Syslog Daemon


EventSentry can emulate a Unix / Linux Syslog server which enables it to receive Syslog messages from remote Syslog-enabled hosts and devices. The Syslog daemon supports UDP, TCP and TCP+TLS connections and you can either log incoming Syslog messages to the application event log or store them in a database.

 

To activate the Syslog daemon, check one of the check boxes in the Syslog Daemons section on the "General" tab and configure either the database or event log feature.

 


Syslog Daemons

You can configure the Syslog daemon to accept UDP and TCP connections from remote Syslog-capable devices. To activate either protocol, check the appropriate check box. The default port for the Syslog protocol is 514, but you can change the port for UDP and TCP connections by adjusting the number.

 

TCP + TLS

When this option is enabled for the first time, EventSentry automatically creates a self-signed certificate to facilitate TLS communication and stores it in the following files:

 

%SYSTEMROOT%\system32\eventsentry\secure\es_network_svc.pfx

%SYSTEMROOT%\system32\eventsentry\secure\es_network_svc.pem (public certificate for distribution)

 

The public PEM file can be copied to remote Syslog clients that require this file in order to trust the self-signed certificate. Only the PEM file should be distributed: the PFX file also contains the private key and must stay on the EventSentry host. Note that a client which does not verify the server certificate against this PEM file still gets an encrypted connection, but has no assurance that it is sending its logs to the genuine EventSentry host rather than to a host impersonating it.

 

Threshold Settings

To limit the number of Syslog messages that are processed by the Syslog daemon, change the maximum number of messages and the applicable time period. The Syslog daemon drops incoming packets once the count exceeds the number specified in Maximum number of allowed messages within the configured Time Period. Dropped messages are lost, so a host (or an attacker) flooding the daemon can cause messages from other hosts to be discarded; combine the threshold with the authorized-address list below and set it high enough for legitimate peak volume.
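The threshold behaviour described above, as an added example that is not EventSentry's own code: a small counter that accepts messages until the configured maximum is reached within the time period and drops the rest. The page does not say whether EventSentry counts in fixed or sliding windows; the fixed window below, the class and function names, and the arrival times fed to it are this example's assumptions.

```python
import time
from typing import List, Optional, Sequence


class SyslogThreshold:
    """Accept at most max_messages per period_seconds, drop the rest.

    Fixed-window counter: the count resets when a new period starts.
    (Assumption for illustration; the page only states that packets are
    dropped once the count exceeds the maximum within the time period.)
    """

    def __init__(self, max_messages: int, period_seconds: float) -> None:
        if max_messages < 1 or period_seconds <= 0:
            raise ValueError("max_messages must be >= 1 and period_seconds > 0")
        self.max_messages = max_messages
        self.period = period_seconds
        self.window_start: Optional[float] = None
        self.count = 0
        self.dropped = 0  # kept so an operator can alert on sustained dropping

    def accept(self, now: Optional[float] = None) -> bool:
        """Return True if a message arriving at time `now` is processed."""
        if now is None:
            now = time.monotonic()
        # Start a fresh window on the first message or once the period expired.
        if self.window_start is None or now - self.window_start >= self.period:
            self.window_start = now
            self.count = 0
        if self.count >= self.max_messages:
            self.dropped += 1
            return False
        self.count += 1
        return True


def replay(arrival_times: Sequence[float], max_messages: int,
           period_seconds: float) -> List[bool]:
    """Run constructed arrival timestamps (seconds) through one threshold."""
    threshold = SyslogThreshold(max_messages, period_seconds)
    return [threshold.accept(t) for t in arrival_times]


if __name__ == "__main__":
    # Constructed burst: 5 messages in 5 seconds, then 2 more after 10 seconds,
    # against a limit of 3 messages per 10 seconds.
    print(replay([0, 1, 2, 3, 4, 10, 11], max_messages=3, period_seconds=10))
```

With a limit of 3 messages per 10 seconds, the fourth and fifth messages of the burst are dropped and counting starts over when the next period begins.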

 

Authorized IP Addresses / Networks

For enhanced security, specify the hosts from which the Syslog daemon will accept packets. Host names are not allowed in the list; only IP addresses can be specified. Keep in mind that the list is matched against the source address of each packet: UDP carries no handshake, so a source address in a UDP packet is trivially forged, and the list is a much stronger control for TCP and TCP + TLS connections than for UDP.

 

You can enter IP addresses with or without specifying the subnet bits. For example, if you only want to add two servers with the IP addresses 184.23.22.11 and 184.23.22.43, simply add those two IP addresses to the list.

 

If you want to allow a whole subnet, for example the IP addresses 184.23.22.1 - 184.23.22.254, then add 184.23.22.0/24 (which covers 184.23.22.0 through 184.23.22.255). If you only want to allow the range 184.23.22.128 - 184.23.22.254 then you can specify 184.23.22.128/25 (184.23.22.128 through 184.23.22.255).
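The matching described above, as an added example that is not EventSentry's own code: the configured entries are parsed as networks (a bare address becomes a single-host network), host names are rejected, and each packet's source address is checked against the list. Rejecting entries with host bits set (such as 184.23.22.1/24) instead of silently widening them, the function names, and the constructed packets are this example's choices; the page does not say how EventSentry handles such entries.

```python
import ipaddress
from typing import Iterable, List, Sequence, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_allow_list(entries: Iterable[str]) -> List[Network]:
    """Turn configured entries into networks.

    "184.23.22.11" becomes 184.23.22.11/32, "184.23.22.0/24" stays a /24.
    Host names raise ValueError: the daemon matches on the packet's source
    address, and a name would have to be resolved, which whoever controls DNS
    could influence. Entries with host bits set (184.23.22.1/24) are rejected
    as ambiguous (example's choice, enforced via strict=True).
    """
    networks: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid authorized entry {entry!r}: {exc}") from None
    return networks


def is_authorized(source: str, networks: Sequence[Network]) -> bool:
    """True if the packet's source address falls inside any listed network."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # not an IP literal at all; never authorized
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in networks)


def filter_packets(packets: Sequence[Tuple[str, bytes]],
                   networks: Sequence[Network]) -> List[Tuple[str, bytes]]:
    """Keep only packets whose source address is authorized."""
    return [(src, payload) for src, payload in packets if is_authorized(src, networks)]


if __name__ == "__main__":
    allowed = parse_allow_list(["184.23.22.11", "184.23.22.128/25"])
    # Constructed packets: (source address, raw Syslog payload).
    packets = [
        ("184.23.22.11", b"<34>Oct 11 22:14:15 srv1 su: 'su root' failed for lonvick"),
        ("184.23.22.43", b"<13>Oct 11 22:14:16 srv2 cron: job finished"),
        ("184.23.22.200", b"<86>Oct 11 22:14:17 fw01 sshd: Accepted publickey"),
    ]
    for src, _ in filter_packets(packets, allowed):
        print("accepted from", src)
```

In this run 184.23.22.11 (listed explicitly) and 184.23.22.200 (inside 184.23.22.128/25) are accepted, while 184.23.22.43 is dropped because it is neither listed nor inside the /25.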

 

Compatibility

The EventSentry Syslog daemon works with Unix Syslog daemons (Linux, Solaris, OSX, ...) and network devices that send messages in the RFC 3164 (BSD Syslog) format.
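A parser for the RFC 3164 message format mentioned above, as an added example that is not EventSentry's own code: it extracts the PRI, derives facility and severity from it, splits off the timestamp, host name and tag, and applies the RFC's rule of treating a message without a valid PRI as priority 13 (user.notice). The short facility keywords, the handling of a PID in square brackets after the tag, and the sample messages are this example's assumptions (the first sample is the example message from RFC 3164 itself).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Conventional short keywords for the numeric codes in RFC 3164 section 4.1.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock2",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>")
# TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day ("Oct  1"), then HOSTNAME.
_HEADER = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$",
                     re.DOTALL)
# TAG is up to 32 characters; many senders append "[pid]" before the colon.
_TAG = re.compile(r"^(?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[(?P<pid>\d+)\])?:\s?(?P<content>.*)$",
                  re.DOTALL)


@dataclass
class SyslogMessage:
    pri: int
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: Optional[str]
    tag: Optional[str]
    pid: Optional[int]
    content: str


def facility_name(code: int) -> str:
    return FACILITIES[code] if 0 <= code < len(FACILITIES) else f"facility{code}"


def severity_name(code: int) -> str:
    return SEVERITIES[code] if 0 <= code < len(SEVERITIES) else f"severity{code}"


def parse_rfc3164(raw: bytes) -> SyslogMessage:
    """Parse one Syslog packet. Malformed input is never rejected, only downgraded."""
    text = raw.decode("ascii", errors="replace").rstrip("\r\n")
    pri, body = 13, text  # RFC 3164 4.3.3: no valid PRI -> assume <13>
    m = _PRI.match(text)
    if m and int(m.group(1)) <= 191:  # 23 facilities * 8 severities - 1
        pri, body = int(m.group(1)), text[m.end():]
    facility, severity = divmod(pri, 8)
    h = _HEADER.match(body)
    if h is None:
        # No parseable header: keep the whole body as content (RFC 3164 4.3.2).
        return SyslogMessage(pri, facility, severity, None, None, None, None, body)
    t = _TAG.match(h.group("msg"))
    if t is None:
        return SyslogMessage(pri, facility, severity, h.group("ts"), h.group("host"),
                             None, None, h.group("msg"))
    pid = int(t.group("pid")) if t.group("pid") else None
    return SyslogMessage(pri, facility, severity, h.group("ts"), h.group("host"),
                         t.group("tag"), pid, t.group("content"))


if __name__ == "__main__":
    # Constructed samples: RFC 3164's own example, a padded-day message with a PID,
    # a message without PRI, and one with an out-of-range PRI.
    for sample in (b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
                   b"<13>Oct  1 09:05:07 fw01 sshd[2211]: Accepted publickey for ops from 184.23.22.11\n",
                   b"Use the BFG!",
                   b"<999>Oct 11 22:14:15 host x"):
        msg = parse_rfc3164(sample)
        print(f"{facility_name(msg.facility)}.{severity_name(msg.severity)}",
              msg.hostname, msg.tag, msg.pid, repr(msg.content))
```

Devices that send slightly off-spec messages (no host name, a non-standard timestamp, a PRI above 191) still produce a usable record here, which matters for a daemon that must not lose security-relevant messages because a firewall vendor formats them loosely.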