This topic tells you how to configure Syslog event sources for the Log Collector.
Configure a Syslog Event Source
For Remote or Virtual Log Collectors, syslog listeners for UDP on port 514, TCP on port 514 and SSL on port 6514 are created by default. You should not change the SSL settings on the TCP and SSL listeners. If you need SSL certificate verification, create a new event source type to listen on a different port.
To configure the Log Collector for Syslog collection:
- Go to ADMIN > Services.
- In the Services grid, select a Log Collector, and from the Actions menu, choose > View > Config.
- Select the Event Sources tab.
Select Syslog/Config from the drop-down menu.
The Event Categories panel displays the Syslog event sources that are configured, if any.
The Available Event Source Types dialog is displayed.
- Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
The Add Source dialog is displayed.
Enter the port number, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.
Click OK to accept your changes and close the dialog box.
Once you configure one or both syslog types, the Log Decoder or Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in RSA NetWitness Platform.
For each protocol (TCP, UDP), you need to instantiate a separate syslog listener for each character encoding.
For example, assume that you have legacy event sources sending syslog in UDP and TCP with EUC-KR and EUC-JP encodings. You would need to configure four listeners for the Log Collector, and configure the syslog event sources to send to separate ports as follows:
- UDP <port1> for EUC-KR
- UDP <port2> for EUC-JP
- TCP <port3> for EUC-KR
- TCP <port4> for EUC-JP
Alternatively, you could use separate Remote/Virtual Log Collectors, each using the default port 514.
The following tables describe the available basic and advanced parameters for Syslog configuration.