How to setup Syslog-ng to forward events to a Symantec Security Information Manager (SSIM)

Article ID: 177566


Products

Security Information Manager

Issue/Introduction

How to set up Syslog-ng to forward events to a Symantec Security Information Manager (SSIM).

Resolution

To set up Syslog-ng to forward events to an SSIM appliance, configure Syslog-ng with that SSIM appliance as its log server, then restart the syslog service.

Before configuring Syslog-ng, make sure the computer can resolve the hostname of the SSIM appliance. If necessary, add the IP address and hostname of the SSIM to the computer's /etc/hosts file.

Configure Syslog-ng

    1. Navigate to the syslog-ng directory.
      By default this is /etc/syslog-ng.
    2. Open syslog-ng.conf in vi with the command: vi syslog-ng.conf
    3. Find the line that starts with destination logserver.
    4. Press I to enter Insert mode.
    5. Enter the hostname and port of the SSIM appliance as the destination logserver.
      Example: destination logserver { udp("ssim101" port(514));};
    6. Press Esc to exit Insert mode.
    7. Type :wq and press Enter to save and exit vi.

Note: You will need to adjust the logging format with templates (more information can be found in the syslog-ng documentation).
Refer to the Unix collector PDF for the proper syslog formatting.
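The following syslog-ng.conf fragment is an added example, not part of this article, showing how the destination from step 5 fits into a complete source, template and log statement. The hostname ssim101 and port 514 are taken from the article; the template layout is an assumption, and the exact format SSIM expects must be taken from the Unix collector PDF.

```conf
# Added example configuration (not from the Symantec article).
# Hostname ssim101 and port 514 come from the article; the template
# layout is an assumption to be replaced with the one in the Unix collector PDF.

# Local log source: messages written to the /dev/log socket plus
# syslog-ng's own internal messages.
source s_local {
    unix-stream("/dev/log");
    internal();
};

# Assumed template: classic BSD syslog layout with priority, timestamp,
# hostname, program name and message text.
template t_ssim {
    template("<$PRI>$DATE $HOST $PROGRAM: $MSG\n");
    template_escape(no);
};

# Destination from the article's step 5, with the template applied.
# udp() gives no delivery confirmation, so events dropped on the network
# are lost silently; verify arrival on the SSIM after the restart.
destination logserver {
    udp("ssim101" port(514) template(t_ssim));
};

# Without a log statement the destination is defined but never used.
log {
    source(s_local);
    destination(logserver);
};
```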


To make Syslog-ng use the new settings, restart the syslog service with the command: service syslog restart
In some distributions you may need to stop and start the syslog service with the two commands below:

service syslog stop
service syslog start