Syslog Event Source Configuration Parameters for Remote Collector

Document created by RSA Information Design and Development on Nov 22, 2016
Last modified by RSA Information Design and Development on May 4, 2017
Version 9

This topic describes the parameters in the Syslog Event Sources view.

Caution: Do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors.

To access the Event Sources tab for a remote log collector:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click [icon: AdvcdExpandBtn.PNG] under Actions and select View > Config.
  4. In the Log Collector Event Sources tab, select Syslog/Config from the drop-down menu.

The Syslog/Config view in the Event Sources tab has two panels: Event Categories and Sources.

Event Categories Panel

In the Event Categories panel, you can add or delete the appropriate event source types.

                         
Feature | Description
[icon: Icon-Add.png] | Displays the Available Event Source Types dialog, from which you select the event source type for which you want to define parameters.
[icon: Icon_Delete_sm.png] | Deletes the selected event source types from the Event Categories panel.
[icon: Checkbox.png] | Selects event source types.
Name | Displays the names of the event source types that you have added.

Available Event Source Types Dialog

The Available Event Source Types dialog displays the list of supported event source types.

                         
Feature | Description
[icon: Checkbox.png] | Selects the event source type that you want to add.
Type | Displays the event source types that are available to add.
Cancel | Closes the dialog without adding an event source type.
OK | Adds the selected event source type to the Event Categories panel.

Sources Panel

Use this panel to review, add, modify, and delete event sources and their parameters for the event source type you selected in the Event Categories panel.

Toolbar

The following table provides descriptions of the toolbar options.

                               
Feature | Description
[icon: Icon-Add.png] | Displays the Add Source dialog in which you define the parameters for a Firewall host.
[icon: Icon_Delete_sm.png] | Deletes the host that you selected.
[icon: icon-edit.png] | Opens the Edit Source dialog, in which you edit the parameters for the selected event source. Select multiple event sources and click [icon: icon-edit.png] to open the Bulk Edit Source dialog, in which you can edit the parameter values for the selected event sources. Refer to the Log Collection Configuration Guide for detailed information on how to import, export, and edit event sources in bulk.
[icon: ImportSourceIcon.PNG] | Opens the Bulk Add Option dialog, in which you can import hosts in bulk from a comma-separated values (CSV) file. Refer to the Log Collection Configuration Guide for detailed information on how to import, export, and edit event sources in bulk.
[icon: ExportSourceIcon.PNG] | Creates a .csv file that contains the parameters for the selected hosts. Refer to the Log Collection Configuration Guide for detailed information on how to import, export, and edit event sources in bulk.

Add or Modify Sources Dialog

In this dialog, you add or modify an event source for the selected event source type.

                       
Feature | Description
Source Parameters | Lists the parameters populated with the default values. Enter or modify the appropriate values.
Cancel | Closes the dialog without adding an event source or saving the parameter values for the selected event source.
OK | In the Add Sources dialog, adds the event source and its parameters. In the Edit Source dialog, applies the parameter value changes for the selected event source.

Source Parameters

The following table provides descriptions of the source parameters.

                                                 
Name | Description
Basic |
Port* | Default port is 514.
Enabled | Select the check box to enable the event source configuration to start collection. The check box is selected by default.
Advanced |
Maximum Receivers | Maximum number of receiver resources used to process collected syslog events. The default value is 2.
Inflight Publish Log Threshold | Establishes a threshold at which Security Analytics generates a log message to help you resolve event flow issues. The threshold is the size of the syslog event messages currently flowing from the event source to Security Analytics. Valid values are: 0 (default), which disables the log message; 100-100000000, which generates a log message when the syslog event messages currently flowing from the event source to Security Analytics are within the 100 to 100000000 byte range.
Event Filter | Select a filter. Refer to Configure Event Filters for a Collector for instructions on how to define filters.
Debug | Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector. Enables or disables debug logging for the event source. Valid values are: Off (default) = disabled; On = enabled; Verbose = enabled in verbose mode, which adds thread information and source context information to the messages. This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact. If you change this value, the change takes effect immediately (no restart required).
Cancel | Closes the dialog without adding an event source type.
OK | Adds the parameters for the event source.

Tasks

Configure Syslog Event Sources for Remote Collector

Configure Event Filters for a Collector
