This topic tells you how to configure Syslog event sources for the Log Collector.
You do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors.
Configure a Syslog Event Source
Syslog listeners for UDP on port 514, TCP on port 514 and SSL on port 6514 are created by default. You should not change the SSL settings on the TCP and SSL listeners. If you need SSL certificate verification, create a new event source type to listen on a different port. Please note that iptables needs to be configured to open that port.
To configure the Remote Log Collector for Syslog collection:
- Go to ADMIN > Services.
- In the Services grid, select a Remote Log Collector, and from the Actions menu, choose View > Config.
- Select the Event Sources tab.
- Select Syslog/Config from the drop-down menu.
The Event Categories panel displays the Syslog event sources that are configured, if any.
The Available Event Source Types dialog is displayed.
- Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
The Add Source dialog is displayed.
- Enter the port number, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.
- Click OK to accept your changes and close the dialog box.
Once you configure one or both syslog types, the Log Decoder or Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in RSA NetWitness Suite.
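To confirm that an enabled syslog-udp or syslog-tcp listener accepts traffic, you can send it a test message from an event source host. The following script is an added example, not part of the RSA documentation; the function names, the collector address, and newline framing on TCP are assumptions.

```python
import socket
from datetime import datetime, timezone

def build_message(text, host="test-sender", app="listener-check",
                  facility=1, severity=6):
    """Return one RFC 5424 syslog line; PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app} - - - {text}".encode("utf-8")

def send_udp(collector, port, payload):
    """Send one datagram. UDP gives no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (collector, port))

def send_tcp(collector, port, payload, timeout=5.0):
    """Send one newline-terminated message (framing is an assumption)."""
    with socket.create_connection((collector, port), timeout=timeout) as s:
        s.sendall(payload + b"\n")

def check_listeners(collector, udp_port=514, tcp_port=514):
    """Send a test message to each listener and report the outcome."""
    results = {}
    payload = build_message("syslog listener test (constructed message)")
    try:
        send_udp(collector, udp_port, payload)
        # A successful send only means the datagram left this host.
        results["udp"] = "sent, unconfirmed"
    except OSError as exc:
        results["udp"] = f"failed: {exc}"
    try:
        send_tcp(collector, tcp_port, payload)
        results["tcp"] = "sent, connection accepted"
    except OSError as exc:
        # Refused or timed out: listener disabled, wrong port, or firewall.
        results["tcp"] = f"failed: {exc}"
    return results

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (RFC 5737); use your collector's.
    for transport, outcome in check_listeners("192.0.2.10").items():
        print(f"{transport}: {outcome}")
```

A TCP failure points to a disabled listener, a wrong port, or a port that iptables does not allow. Because a UDP send succeeds even when nothing is listening, confirm receipt of the UDP test message on the collector side.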
The following tables describe the available basic and advanced parameters for Syslog configuration.