This topic tells you how to configure Syslog event sources for the Log Collector.
Configure a Syslog Event Source
For Remote or Virtual Log Collectors, syslog listeners for UDP on port 514, TCP on port 514 and SSL on port 6514 are created by default. You should not change the SSL settings on the TCP and SSL listeners. If you need SSL certificate verification, create a new event source type to listen on a different port.
To configure the Log Collector for Syslog collection:
- Go to (Admin) > Services.
- In the Services grid, select a Log Collector, and from the Actions menu, choose > View > Config.
- Select the Event Sources tab.
Select Syslog/Config from the drop-down menu.
The Event Categories panel displays the Syslog event sources that are configured, if any.
In the Event Categories panel toolbar, click .
The Available Event Source Types dialog is displayed.
- Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
Select the new type in the Event Categories panel and click in the Sources panel toolbar.
The Add Source dialog is displayed.
Enter the port number, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.
Click OK to accept your changes and close the dialog box.
Once you configure one or both syslog types, the Log Decoder or Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in RSA NetWitness Platform.
For each protocol (TCP, UDP), you need to instantiate a separate syslog listener for each character encoding.
For example, assume that you have legacy event sources sending syslog in UDP and TCP with EUC-KR and EUC-JP encodings. You would need to configure four listeners for the Log Collector, and configure the syslog event sources to send to separate ports as follows:
- UDP <port1> for EUC-KR
- UDP <port2> for EUC-JP
- TCP <port3> for EUC-KR
- TCP <port4> for EUC-JP
Alternatively, you could use separate Remote/Virtual Log Collectors, each using the default port 514.
The following tables describe the available basic and advanced parameters for Syslog configuration.
Enter the port number that you configured for your event sources.
Select the check box to enable the event source configuration to start collection. The check box is selected by default.
|SSL Receiver|| |
If you select the check box, the event source accepts SSL/TLS connections only. Also, if you change this setting, you must stop and restart Syslog collection for the change to become effective.
Character encoding used by the syslog senders to this port. Defaults to UTF-8.
RSA has tested the following values:
Inflight Publish Log Threshold
Establishes a threshold that, when reached, NetWitness generates a log message to help you resolve event flow issues. The Threshold is the size of the syslog event messages currently flowing from the event source to NetWitness.
Valid values are:
Maximum number of receiver resources used to process collected syslog events. The default value is 2.
Select a filter.
Refer to Configure Event Filters for a Collector for instructions on how to define filters.
Enables or disables debug logging for the event source.
Valid values are:
This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
SSL Verify Mode
This setting is relevant only if the SSL Receiver setting is selected. If you change the SSL Verify Mode, you must stop and restart Syslog collection for the change to become effective.
Certificate Directory Path
You can configure custom certificates for the syslog listener on Log Collectors. For details, see (Optional) Configure Custom Certificates on Log Collectors.