
Syslog Relay

Discussion created by 2QFL3LymIB6xwL5Uy73QZVQtt0E2S9rpdhju7K8M9jQ= on Dec 15, 2011
Latest reply on Dec 16, 2011 by RSA Admin

Our infrastructure team is currently sending all of their device logs to enVision, but they would like some of the logs to be sent to their own logging solution as well. Some of the devices only allow one syslog server destination, so I am attempting to set up enVision to relay the syslog events after enVision processes the events.


I've already set up a Correlation Rule that matches on the devices by Device Group membership, with an Event Selection of Content from ALL devices IN *. The Decay Time is set to 0 Hours. I then have a View that includes the Correlation Rule with an Output Action type of Syslog.


The result I'm seeing is that not all of the events are getting forwarded to their syslog server. I'm stumped on this one and haven't been able to get any debug information out of pi_alerter.exe.


Any help or best practices for setting up enVision as a SYSLOG relay would be appreciated.


Thanks! Jeff
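Added example (not code from the poster, from RSA, or from enVision): a minimal UDP syslog fan-out relay in Python that does the job the post is trying to configure. It takes each device's single syslog stream, selects events by source address (standing in for the Device Group membership in the Correlation Rule), copies every selected event unchanged to more than one destination, and keeps per-destination counters so a shortfall like the one described shows up as a number rather than a guess. The destination addresses, source IPs and log lines below are constructed for the example.

```python
"""Minimal UDP syslog fan-out relay with per-destination accounting (added example)."""
import re
import socket

# RFC 3164 priority header "<PRI>", PRI = facility*8 + severity, PRI <= 191.
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(raw: bytes):
    """Return (facility, severity, body) for one datagram, or None if the PRI
    header is missing or out of range; such datagrams are counted as dropped."""
    m = _PRI_RE.match(raw)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri >> 3, pri & 7, m.group(2)


class FanOutRelay:
    """Copy each selected event from one inbound stream to every destination.

    selected_sources: source IPs to relay (None = relay everything).
    sender: injectable send callable so the logic runs without a network;
            the default sends UDP datagrams.
    """

    def __init__(self, destinations, selected_sources=None, sender=None):
        self.destinations = [tuple(d) for d in destinations]
        self.selected_sources = set(selected_sources) if selected_sources else None
        self._sender = sender or self._udp_send
        self._sock = None
        # received must equal per-destination forwarded + dropped + not_selected;
        # any other result means events are lost before they reach the receivers.
        self.received = 0
        self.dropped = 0
        self.not_selected = 0
        self.forwarded = {d: 0 for d in self.destinations}

    def _udp_send(self, dest, payload):
        if self._sock is None:
            self._sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self._sock.sendto(payload, dest)

    def handle(self, raw: bytes, src_ip: str) -> bool:
        """Process one datagram; True if it was forwarded to all destinations."""
        self.received += 1
        if self.selected_sources is not None and src_ip not in self.selected_sources:
            self.not_selected += 1
            return False
        if parse_pri(raw) is None:
            self.dropped += 1
            return False
        for dest in self.destinations:
            self._sender(dest, raw)  # forwarded byte-for-byte, original PRI and host kept
            self.forwarded[dest] += 1
        return True

    def accounted_for(self) -> bool:
        """True when every received datagram was forwarded everywhere, dropped, or filtered."""
        counts = set(self.forwarded.values())
        per_dest = counts.pop() if len(counts) == 1 else -1
        return per_dest + self.dropped + self.not_selected == self.received

    def serve(self, bind=("0.0.0.0", 514)):
        """Blocking receive loop (UDP/514 needs root; use a high port when testing)."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind(bind)
            while True:
                data, (ip, _port) = s.recvfrom(65535)
                self.handle(data, ip)


# Constructed sample datagrams (not real device output).
SAMPLE_EVENTS = [
    (b"<134>Dec 15 10:01:02 fw01 kernel: accept TCP 10.0.0.5:4431 -> 10.0.1.9:443", "10.0.0.1"),
    (b"<190>Dec 15 10:01:03 sw02 %LINK-3-UPDOWN: Interface Gi1/0/7 changed state to down", "10.0.0.2"),
    (b"Dec 15 10:01:04 fw01 this line has no PRI header", "10.0.0.1"),
    (b"<14>Dec 15 10:01:05 lab-box sshd[1034]: Accepted publickey for ops", "10.9.9.9"),
]


def run_sample(selected=("10.0.0.1", "10.0.0.2")):
    """Feed the samples through a relay with a capturing sender; return the relay."""
    captured = []
    relay = FanOutRelay(
        destinations=[("192.0.2.10", 514), ("192.0.2.20", 514)],  # hypothetical receivers
        selected_sources=selected,
        sender=lambda dest, payload: captured.append((dest, payload)),
    )
    for raw, src in SAMPLE_EVENTS:
        relay.handle(raw, src)
    relay.captured = captured
    return relay


if __name__ == "__main__":
    r = run_sample()
    print(f"received={r.received} forwarded={r.forwarded} dropped={r.dropped} "
          f"not_selected={r.not_selected} accounted_for={r.accounted_for()}")
```

The counters are the part worth copying: whatever product sits in the middle, compare what it received against what each receiver saw, and separate "not selected by the rule" from "could not be parsed" before concluding that the forwarder itself is dropping events.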
