
EventSentry can emulate a Unix / Linux Syslog server which enables it to receive Syslog messages from remote Syslog-enabled hosts and devices. The Syslog daemon supports UDP, TCP and TCP+TLS connections and you can either log incoming Syslog messages to the application event log or store them in a database.

 

To activate the Syslog daemon, check one of the check boxes in the Syslog Daemons section on the "General" tab and configure either the database or event log feature.

 


Syslog Daemons

The Syslog daemon can accept UDP and TCP connections from remote Syslog-capable devices. To activate either protocol, check the appropriate check box. The default port for the Syslog protocol is 514 but can be adjusted to use a custom port.

 

TCP + TLS

Automatically creates a self-signed certificate file the first time the feature is enabled to facilitate TLS communication. Creates the following files:

 

%SYSTEMROOT%\system32\eventsentry\secure\es_network_svc.pfx

%SYSTEMROOT%\system32\eventsentry\secure\es_network_svc.pem (public certificate for distribution)

 

The public PEM file can be copied to remote Syslog clients that require this file in order to trust the self-signed certificate file.

 

Threshold Settings

To limit the number of Syslog messages that are processed by the Syslog daemon, change the maximum number of messages and the applicable time period. The Syslog daemon will drop incoming packets if the count exceeds the number specified in Maximum number of allowed messages for the configured Time Period.

 

Authorized IP Addresses / Networks

For enhanced security the Syslog daemon can be configured to only accept packets from certain IP addresses and/or networks. Host names are not allowed in the list, only IP addresses can be specified.

 

IP addresses can be entered with or without specifying the subnet bits. For example, to only add two servers with the IP addresses 184.23.22.11 and 184.23.22.43, simply add those two IP addresses to the list.

 

To authorize a whole subnet, for example the IP addresses 184.23.22.1 - 184.23.22.254, add 184.23.22.0/24. To only allow the range 184.23.22.128 - 184.23.22.254, specify 184.23.22.128/25.
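The following is an added example, not EventSentry's own code, showing how the authorized-list matching described above and the threshold from the Threshold Settings section combine to decide whether an incoming packet is processed. It uses the page's example addresses in a constructed list; the treatment of an entry without subnet bits as a single host (/32) and the order of the two checks are assumptions.

```python
import ipaddress
from collections import deque

# Constructed sample "Authorized IP Addresses / Networks" list using the page's
# example addresses: two single hosts and the 184.23.22.128/25 range.
AUTHORIZED = ["184.23.22.11", "184.23.22.43", "184.23.22.128/25"]

def parse_authorized(entries):
    """Entries without subnet bits become single-host (/32) networks; host names are rejected."""
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry))
        except ValueError as exc:
            raise ValueError(f"invalid entry {entry!r}: only IP addresses or networks are allowed") from exc
    return networks

def is_authorized(source_ip, networks):
    """True if the packet's source address falls inside any authorized host or network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)

class SyslogThreshold:
    """Sliding window: at most max_messages per period seconds; further packets are dropped."""
    def __init__(self, max_messages, period):
        self.max_messages, self.period, self.stamps = max_messages, period, deque()

    def accept(self, now):
        while self.stamps and now - self.stamps[0] >= self.period:
            self.stamps.popleft()  # expire timestamps that fell outside the window
        if len(self.stamps) >= self.max_messages:
            return False
        self.stamps.append(now)
        return True

def filter_packets(packets, authorized, threshold):
    """packets: (timestamp, source_ip, message) tuples. Unauthorized sources are dropped first
    and do not count toward the threshold (an assumption, not EventSentry's documented order)."""
    networks = parse_authorized(authorized)
    accepted, dropped = [], []
    for ts, src, msg in packets:
        if not is_authorized(src, networks):
            dropped.append((src, "unauthorized source"))
        elif not threshold.accept(ts):
            dropped.append((src, "threshold exceeded"))
        else:
            accepted.append(msg)
    return accepted, dropped
```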

 

Compatibility

The EventSentry Syslog daemon works with every Unix Syslog daemon (any Linux, Solaris, OSX, ...) and network devices that support the Syslog RFC 3164 protocol.