This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
JeffHermans
Beginner
Beginner
‎2011-12-15 04:14 PM

Syslog Relay

Our infrastructure team is currently sending all of their device logs to enVision but they would like some of the logs to be sent to their own logging solution as well. Some of the devices only allow one syslog server destination so I am attempting to setup enVision to relay the syslog events after enVision processes the events.

 

I've already setup a Correlation Rule that matches on the devices by Device Group membership with an Event Selection as Content from ALL devices IN * . The Decay Time is set to 0 Hours. I then have a View that includes the Correlation Rule with an Output Action type of Syslog.

 

The result I'm seeing is that not all of the events are getting forwarded to their syslog server. I'm stumped on this one and haven't been able to get any debug information out of pi_alerter.exe.

 

Any help or best practices for setting up enVision as a SYSLOG relay would be appreciated.

 

Thanks! Jeff

0 Likes
Reply
1 Reply
RSAAdmin
Beginner
Beginner
‎2011-12-16 02:23 PM

It would probably be much easier to set up a box with syslog-ng and have it do the relaying for you.

 

Depending on the device types you need to relay, setup is very simple. The docs and knowledgebase have information on the settings you need to use for your relay.  The only devicetype we had some challenges with was Oracle -- there's a thread here with info on making that work.

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.