# Outputting Matches to downstream receivers

## Match Syslog or Kafka Log Output (QUX only)

Matches identified by the engine are emitted using syslog or Kafka. Navigate in your Brain UI to *Configuration → RESPONSE → Notifications → Syslog or Kafka* to configure either. Vectra has also updated its Splunk Add-on and App for Detect to parse Match log output and has added a Vectra Match dashboard. The following articles provide additional guidance:

* [Send Syslog to Kafka](https://docs.vectra.ai/configuration/response/notifications/syslog-sending-to-kafka)
* [Vectra Syslog Guide](https://docs.vectra.ai/configuration/response/notifications/syslog-guide-qux)
* [Splunk SIEM / Vectra integration guide (start here for RUX)](https://docs.vectra.ai/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-rux)
* [Splunk SIEM / Vectra integration guide (start here for QUX)](https://docs.vectra.ai/configuration/response/siem/splunk-siem-vectra-integration-guide-start-here-for-qux)

In our sample deployment, we are using a Splunk instance and have set up Syslog to send in JSON format:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/18P0b1AvEQ74KIyrUrqo/Unknown%20image)

{% hint style="info" %}
**Please note:**

* Both the syslog and Kafka transports for Vectra Match log data support TCP or SSL and a configurable port.
* JSON is the recommended log format; CEF and standard syslog formats are also supported.
* Log messages are truncated at 16,384 bytes (16 KB) before transport.
  * A truncated message may therefore be missing expected fields, or end in incomplete JSON that the receiver cannot parse.
  * This typically happens when a Match log message carries many long domain names.
* Syslog messages sent over SSL may be truncated or dropped on the receiver side, because RFC 5425 (syslog over TLS) only requires receivers to accept 2 KB messages and recommends 8 KB. For this reason TCP is greatly preferred, and TLS/SSL should only be used when required.
  * Receivers typically truncate syslog messages over SSL at 4 or 8 KB.
  * Plain TCP carries the log contents (host names, domain names, signature details) in cleartext, so send it only over a trusted network path.
* UDP is unsupported for syslog Match messages, as its 1 KB default message limit would cause excessive truncation and message drops.
{% endhint %}

If you are already using syslog or Kafka to output log data from your Brain, you may only need to add the **Vectra Match** log type to the log types you have already configured.

The **Include enhanced detail** checkbox impacts both the syslog producer header and whether additional Vectra proprietary data is included in the log messages sent downstream.

* Syslog producer header
  * **Include enhanced detail** checked – header is `vectra_json_vectra_match_v2`
  * **Include enhanced detail** unchecked – header is `vectra_json_vectra_match`
* Vectra proprietary data
  * When **Include enhanced detail** is checked, an additional `vectra` field is included that carries HostID information for the originating and responding hosts and identifies the Sensor (device) that observed the traffic. This lets analysts see which Sensor saw the Match and track each side of the connection by its Vectra Host object rather than by IP address. Vectra HostID is a proprietary process that uses network artifacts and other learned information to name hosts and track them by that name, since IP addresses are often transient.
  * For additional detail on HostID, please see: [Understanding Vectra Host Naming](https://docs.vectra.ai/reference/understanding-vectra-host-naming)
  * Example added data is below:

```
"vectra": {
    "orig_hostname": "Source Host",
    "orig_huid": "fakesrch",
    "orig_sluid": "fakesrcs",
    "resp_hostname": "Dest Host",
    "resp_huid": "fakedsth",
    "resp_sluid": "fakedsts",
    "sensor_uid": "sensory-",
    "sensor_name": "Cool Sensor"
},
```

Below is how a raw message will appear in Splunk (screenshot does not include the additional **Vectra** field):

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/rDq4t2URi0NVTgObYSYK/Unknown%20image)

After the syslog producer header and the date, the payload is the same JSON (EVE) format that Suricata emits natively, so existing Suricata parsers and field extractions apply to it.
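As an added example (not Vectra's code and not part of the Splunk add-on), the Python below parses Match syslog lines in JSON format: it finds the producer header on the line, uses it to decide whether the enhanced `vectra` block should be present, and, when a message was cut at the 16 KB limit, salvages the complete top-level fields instead of discarding the whole event. The syslog framing ahead of the producer header (date and host name), the sample events, and the assumption that an undecodable payload means pre-transport truncation are all constructed for this example, not taken from the page.

```python
"""Parse Vectra Match syslog lines (JSON format) and cope with 16 KB truncation.

Added example, not Vectra code. Assumed: the producer header appears somewhere
before the JSON payload, the payload is the Suricata-style JSON object, and an
unparseable payload means the message was cut before transport.
"""
import json

MAX_MESSAGE_BYTES = 16384  # truncation limit stated on the page

# producer header -> whether the enhanced "vectra" block is expected
PRODUCER_HEADERS = {
    "vectra_json_vectra_match": False,
    "vectra_json_vectra_match_v2": True,
}


def salvage_truncated_json(text):
    """Return the complete top-level fields of a JSON object cut off mid-stream.

    Notes every comma at nesting depth 1 (outside strings); the latest comma
    at which cutting and closing with '}' gives valid JSON wins. {} if none.
    """
    depth, in_string, escaped, cuts = 0, False, False, []
    for i, ch in enumerate(text):
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
        elif ch in "}]":
            depth -= 1
        elif ch == "," and depth == 1:
            cuts.append(i)
    for cut in reversed(cuts):
        try:
            return json.loads(text[:cut] + "}")
        except json.JSONDecodeError:
            continue
    return {}


def parse_match_message(raw):
    """Parse one syslog line; flags truncation rather than raising on it."""
    start = raw.find("{")
    if start < 0:
        raise ValueError("no JSON payload in message")
    # the v1 header is a prefix of the v2 header, so match whole tokens only
    tokens = [t.strip(":") for t in raw[:start].split()]
    header = next((t for t in tokens if t in PRODUCER_HEADERS), None)
    if header is None:
        raise ValueError("no Vectra Match producer header before payload")
    payload, truncated = raw[start:], False
    try:
        event = json.loads(payload)
    except json.JSONDecodeError:
        truncated = True  # cut mid-JSON: keep the fields that are complete
        event = salvage_truncated_json(payload)
    enhanced = PRODUCER_HEADERS[header]
    return {
        "header": header,
        "enhanced": enhanced,
        "truncated": truncated,
        # sitting at the limit is a warning sign even when the JSON still parses
        "at_limit": len(raw.encode("utf-8")) >= MAX_MESSAGE_BYTES,
        # v2 promises a 'vectra' block; its absence means fields were lost
        "missing_enhanced": enhanced and "vectra" not in event,
        "event": event,
    }


# ---- constructed sample messages (not captured from a Brain) ----
SYSLOG_PREFIX = "May  1 12:00:00 brain "  # assumed framing before the producer header


def _sample_event(with_vectra):
    event = {"timestamp": "2024-05-01T12:00:00.000000+0000", "event_type": "alert",
             "src_ip": "10.0.0.5", "dest_ip": "198.51.100.7",
             "alert": {"signature": "constructed test signature"}}
    if with_vectra:  # field names follow the page's example block
        event["vectra"] = {"orig_hostname": "Source Host", "orig_huid": "fakesrch",
                           "resp_hostname": "Dest Host", "resp_huid": "fakedsth",
                           "sensor_uid": "sensory-", "sensor_name": "Cool Sensor"}
    return event


SAMPLE_V2 = SYSLOG_PREFIX + "vectra_json_vectra_match_v2: " + json.dumps(_sample_event(True))
SAMPLE_V1 = SYSLOG_PREFIX + "vectra_json_vectra_match: " + json.dumps(_sample_event(False))

# Many long domain names push the message past 16 KB; cut it as the Brain would.
_big = _sample_event(True)
_big["dns"] = {"answers": ["host%03d.long-subdomain.example.test" % i for i in range(500)]}
SAMPLE_TRUNCATED = (SYSLOG_PREFIX + "vectra_json_vectra_match_v2: " + json.dumps(_big))[:MAX_MESSAGE_BYTES]

if __name__ == "__main__":
    for line in (SAMPLE_V2, SAMPLE_V1, SAMPLE_TRUNCATED):
        parsed = parse_match_message(line)
        print(parsed["header"], "truncated=%s" % parsed["truncated"], sorted(parsed["event"]))
```

The salvage step is deliberately conservative: it only ever returns fields that were complete on the wire, so a downstream detection never acts on a half-written value, and the `truncated` and `at_limit` flags let you count how often the 16 KB limit is actually hit in your environment before deciding whether CEF or a narrower field set is worth it.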

## Match Stream Output to Data Lake or SIEM (RUX and QUX)

Stream is required for outputting Matches in Respond UX deployments and optional in Quadrant UX deployments. For overall Stream deployment, see the [Stream Deployment Guide](https://docs.vectra.ai/deployment/stream/deployment). Field descriptions are available in [Vectra AI platform network metadata](https://docs.vectra.ai/reference/metadata-attributes/vectra-ai-platform-azure-metadata-attributes). To output Matches, make sure the Match metadata type is enabled in *Configuration → COVERAGE → Stream → Metadata Types*, as shown in the screenshot below:

![](https://content.gitbook.com/content/HJ1ltuWFvsArFWtevnRn/blobs/HgrmKHo8YHZ3bnoDiNj5/Unknown%20image)

If you are already using Stream with RAW JSON as the publisher, also update your Stream configuration with the port on which Match metadata should be published. All other Stream configuration is as described in the [Stream Deployment Guide](https://docs.vectra.ai/deployment/stream/deployment).

## Using Match with Vectra Recall (QUX only)

Vectra Match supports metadata output to Vectra Recall for Quadrant UX deployments, including all log fields output by Match. If you are a Vectra Recall customer, this metadata is sent to Recall automatically and appears as a new **`metadata_match*`** category for use in Recall.

{% hint style="info" %}
**Please Note:**

* No additional configuration is required to enable this functionality.
* Custom models are supported for use with Match metadata.
  * Please see [Recall custom models - how to create detections (QUX)](https://docs.vectra.ai/operations/analyst-guidance/recall-custom-models-how-to-create-detections-qux) for more information.
* Match metadata cannot be filtered before being sent to Recall.
  * All available fields, and the metadata stream itself, are included whenever you hold an active entitlement to both Vectra Match and Vectra Recall.
* Field descriptions are available in [Vectra AI platform network metadata](https://docs.vectra.ai/reference/metadata-attributes/vectra-ai-platform-azure-metadata-attributes).
{% endhint %}
