Configure Protection Engine logs to forward to a syslog server

Article ID: 171667

Products

Protection Engine for Cloud Services
Protection Engine for NAS

Issue/Introduction

Symantec Protection Engine (SPE) cannot be configured to send log events directly to a standard syslog server.

It is possible, however, to have SPE write its events to the local operating system log and then use a third-party utility such as RSyslog to pick up those events and forward them to a remote syslog server.

Resolution

Each computer on which SPE is installed can be configured to send log messages to the local operating system's logging system. The syslog software then collects the messages from all such computers in a centralized location (for example, a file under /var/log such as /var/log/messages on the logging server), where they are available for viewing and analysis without the need to access the individual servers.

There are several syslog implementations available. This document outlines the steps to enable RSyslog on each SPE computer and to collect the forwarded messages on a central RSyslog server.

To configure SPE to send events to RSyslog

Linux

The RSyslog service must be installed on the computer that you intend to use as the logging server (preferably a separate Linux computer). RSyslog is installed by default on Red Hat Enterprise Linux 6 and later. Keep in mind that traditional syslog traffic uses UDP port 514, and that RSyslog does not accept messages from the network at all until you load a receiving module (imudp for UDP or imtcp for TCP). TCP is preferable because delivery is reliable, and TLS on top of TCP (commonly on port 6514) is preferable again because plain syslog over either protocol is unauthenticated and unencrypted, so anyone on the network path can read or inject SPE events.

To send events to the syslog server, each server with SPE installed must have the RSyslog service installed, enabled, and configured with the IP address (or host name) of the RSyslog server. Both the RSyslog server and the clients must be configured with the same protocol and port for communication, and any firewall between them must permit that port.
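
As an added illustration (this configuration is not part of the original article and is not Symantec's own), the following RSyslog configuration pairs a receiving server with a forwarding SPE client. The file paths, host names, IP addresses, ports and certificate paths are assumptions for the example; substitute your own. It also goes beyond the article by showing the TLS variant, which is the form a security team should prefer over plain TCP or UDP.

```conf
##### Logging server: /etc/rsyslog.d/10-spe-server.conf (assumed path) #####

# Accept syslog over TCP on port 514 and hand those messages to their own ruleset.
# For legacy UDP senders load imudp and use input(type="imudp" ...) instead;
# whichever you pick, the SPE clients must use the same protocol and port.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="fromSpeHosts")

# One file per sending host instead of mixing remote events into /var/log/messages.
# The name is taken from the connection (%FROMHOST-IP%), not from the message body,
# because a client can put any value it likes in the syslog HOSTNAME field.
template(name="SpePerHost" type="string" string="/var/log/spe/%FROMHOST-IP%.log")
ruleset(name="fromSpeHosts") {
    action(type="omfile" dynaFile="SpePerHost" dirCreateMode="0750" fileCreateMode="0640")
}

##### SPE client: /etc/rsyslog.d/20-spe-forward.conf (assumed path) #####

# Forward what the local OS logger receives to the server (192.0.2.10 is an example
# address). The disk-assisted queue and unlimited retries keep events from being
# dropped while the server or the network is unavailable.
*.* action(type="omfwd" target="192.0.2.10" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="spe_fwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")

##### TLS variant of the server file (replaces the module/input lines above) #####

# PermittedPeer lists the certificate names the server accepts, so a host without a
# certificate issued by the shared CA cannot inject events. The global() block with
# the server's own CA/cert/key paths (assumed) is required here as well.
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/logserver.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/logserver-key.pem")
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["spe1.example.net", "spe2.example.net"])
input(type="imtcp" port="6514" ruleset="fromSpeHosts")

##### TLS variant of the client file (replaces the action above) #####

global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
       DefaultNetstreamDriverCertFile="/etc/rsyslog.d/spe1.pem"
       DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/spe1-key.pem")
# StreamDriverPermittedPeers pins the server's certificate name, so the client will not
# hand its events to an impostor that merely presents a CA-signed certificate.
*.* action(type="omfwd" target="logserver.example.net" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="logserver.example.net"
           queue.type="LinkedList" queue.filename="spe_fwd_tls"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

After editing either side, run rsyslogd -N1 to check the configuration syntax, restart the rsyslog service, and open the chosen port in the host firewall. The gtls driver ships as a separate package on Red Hat systems (rsyslog-gnutls). To verify the path end to end, run logger -t spe-test "forwarding check" on an SPE client and confirm the line appears in /var/log/spe/<client-ip>.log on the server. The client rule above forwards every local message; if you want only SPE events on the wire, narrow the selector to the facility or program name SPE is configured to log under on your system.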

For detailed information about configuring RSyslog on Linux, refer to the following links:

How to configure remote logging with rsyslog

Configuring Rsyslog on a logging server


Windows

There are various options on Windows to send log messages from Windows applications to a syslog server. Below are the steps to enable the RSyslog Windows Agent to send log messages from SPE installed on Windows computers to the remote RSyslog server. The RSyslog Windows Agent is designed to work with a remote RSyslog server on Linux: it monitors the Windows Event Log and forwards the events it sees to the RSyslog server.

To forward events from a Windows SPE installation, SPE must first be configured to log events to the Windows Application Event Log. For details on how to enable this, see "Configuring logging to the Windows Application Event Log" in the Symantec™ Protection Engine Implementation Guide.

The RSyslog Windows Agent must then be configured with the syslog server's IP address, port and protocol, matching what the server's listener expects. If desired, filters can be configured so that only specific events from the Windows Event Log, such as those written by SPE, are sent to the RSyslog server.

For further details about the Rsyslog Windows agent, refer to the following links:

Rsyslog Windows Agent Download

About Rsyslog Windows Agent


Additional Information

Please note that RSyslog is a third-party application and is not supported or configured by Symantec Technical Support. RSyslog itself is open-source software, but the RSyslog Windows Agent is a separately licensed commercial product, so there may be a licensing cost associated with using it. For additional details regarding RSyslog, please see their website here.