Configure centralized collection of Protection Engine logs using syslog server

Article ID: 171667

Products

Protection Engine for Cloud Services Protection Engine for NAS

Issue/Introduction

Symantec Protection Engine (SPE) can be configured to send log events to the Linux syslog. The types of events that are logged are configurable. For more information, refer to the section “Configuring logging to the Linux Syslog” in the Symantec™ Protection Engine for Cloud Services 7.9 Implementation Guide.

In scenarios where there are multiple SPE installations, administrators need to log into each of the computers to access the syslog logs. This can be tedious and time-consuming, and it becomes more so as the number of SPE installations grows.


Resolution

Each computer on which SPE is installed can be configured to send syslog messages to the syslog server. The syslog server captures the log messages at a centralized location (for example, /var/log/messages), where they are readily available for viewing and analysis without the need to access the individual servers.

There are several different syslog implementations available. In this document, we will outline the steps that you can execute to use and enable RSyslog to collect log messages in the RSyslog server.

To configure SPE to send events to RSyslog

Linux

The RSyslog service must be installed on the computer that you intend to use as a logging server (preferably on a separate Linux computer). By default, RSyslog is installed on Red Hat Enterprise Linux 6 or later versions. Keep in mind that the default protocol for syslog traffic is UDP, whereas the default protocol for RSyslog is TCP.

To send the events to the syslog server, each server with SPE installed must have the RSyslog service installed, enabled, and configured with the IP address of the RSyslog server. Both the RSyslog server and the clients must be configured with the same protocol and port for communication.

For detailed information about configuring RSyslog on Linux, refer to the following links:

How to configure remote logging with rsyslog

Configuring Rsyslog on a logging server
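The following is an added example of the server-side and client-side RSyslog configuration described above; it is not taken from the SPE documentation or the RSyslog project. The collector address 192.0.2.10, the drop-in file names, and the per-host output path are assumptions for illustration.

```conf
### Logging server: /etc/rsyslog.d/10-spe-collector.conf (assumed file name)
# Accept syslog over TCP port 514 (RSyslog's default protocol is TCP; the
# clients below use the same protocol and port, as required).
module(load="imtcp")
input(type="imtcp" port="514")

# Optional: keep each SPE host's messages in its own file rather than only
# mixing them into /var/log/messages, so per-server review stays easy.
template(name="SpePerHost" type="string"
         string="/var/log/spe/%HOSTNAME%/messages")
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="SpePerHost")
}
# Remember to allow inbound TCP 514 on the collector's host firewall, e.g.
#   firewall-cmd --permanent --add-port=514/tcp && firewall-cmd --reload

### SPE host (client): /etc/rsyslog.d/20-spe-forward.conf (assumed file name)
# Forward all local messages to the collector over TCP 514.
# A disk-assisted queue buffers events while the collector is unreachable,
# and unlimited retries keep the action from being suspended permanently.
action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="spe_fwd"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
# Verify from the client after restarting rsyslog:
#   logger -t spe-test "forwarding check"
# and confirm the line appears in the collector's per-host file.
```

The legacy forwarding syntax `*.* @@192.0.2.10:514` (two @ signs for TCP, one for UDP) is equivalent to the `omfwd` action above but lacks the queue settings.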

Windows

There are various options on Windows to send log messages from Windows applications to a syslog server. Below are the steps to enable the RSyslog Windows agent to send log messages from SPE installed on Windows computers to the remote RSyslog server. The RSyslog Windows agent is designed to work with the remote RSyslog server on Linux. It monitors the Windows Event Viewer messages and sends them to the RSyslog server.

In order to forward events from a Windows SPE implementation, SPE must first be configured to log events to the Windows Event Viewer. For details on how to enable logging of events to the Windows Event Viewer, see “Configuring logging to the Windows Application Event Log” in the Symantec™ Protection Engine for Cloud Services 7.9 Implementation Guide.

The RSyslog Windows agent must be configured with the syslog server’s IP address and port. If desired, filters can be configured to only send specific types of events from the Windows Event Viewer to the RSyslog server.

For further details about the Rsyslog Windows agent, refer to the following links:

Rsyslog Windows Agent Download

About Rsyslog Windows Agent