You can send event log records to remote Unix/Linux Syslog servers either through the UDP or TCP protocol. Event log records can be sent in a variety of formats, including Snare, Graylog, CEF and others.
Hostname
The IP address or host name of the remote Syslog server.
Port
The port on which the remote Syslog server is listening for incoming requests, 514 by default.
Protocol
The protocol to use, either UDP or TCP. Most hosts use the UDP protocol.
Use TLS
Use TLS encryption when the remote Syslog server supports it; requires the TCP protocol.
Format
The format in which event log records are sent. The "EventSentry" format is shown below:
Direct (without collector):
hostname: optional prefix[timestamp-eventnumber]ID=eventid:eventlog:eventsource:eventcategory:severity:eventuser:eventmessage:binarydata
Indirect (through collector):
hostname: optional prefix[timestamp-eventnumber]ID=eventid:eventcomputer:eventlog:eventsource:eventcategory:severity:eventuser:eventmessage
Event category, event user and binary data are only included if they are present in the event record. Carriage returns in the event log record are removed automatically.
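The following parser is an added example, not part of the EventSentry documentation or product, for consuming records in the "EventSentry" format shown above on the receiving side. It handles both the direct and indirect layouts, honours a custom delimiter, and uses a bounded split so a delimiter inside the free-text event message does not shift the fields. Because event category, event user and binary data are only emitted when present, the caller has to state which optional fields the sender included; the sample records and the `parse_eventsentry` / `EventSentryRecord` names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Fixed header shared by the direct and indirect layouts:
#   hostname: optional prefix[timestamp-eventnumber]ID=eventid
HEADER_RE = re.compile(
    r"^(?P<hostname>[^:]+):\s"
    r"(?P<prefix>[^\[]*)"           # optional prefix; empty when none is configured
    r"\[(?P<stamp>[^\]]+)\]"        # [timestamp-eventnumber]
    r"ID=(?P<eventid>\d+)"
)


@dataclass
class EventSentryRecord:
    hostname: str
    prefix: str
    timestamp: str
    eventnumber: int
    eventid: int
    fields: Dict[str, str] = field(default_factory=dict)


def parse_eventsentry(line: str, delimiter: str = ":", indirect: bool = False,
                      has_category: bool = True, has_user: bool = True,
                      has_binary: bool = False) -> EventSentryRecord:
    """Parse one record in the EventSentry syslog format.

    The sender only emits event category, event user and binary data when they
    are present, so the caller states which optional fields the record carries
    (an assumption of this example: a real consumer must know the sender's
    configuration, or use a self-describing format such as RFC 5424 or JSON).
    """
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an EventSentry-format record: {line!r}")

    # timestamp-eventnumber: split on the last '-' so dashes inside the date survive
    timestamp, _, number = m.group("stamp").rpartition("-")
    if not number.isdigit():
        raise ValueError(f"bad [timestamp-eventnumber] header: {m.group('stamp')!r}")

    rest = line[m.end():]
    if not rest.startswith(delimiter):
        raise ValueError(f"expected delimiter {delimiter!r} after event id")
    rest = rest[len(delimiter):]

    # Build the documented field order for this layout.
    names = ["eventcomputer"] if indirect else []
    names += ["eventlog", "eventsource"]
    if has_category:
        names.append("eventcategory")
    names.append("severity")
    if has_user:
        names.append("eventuser")
    names.append("eventmessage")

    # Binary data (direct layout only) trails the message; peel it off from the
    # right so a delimiter inside the message is not mistaken for a boundary.
    binary: Optional[str] = None
    if has_binary:
        rest, _, binary = rest.rpartition(delimiter)

    # maxsplit keeps the message intact even when it contains the delimiter.
    parts = rest.split(delimiter, len(names) - 1)
    if len(parts) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(parts)}: {rest!r}")

    fields = dict(zip(names, parts))
    if binary is not None:
        fields["binarydata"] = binary
    return EventSentryRecord(m.group("hostname"), m.group("prefix").strip(),
                             timestamp, int(number), int(m.group("eventid")), fields)


# Constructed sample records (not captured from a real system).
DIRECT_SAMPLE = (
    "SRV01: [2024-03-05 14:02:11-1042]ID=4625:Security:"
    "Microsoft-Windows-Security-Auditing:Logon:Audit Failure:NT AUTHORITY\\SYSTEM:"
    "An account failed to log on. Reason: Unknown user name or bad password."
)
INDIRECT_SAMPLE = (
    "COLLECTOR1: ES [2024-03-05 14:02:12-77]ID=7045|SRV02|System|"
    "Service Control Manager|Information|SYSTEM|"
    "A service was installed in the system. Service Name: ExampleSvc"
)

if __name__ == "__main__":
    direct = parse_eventsentry(DIRECT_SAMPLE)
    print(direct.hostname, direct.eventid, direct.fields["eventmessage"])
    indirect = parse_eventsentry(INDIRECT_SAMPLE, delimiter="|", indirect=True,
                                 has_category=False)
    print(indirect.prefix, indirect.fields["eventcomputer"], indirect.fields["eventmessage"])
```

The positional nature of this format is its main weakness for automated processing: if the delimiter also appears inside a field other than the message, or if the sender's optional-field configuration differs from what the parser expects, fields silently shift. Where the receiver needs reliable field extraction, the RFC 5424 format with "Include Structured Data" enabled, or the JSON format, avoids that ambiguity.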
Other supported formats are Snare, RFC 5424, Graylog (GELF), CEF, Nagios Log Server as well as a custom JSON format.
Criticality (Snare format only)
When the "Snare" format is selected, configure a criticality.
Prefix
You can have a text string prefix every Syslog message that is sent out by EventSentry. Simply enter the string into the Prefix field.
Delimiter
By default, all fields from the event log are concatenated with a colon (:), but a different delimiter can be specified.
Convert log text to UTF8
Converts the event log message to UTF8 format.
Include event binary data
Includes event binary data, if any, in the Syslog message.
Include Structured Data (RFC 5424 only)
Includes key event fields as structured data in addition to the Syslog message.
Compress
Compresses the data; only supported for the GELF format over UDP.
Test
Sends a test Syslog message over UDP to the remote host.
Most Syslog daemons on Unix/Linux servers do not accept remote Syslog packets by default. Please read the relevant man pages if you do not know how to enable this feature. On most Linux distributions you will need to either pass the -r or -x option to the Syslog daemon upon startup.