You can configure Syslog Director to receive and redirect syslog messages to a collector. When the Syslog Director sensor is configured, or when a change is made to a sensor setting, you must distribute the settings to the collectors.
Additional syslog collectors automatically appear in Syslog Director if the collector configuration is enabled and points to a collector that is installed on-box. Off-box collectors are not listed; for example, if you have an off-box collector installed, Syslog Director does not show that collector in the list.
See About Syslog Director 4.3.
A collector signature is a specific pattern that identifies a collector.
You complete the following procedures to enable and define signatures for each collector that you want to redirect:
Enable syslog collectors to receive syslog events from Syslog Director.
See “To enable syslog collectors to receive syslog events from Syslog Director”.
(Optional) Import collector signatures into Syslog Director.
Some collectors include an XML file that you can use to update collector signatures. This XML file is located in the utils subdirectory of the collector installation directory.
For specific information on the collector signatures that are required for a particular collector, see the quick reference guide for the collector.
To create a Syslog Director collector configuration
In the Information Manager console, in the left pane, click System.
On the Product Configurations tab, expand Syslog Director until you see the Default configuration.
To create a configuration, right-click Syslog Director, and then click New.
Follow the prompts in the Create a New Configuration Wizard.
This new configuration should only be applied to a Symantec Event Agent running on an Information Manager server.
On the Director Settings tab, on the Syslog Sensor tab, do the following steps in the order presented:
In the sensor property table under the Value column, change any of the following fields.
In the Port Number field, leave 10514.
514 is the standard port for syslog messages. Symantec Security Information Manager is configured to forward all messages that are received on port 514 to port 10514, where Syslog Director can handle them.
To enable syslog collectors to receive syslog events from Syslog Director
On the Director Settings tab, on the Director Settings sub-tab, click Refresh List.
The Refresh list automatically displays all of the syslog collectors that are installed on the Information Manager server.
Check the corresponding Redirect check box for each collector that you want to set up to receive syslog events from Syslog Director.
In the left pane, right-click the appropriate configuration, and then click Distribute.
To add collector signatures to Syslog Director
On the Director Settings tab, on the Director Settings sub-tab, click Advanced Options, and then click Add.
You should only change collector signatures if directed by Symantec support.
A collector signature is a specific pattern that identifies a collector. The documentation for each collector that uses the syslog sensor has a section on Syslog Director; the collector signature specified in that section is the match signature to use. To add a collector signature, click Add. Collectors with syslog sensors are displayed in a drop-down list. Select the collector, and then add the match signature that is specified in its documentation.
To reorder the collector signatures, click Move Up or Move Down.
Collector signatures are handled in order, top to bottom.
When an event has matched a signature, Syslog Director redirects it to the appropriate collector and does not try to match any other signatures.
You should place the unique signatures at the top of the list for performance reasons and to eliminate possible false matches with more general signatures.
You must leave the Generic Syslog Event Collector as the last collector with its collector signature empty.
In the left pane, right-click the appropriate configuration, and then click Distribute.
To import collector signatures to Syslog Director
On the Product Configurations tab, click Syslog Director 4.3 > Syslog Director.
On the Director Settings tab, on the Director Settings sub-tab, click Advanced Options.
In the Select Import Type dialog box, click Import Only New Signatures.
Use Move Up or Move Down to position the new signature.
Make sure that the Generic Syslog Collector is the last collector in the list.
In the middle pane, right-click the configuration, and then click Distribute.
To use Syslog Director with syslog sensor collectors that do not have signatures for Syslog Director
Use the hostname in the syslog message as a unique signature for Syslog Director.
For example, the host SGS656 sends syslog messages to UDP or TCP port 514 on Information Manager. Every syslog event from that host carries a string that can serve as the signature for SGS656:
"Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 httpd[4446]: unable to authenticate..."
"Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 fpd[456]: ...."
You can use the signature "SGS656" in the Syslog Director configuration. All syslog messages that have this signature are sent to the proper collector.
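The following added example (not Symantec's code) models the routing rules described above: signatures are tried top to bottom, the first match wins, and the Generic Syslog Event Collector with an empty signature must be last. The collector names, the httpd signature and the extra sample events are constructed; the hostname signature is taken exactly as it appears in the quoted message text, since matching is done on message content.

```python
import re

# Ordered signature list as Syslog Director would apply it, top to bottom.
# Collector names and the httpd signature are constructed for this example.
# An empty signature is the catch-all generic collector and must stay last.
SIGNATURES = [
    ("SG565 Firewall Collector", r"SG565"),        # hostname used as a unique signature
    ("Web Server Collector", r"httpd\[\d+\]:"),    # more general: any httpd process
    ("Generic Syslog Event Collector", ""),        # empty signature matches everything
]

def route(message, signatures=SIGNATURES):
    """Return the collector whose signature matches first, top to bottom.
    Once a signature matches, no later signature is tried (first match wins)."""
    for collector, sig in signatures:
        if sig == "" or re.search(sig, message):
            return collector
    return None  # unreachable while the empty generic signature is present

def validate_order(signatures):
    """Check the documented constraint: exactly one empty (generic) signature,
    and it is the last entry. A generic entry placed earlier would swallow
    every event before the collectors below it are ever consulted."""
    empties = [i for i, (_, sig) in enumerate(signatures) if sig == ""]
    return empties == [len(signatures) - 1]

# Constructed sample events modelled on the page's example messages.
SAMPLE_EVENTS = [
    "Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 httpd[4446]: unable to authenticate...",
    "Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 fpd[456]: ....",
    "Dec 10 16:40:01 192.168.14.9 webfront httpd[220]: GET /index.html",
    "Dec 10 16:41:11 192.168.14.20 printer lpd[12]: job queued",
]

if __name__ == "__main__":
    print("signature order valid:", validate_order(SIGNATURES))
    for event in SAMPLE_EVENTS:
        print(route(event), "<-", event[:60])
    # The false match the page warns about: with the general httpd signature
    # above the unique hostname signature, SG565 web events are misrouted.
    swapped = [SIGNATURES[1], SIGNATURES[0], SIGNATURES[2]]
    print("swapped order routes event 0 to:", route(SAMPLE_EVENTS[0], swapped))
```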