Overview
You may need to set up GFI EventsManager to receive Syslog messages from source machines.
Syslog is a data logging service that is most commonly used by Linux and UNIX-based systems. GFI EventsManager has a built-in Syslog Server, which collects all Syslog messages/events sent by Syslog sources and passes them to the event processing engine. EventsManager supports events generated by various network devices manufactured by leading providers including Cisco and Juniper.
Solution
To configure EventsManager to receive Syslogs, follow the steps below:
- Add the required machines as event sources.
- Navigate to Configuration > Event Sources.
- Right-click on the desired source group or source machine and select Properties.
- From the Syslog tab, enable the Accept Syslog messages from this computer group option.
- From the Syslog parsing schema drop-down, select the method for EventsManager Syslog Server to interpret Syslogs from network devices:
- Simple syslog message
- Standard Linux message
- Juniper Networks Firewall
- Cisco ASA
- If you need to encode international characters to ASCII strings, click Advanced and specify the required Windows page code identifier.
Since Syslog is not Unicode compliant, GFI EventsManager uses a code page to decode the events. This is only required if GFI EventsManager is installed on a machine using a different language than the monitored machines.
- From the Post collection processing section (under the same tab), select one of the following options:
- Archive all logs without any further processing - select this option if you want to store all logs for the selected machines.
- Process the logs with the rules selected below before archiving and specify the required rules - select this option if you do not need to store all Syslog events.
- By default, GFI EventsManager listens for Syslog messages on port 514. To receive Syslogs on a different port, follow the steps below.
Note: Make sure that the default or custom-configured port is not already in use by another application; a port conflict can prevent Syslog messages from being delivered to GFI EventsManager.
- Navigate to Configuration > Options > Syslog Server Options.
- Click Edit Syslog options.
- Enable the TCP and UDP ports and enter the desired port numbers.
- Click OK.
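To illustrate what a parsing schema and the code page setting do with an incoming datagram, here is an added Python example; it is not GFI's code, and the field names, the assumption that the Simple syslog message schema resembles the BSD-style header of RFC 3164, and the sample datagrams are this example's own. It decodes the raw bytes with a Windows code page, splits the PRI value into facility and severity, and shows that the same bytes decoded with a different code page yield different text, which is why the code page must match the monitored machines:

```python
import re

# Facility and severity names as numbered in RFC 3164 / RFC 5424
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style header assumed for the "Simple syslog message" schema:
# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MESSAGE
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$",
    re.S,
)
_PRI_ONLY = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def split_pri(pri: int):
    """PRI = facility * 8 + severity; anything outside 0..191 is not a valid PRI."""
    if not 0 <= pri <= 191:
        return None, None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(raw: bytes, codepage: str = "cp1252") -> dict:
    """Decode one datagram with the given Windows code page and split it into fields.
    Messages without the BSD header still get facility/severity from their PRI;
    messages with no PRI at all are returned as raw text with parsed=False."""
    text = raw.decode(codepage, errors="replace")
    fields = {"ts": None, "host": None, "tag": None, "pid": None, "parsed": False}
    m = _BSD.match(text)
    if m:
        fields.update({k: m.group(k) for k in ("ts", "host", "tag", "pid", "msg")})
        fields["parsed"] = True
        pri = int(m.group("pri"))
    else:
        p = _PRI_ONLY.match(text)
        if p:
            pri, fields["msg"] = int(p.group(1)), p.group(2)
        else:
            pri, fields["msg"] = -1, text
    fields["facility"], fields["severity"] = split_pri(pri)
    return fields


# Constructed sample datagrams (the first is the well-known RFC 3164 example)
SAMPLES = [
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    b"<13>Mar  4 09:05:00 srv01 app[42]: caf\xe9 opened",   # 0xE9 is e-acute in cp1252
    b"<190>router: interface up",                            # PRI present, no BSD header
    b"plain text with no PRI",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_syslog(sample))
    # Same bytes, wrong code page: the non-ASCII character comes out differently
    print(parse_syslog(SAMPLES[1], codepage="cp437")["msg"])
```

The `parsed` flag is the point to watch when a device does not match any of the four built-in schemas: the message is not lost, but only PRI-derived facility and severity are available for rules, which is when a custom rule set (see Related Articles) is needed.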
Testing
Open Events Browser and check whether logs are being captured for one of the monitored machines that sends Syslogs. Additionally, you can use a network sniffer application to verify that Syslogs are actually sent to EventsManager.
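As an added example for this testing step (not part of GFI's documentation or product), the Python below does a local sanity check before a device is pointed at EventsManager: it builds a BSD-style test message, checks whether a port is free on this host (the port-conflict Note above), and sends the message to a throwaway UDP listener on 127.0.0.1 to confirm it arrives intact. The function names, the use of port 0 to let the OS choose a free port, and the sample tag and text are this example's own assumptions; `send_syslog_udp` can be pointed at your own EventsManager host and port to produce a known event to look for in Events Browser.

```python
import socket
import time


def build_bsd_message(pri: int, tag: str, msg: str, host: str = "") -> bytes:
    """Build an RFC 3164 (BSD-style) Syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    pri = facility * 8 + severity, so 14 is user.info."""
    now = time.localtime()
    # The day of month is space-padded in BSD syslog ("Mar  4"), so format it by hand
    ts = f"{time.strftime('%b', now)} {now.tm_mday:2d} {time.strftime('%H:%M:%S', now)}"
    host = host or socket.gethostname()
    return f"<{pri}>{ts} {host} {tag}: {msg}".encode("ascii", errors="replace")


def port_is_free(port: int, proto: str = "udp", host: str = "0.0.0.0") -> bool:
    """True if a listener could bind host:port right now, i.e. no other application
    owns it. On Unix-like hosts binding a port below 1024 without privileges also
    fails, which is reported as 'not free' because a listener could not use it."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def send_syslog_udp(message: bytes, host: str, port: int = 514) -> int:
    """Send one datagram to a Syslog server; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message, (host, port))


def loopback_syslog_test(message: bytes, port: int = 0, timeout: float = 2.0) -> dict:
    """Bind a throwaway UDP listener on 127.0.0.1 (port 0 = let the OS pick one),
    send `message` to it and report what arrived. While the listener is up,
    port_is_free() on that port reports False: that is the conflict the Note
    about port 514 warns about, reproduced on a harmless ephemeral port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind(("127.0.0.1", port))
        server.settimeout(timeout)
        bound_port = server.getsockname()[1]
        busy = not port_is_free(bound_port, "udp", "127.0.0.1")
        sent = send_syslog_udp(message, "127.0.0.1", bound_port)
        data, _peer = server.recvfrom(65535)
    return {"port": bound_port, "busy_while_listening": busy, "sent": sent, "received": data}


if __name__ == "__main__":
    msg = build_bsd_message(14, "gfitest", "EventsManager syslog listener check")
    print("udp/514 free:", port_is_free(514, "udp"), " tcp/514 free:", port_is_free(514, "tcp"))
    print(loopback_syslog_test(msg))
```

Run `port_is_free(514, ...)` on the EventsManager host before the Syslog Server is started: if it already reports False there, something else owns the port and messages will never reach EventsManager; once the Syslog Server is running, False is the expected result.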
Related Articles
- How to create custom Syslog rule sets for non-supported devices?
- How to create custom Syslog rules based on RAW data?
- How To Add Fortinet FortiGate As Event Source?