Syslog




You can send event log records to remote Unix/Linux Syslog servers over either the UDP or the TCP protocol. Event log records can be sent in either the "EventSentry" or the "Snare" format.


Hostname

The IP address or host name of the remote Syslog server.


Port

The port on which the remote Syslog server is listening for incoming requests, 514 by default.


Protocol

The protocol to use, either UDP or TCP. Most hosts use the UDP protocol.


Use TLS

Uses TLS encryption when supported by the remote Syslog server; requires the TCP protocol.


Format

The format in which event log records are sent. The "EventSentry" format is shown below:


Direct (without collector):

hostname: optional prefix[timestamp-eventnumber]ID=eventid:eventlog:eventsource:eventcategory:severity:eventuser:eventmessage:binarydata


Indirect (through collector):

hostname: optional prefix[timestamp-eventnumber]ID=eventid:eventcomputer:eventlog:eventsource:eventcategory:severity:eventuser:eventmessage


Event category, event user and binary data are only included if they are present in the event record. Carriage returns in the event log record are removed automatically.


Other supported formats are Snare, RFC 5424, Graylog (GELF), CEF, Nagios Log Server as well as a custom JSON format.


Criticality (Snare format only)

When the "Snare" format is selected, configure a criticality


Prefix

You can have a text string prefixed to every Syslog message that EventSentry sends out. Simply enter the string into the Prefix field.


Delimiter

By default, all fields from the event log are concatenated with a colon (:), but a different delimiter can be specified.
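Ingesting the "EventSentry" format shown above on the receiving side means tolerating the optional category and user fields, a configurable delimiter, and a message that may itself contain that delimiter. The parser below is an added example, not EventSentry's own code; it assumes the severity vocabulary shown, that the event user is rendered as DOMAIN\name, that a custom delimiter only separates the event fields after ID=eventid, and that binary data is not included.

```python
import re

# Severity vocabulary, constructed for this example (the product's exact strings are an
# assumption); it lets the parser tell the optional category field from the severity.
SEVERITIES = {"Information", "Warning", "Error", "Critical",
              "Audit Success", "Audit Failure"}

# Fixed header of the "Direct" format: hostname, optional prefix,
# [timestamp-eventnumber] and ID=eventid; the delimited event fields follow.
HEADER = re.compile(r"^(?P<host>[^\s:]+): (?P<prefix>.*?)\[(?P<ts>.+?)-(?P<num>\d+)\]"
                    r"ID=(?P<eid>\d+)(?P<rest>.*)$")
# Assumed account form DOMAIN\name (exactly one backslash) identifies the optional user field.
ACCOUNT = re.compile(r"^[^\\]+\\[^\\]+$")

def parse_eventsentry(line: str, delim: str = ":") -> dict:
    """Parse one Direct-format line into a dict; binary data is assumed disabled."""
    m = HEADER.match(line.rstrip("\r\n"))
    if not m or not m["rest"].startswith(delim):
        raise ValueError("not an EventSentry-format syslog line")
    f = m["rest"][len(delim):].split(delim)
    if len(f) < 4:
        raise ValueError("too few fields")
    # Category is optional: if the third field is already a severity, none was sent.
    if f[2] in SEVERITIES:
        category, severity, i = None, f[2], 3
    elif f[3] in SEVERITIES:
        category, severity, i = f[2], f[3], 4
    else:
        raise ValueError("severity field not recognised")
    tail = f[i:]
    # User is optional, and the message may itself contain the delimiter, so re-join it.
    if tail and ACCOUNT.match(tail[0]):
        user, message = tail[0], delim.join(tail[1:])
    else:
        user, message = None, delim.join(tail)
    return {"host": m["host"], "prefix": m["prefix"].strip(), "timestamp": m["ts"],
            "number": int(m["num"]), "event_id": int(m["eid"]), "log": f[0],
            "source": f[1], "category": category, "severity": severity,
            "user": user, "message": message}

# Constructed sample lines (not captured from a real system).
SAMPLE_DIRECT = (r"dc01: [2024-06-01 12:00:00-4711]ID=4625:Security:"
                 r"Microsoft-Windows-Security-Auditing:Logon:Audit Failure:"
                 r"NT AUTHORITY\SYSTEM:An account failed to log on. Reason: bad password")
SAMPLE_PIPE = ("web01: ES [2024-06-01 12:05:30-4712]ID=7036|System|Service Control Manager"
               "|Information|The Spooler service entered the stopped state.")
```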


Convert log text to UTF8

Converts the event log message to UTF8 format.


Include event binary data

Includes event binary data, if any, in the Syslog message.


Include Structured Data (RFC 5424 only)

Includes key event fields as structured data in addition to the Syslog message.


Compress

Compresses the data; only supported for the GELF format via UDP.


Test

Sends a test Syslog UDP message to the remote host.


Most Syslog daemons on Unix/Linux servers do not accept remote Syslog packets by default. Please read the corresponding man pages if you do not know how to enable this feature. On most Linux distributions you will need to pass either the -r or the -x option to the Syslog daemon upon startup.