level you like. The value of severity does not change the messages that are forwarded to syslog.


Specifies what type of application is logging the message. The default is Internal (aka Syslog). This is used to categorize the messages when they are received by the Syslog server.

Click on Test Connection to test the IP/DOMAIN, PORT, AND PROTOCOL settings. If you entered valid values, after a couple of moments, you should see a success confirmation popup:

Field Reference




ScriptControl Alert

Detects Script Control alerts from Cylance endpoints

Threat Quarantined

Alerts if a threat is quarantined by Cylance

Threat Found

Alerts if Cylance detects a threat

ScriptControl Blocked

Detects if Script Control blocks an action

Threat Cleared

Alerts if Cylance clears a threat

Threat Changed

Alerts if Cylance detects that a threat has changed

Optics Process Event

Alerts if Cylance optics detects a process event

Optics File Event

Alerts if Cylance optics detects a file event

Optics Registry Event

Alerts if Cylance optics detects a registry event

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.