You can configure Syslog forwarding to forward the operating system logs of your Security Analytics Hosts to a remote syslog server. You can use the Set Syslog Forwarding task in the Host Task List to enable or disable syslog forwarding.
Set Up and Start Syslog Forwarding
- In the Security Analytics menu, select Administration > Services.
The System view for the service is displayed.
- In the Services System view toolbar, click Host Tasks.
- In the Host Task List, select Set Syslog Forwarding.
In the Info area, a brief explanation of the task and the task arguments is displayed.
- In the Arguments field, do any one of the following.
- To enable syslog forwarding, specify any one of the following formats:
  - host=<loghost>.<localdomain> (for example, host=syslogserver.local).
  - host=<loghost>.<localdomain>:<port> (for example, host=syslogserver.local:514).
  - host=<IP> (for example, host=10.31.244.244).
  - host=<IP>:<port> (for example, host=10.31.244.244:514).
The following table lists the parameters used to enable syslog forwarding and their descriptions.

| Parameter | Description |
|---|---|
| loghost | The host name of the remote syslog server. |
| localdomain | The domain of the remote syslog server. |
| IP | The IP address of the remote syslog server. |
| port | The port number on which the remote syslog server receives syslog messages. |
- To disable syslog forwarding, type host=disable.
The result is displayed in the Output area.
Once syslog forwarding is enabled or disabled, the /etc/rsyslog.conf file is updated automatically to enable or disable syslog forwarding to the remote syslog destination and the syslog service is restarted.
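As an added example (not code from the Security Analytics product), the following Python validates a Set Syslog Forwarding argument against the four documented formats and host=disable, then renders the rsyslog forwarding line the argument corresponds to. The `*.* @host:port` UDP form and the fallback to port 514 when no port is given are assumptions, since the page does not show the directive it writes to /etc/rsyslog.conf.

```python
import ipaddress
import re

# Host name: dot-separated labels of letters, digits and hyphens (RFC 1123 style).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

DEFAULT_PORT = 514  # assumption: the port used in the page's examples


def parse_forwarding_argument(argument):
    """Parse a 'host=...' task argument.

    Returns None for 'host=disable', otherwise a (destination, port) tuple.
    Raises ValueError for anything outside the documented formats.
    """
    key, sep, value = argument.strip().partition("=")
    if key != "host" or not sep:
        raise ValueError("argument must have the form host=<value>")
    if value == "disable":
        return None
    destination, _, port_text = value.partition(":")
    if port_text:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError("port must be an integer between 1 and 65535")
        port = int(port_text)
    else:
        port = DEFAULT_PORT
    try:
        ipaddress.IPv4Address(destination)  # host=<IP> or host=<IP>:<port>
    except ValueError:
        if not _HOSTNAME_RE.match(destination):  # host=<loghost>.<localdomain>
            raise ValueError("destination is neither an IPv4 address nor a host name")
    return destination, port


def is_valid_forwarding_argument(argument):
    """True if the argument would be accepted by parse_forwarding_argument."""
    try:
        parse_forwarding_argument(argument)
    except ValueError:
        return False
    return True


def rsyslog_forwarding_rule(argument):
    """Render the legacy rsyslog action for this argument, or None to remove it.

    Assumption (not stated on the page): forwarding is UDP ('@'); TCP uses '@@'.
    """
    parsed = parse_forwarding_argument(argument)
    if parsed is None:
        return None
    destination, port = parsed
    return f"*.* @{destination}:{port}"
```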
If you enable syslog forwarding, the logs from the configured service are forwarded to the defined syslog server, and forwarding continues until it is disabled.
Note: You can now log in to the remote syslog server and verify that messages are being received from the Security Analytics services configured for syslog forwarding.