Log Collection Config: Configure Syslog Event Filters for Remote Collector

Document created by RSA Information Design and Development on Jul 23, 2016. Last modified by RSA Information Design and Development on Sep 14, 2016.
Version 4

This topic tells you how to create and maintain event filters for the Syslog collection protocol.

After completing this how-to, you will have:

  • Configured a Syslog Event Filter
  • Modified Syslog Event Filter Rules.

Caution: Do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors. See Access Local Collectors and Remote Collectors for additional configuration information.


Configure a Syslog Event Filter

To configure a Syslog event filter:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select Syslog/Filters from the drop-down menus.

    The Filters view displays the Syslog filters that are configured, if any.

  5. In the Filters panel toolbar, click the Add icon.

    The Add Filter dialog displays.

  6. Enter a name and description for the new filter and click Add.

    The new filter displays in the Filters panel.

  7. Select the new filter in the Filters panel and click the Add icon in the Filter Rules panel toolbar.

    The Add Filter Rule dialog is displayed.

  8. Click the Add icon under Rule Conditions.
  9. Add the parameters for this rule and click Update > OK.

Security Analytics updates the filter with the rule that you defined.

Field          Description
Key            Valid values are:
                 • Syslog level
                 • Source IP
                 • Raw Event
Operator       Valid values are:
                 • Contains
                 • Equal
Use Regex      Optional. Select this if you want to use a regular expression.
Value          Depends on the key you selected. For example, if you choose Syslog level for Key, the value is a number that denotes the syslog level.
Ignore case    Optional. Select this to match without regard to case.
Action         If there is a match, you can choose an action: accept, drop, next condition, or next rule.
               If there is no match, you can choose an action: accept, drop, next condition, or next rule.
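To make the match/no-match action chaining concrete, the following is an added Python model of a filter rule set; it is example code, not part of RSA Security Analytics. It assumes conditions are evaluated in order within a rule, rules in order within a filter, and that an event no rule decides on is accepted; the rule set and events are constructed for the example.

```python
import re
from dataclasses import dataclass
ACCEPT, DROP, NEXT_CONDITION, NEXT_RULE = "accept", "drop", "next condition", "next rule"

@dataclass
class Condition:
    key: str                    # "Syslog level", "Source IP" or "Raw Event"
    operator: str               # "Contains" or "Equal"
    value: str
    use_regex: bool = False
    ignore_case: bool = False
    on_match: str = NEXT_CONDITION
    on_no_match: str = NEXT_RULE

    def matches(self, event: dict) -> bool:
        actual = str(event[self.key])
        if self.use_regex:  # Contains: pattern anywhere in the field; Equal: pattern covers the whole field
            fn = re.search if self.operator == "Contains" else re.fullmatch
            return fn(self.value, actual, re.IGNORECASE if self.ignore_case else 0) is not None
        left, right = (actual.lower(), self.value.lower()) if self.ignore_case else (actual, self.value)
        return right in left if self.operator == "Contains" else left == right

def apply_filter(rules: list, event: dict) -> str:
    """Evaluate rules in order. Assumption: an event that no rule decides on is accepted."""
    for rule in rules:
        for cond in rule:
            action = cond.on_match if cond.matches(event) else cond.on_no_match
            if action in (ACCEPT, DROP):
                return action
            if action == NEXT_RULE:
                break  # abandon this rule and try the next one; NEXT_CONDITION just continues
    return ACCEPT
# Constructed filter: drop level-7 (debug) chatter from 10.0.0.5 unless the raw event mentions
# "error"; a second rule explicitly accepts sshd messages. Unmatched events fall through to accept.
RULES = [
    [Condition("Syslog level", "Equal", "7"),
     Condition("Source IP", "Equal", "10.0.0.5"),
     Condition("Raw Event", "Contains", r"\berror\b", use_regex=True, ignore_case=True,
               on_match=ACCEPT, on_no_match=DROP)],
    [Condition("Raw Event", "Contains", "sshd", ignore_case=True, on_match=ACCEPT)],
]
# Constructed sample events, not real log data
EVENTS = [
    {"Syslog level": 7, "Source IP": "10.0.0.5", "Raw Event": "debug: heartbeat ok"},
    {"Syslog level": 7, "Source IP": "10.0.0.5", "Raw Event": "debug: ERROR reading config"},
    {"Syslog level": 6, "Source IP": "10.0.0.9", "Raw Event": "sshd[412]: Accepted publickey"},
]

def run_sample() -> list:
    return [apply_filter(RULES, e) for e in EVENTS]  # returns ['drop', 'accept', 'accept']
```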

Modify Filter Rules

To modify a filter rule:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select Syslog/Filters from the drop-down menus.

    The Filters view displays the Syslog filters that are configured, if any.

  5. In the Filter Rules list, select a rule and click the Edit icon.

    The Edit Filter Rule dialog is displayed.

  6. Select the rule condition that you want to modify.
  7. Modify the condition parameters that require changes and click Update > OK.

Security Analytics applies the condition parameter changes to the selected filter rule.

Parameters

Syslog Event Filters View for Remote Collector
