Log Collection: Configure Syslog Event Sources for Remote Collector

Document created by RSA Information Design and Development on Sep 11, 2017Last modified by RSA Information Design and Development on Sep 12, 2018
Version 12Show Document
  • View in full screen mode
 

This topic tells you how to configure Syslog event sources for the Log Collector.

Note: You do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors.

Configure a Syslog Event Source

Syslog listeners for UDP on port 514, TCP on port 514 and SSL on port 6514 are created by default. You should not change the SSL settings on the TCP and SSL listeners. If you need SSL certificate verification, create a new event source type to listen on a different port. Please note that iptables needs to be configured to open that port.

To configure the Remote Log Collector for Syslog collection:

  1. Go to ADMIN > Services.
  2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose  actions menu > View > Config.
  3. Select the Event Sources tab.
  4. Select Syslog/Config from the drop-down menu.

    The Event Categories panel displays the Syslog event sources that are configured, if any.

    Note: For RSA NetWitness Platform, some Syslog event sources are available by default. In this case, you can proceed to step 6.

  5. In the Event Categories panel toolbar, click add icon.

    The Available Event Source Types dialog is displayed.

  6. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
  7. Select the new type in the Event Categories panel and click add icon in the Sources panel toolbar.

    The Add Source dialog is displayed.

  8. Enter the port number, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.

    Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Log Decoder or Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in RSA NetWitness Platform.

Syslog Parameters

The following tables describe the available basic and advanced parameters for Syslog configuration.

Note: Required parameters are marked with an asterisk. All other parameters are optional.

Basic Parameters

                       
NameDescription
Port*Default port is 514.
EnabledSelect the check box to enable the event source configuration to start collection. The check box is selected by default.
SSL Receiver

Note: This parameter applies to RSA NetWitness® Platform version 11.1 and newer. It is available only for the syslog-tcp Event Category.

If you select the check box, the event source accepts SSL/TLS connections only. Also, if you change this setting, you must stop and restart Syslog collection for the change to become effective.

Advanced Parameters

                               
NameDescription
Inflight Publish Log Threshold

Establishes a threshold that, when reached, NetWitness generates a log message to help you resolve event flow issues. The Threshold is the size of the syslog event messages currently flowing from the event source to NetWitness.

Valid values are:

  • 0 (default) - disables the log message
  • 100-100000000 - generates log message when  the syslog event messages currently flowing from the event source to NetWitness are within the 100 to 100000000 byte range.
Maximum ReceiversMaximum number of receiver resources used to process collected syslog events.  The  default value is 2.
Event Filter

Select a filter.

Please refer to Configure Event Filters for a Collector for instructions on how to define filters.

Debug

Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

Enables or disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode ‐ adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
If you change this value, the change takes effect immediately (no restart required).

SSL Verify Mode

Note: This parameter applies to RSA NetWitness® Platform version 11.1 and newer. It is available only for the syslog-tcp Event Category.

This setting is relevant only if the SSL Receiver setting is selected. If you change the SSL Verify Mode, you must stop and restart Syslog collection for the change to become effective.

Available options:

  • verify-none: (default) The server does not verify the client's certificate, if any. A client can connect without presenting a certificate.
  • verify-peer: The server verifies the client's certificate, if any. A client can connect without presenting a certificate.

    Note: If verification fails, a warning is logged but the messages will still be accepted.

  • verify-peer-fail-if-no-cert: The client must present a certificate and the server will verify it.

    Note: If you use this mode, the client's CA certificate must be uploaded to the Log Collector's truststore using the REST API at http://LC-ip-address:50101/sys/caupload

You are here
Table of Contents > Collection Protocols > Configure Syslog Event Sources for Remote Collector

Attachments

    Outcomes