Log Collection Config: Configure Syslog Event Sources for Remote Collector

Document created by RSA Information Design and Development on Sep 11, 2017. Last modified by RSA Information Design and Development on Oct 12, 2017. Version 7.

This topic tells you how to configure Syslog event sources for the Log Collector.

You do not configure Syslog Collection for Local Log Collectors. You only need to configure Syslog Collection for Remote Collectors.

Configure a Syslog Event Source

Note: You only need to configure Syslog collection the first time that you set up an event source that uses Syslog to send its output to RSA NetWitness Suite.

You should configure either the Log Decoder or the Remote Log Collector for Syslog. You do not need to configure both.

To configure the Log Decoder for Syslog collection:

  1. Go to Admin > Services.
  2. In the Services grid, select a Log Decoder, and from the Actions menu, choose > View > System.
  3. Depending on the icon you see, do one of the following:

    • If you see , click the icon to start capturing Syslog.
    • If you see , you do not need to do anything; this Log Decoder is already capturing Syslog.

To configure the Remote Log Collector for Syslog collection:

  1. Go to Admin > Services.
  2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose > View > Event Sources.
  3. Select Syslog/Config from the drop-down menu.

    The Event Categories panel displays the Syslog event sources that are configured, if any.

  4. In the Event Categories panel toolbar, click .

    The Available Event Source Types dialog is displayed.

  5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
  6. Select the new type in the Event Categories panel and click in the Sources panel toolbar.

    The Add Source dialog is displayed.

  7. Enter 514 for the port, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.

    Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Log Decoder or Remote Log Collector collects those types of messages from all available event sources. You can therefore continue to add Syslog event sources to your environment without any further configuration in RSA NetWitness Suite.
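A quick way to confirm that a newly configured syslog-udp or syslog-tcp event source is actually listening on port 514 is to send it one well-formed test message and then look for it in the collector. The script below is an added example and not part of the RSA NetWitness documentation; the collector hostname is a placeholder, and sending is left commented out so the block runs offline and only builds the message.

```python
"""Build (and optionally send) a test syslog message to a collector on port 514.

Added example, not RSA NetWitness code. "collector.example.invalid" is a placeholder
for your Remote Log Collector; replace it before uncommenting the send call.
"""
import socket
from datetime import datetime, timezone
from typing import Optional

SYSLOG_PORT = 514  # the port entered in step 7 of the procedure above


def build_syslog_message(facility: int, severity: int, hostname: str, app: str,
                         msg: str, now: Optional[datetime] = None) -> bytes:
    """Return an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.

    PRI is facility * 8 + severity; PROCID, MSGID and structured data are
    sent as NILVALUE ('-') because a collection check does not need them.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode("utf-8")


def frame_for_tcp(message: bytes) -> bytes:
    """Octet-counting framing (RFC 6587): a '<length> ' prefix lets a TCP
    receiver find message boundaries even if the message contains newlines."""
    return f"{len(message)} ".encode("ascii") + message


def send_test_message(collector: str, transport: str, message: bytes) -> int:
    """Deliver one message over syslog-udp or syslog-tcp; returns bytes sent."""
    if transport == "udp":
        # UDP: one datagram per message, no framing needed.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(message, (collector, SYSLOG_PORT))
    if transport == "tcp":
        framed = frame_for_tcp(message)
        with socket.create_connection((collector, SYSLOG_PORT), timeout=5) as s:
            s.sendall(framed)
            return len(framed)
    raise ValueError("transport must be 'udp' or 'tcp'")


if __name__ == "__main__":
    # facility 1 (user), severity 6 (informational) -> PRI 14
    test_msg = build_syslog_message(1, 6, "testhost", "nwtest",
                                    "NetWitness syslog collection check")
    print(test_msg.decode())
    # send_test_message("collector.example.invalid", "udp", test_msg)
```

After sending, confirm the event appears in the collector (with Debug set to On only while troubleshooting, as the parameter table below cautions), then turn Debug back Off.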

Syslog Parameters

The following table describes the available parameters for Syslog configuration.

Basic parameters

  Port* - Default port is 514.

  Enabled - Select the check box to enable the event source configuration to start collection. The check box is selected by default.

Advanced parameters

  Inflight Publish Log Threshold - Establishes a threshold that, when reached, causes NetWitness to generate a log message to help you resolve event flow issues. The threshold is the size of the syslog event messages currently flowing from the event source to NetWitness.

    Valid values are:

      • 0 (default) - disables the log message
      • 100-100000000 - generates a log message when the size of the syslog event messages currently flowing from the event source to NetWitness is within the 100 to 100000000 byte range.

  Maximum Receivers - Maximum number of receiver resources used to process collected syslog events. The default value is 2.

  Debug - Enables/disables debug logging for the event source.

    Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

    Valid values are:

      • Off = (default) disabled
      • On = enabled
      • Verbose = enabled in verbose mode - adds thread information and source context information to the messages.

    This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources that have it enabled to minimize the performance impact.
    If you change this value, the change takes effect immediately (no restart required).

  Event Filter - Select a filter. Refer to Configure Event Filters for a Collector for instructions on how to define filters.

Dialog buttons

  OK - Adds the parameters for the event source.
  Cancel - Closes the dialog without adding an event source type.