You can configure Syslog Director to receive and redirect syslog messages to a collector. When the Syslog Director sensor is configured, or when a change is made to a sensor setting, you must distribute the settings to the collectors.
Additional syslog collectors automatically appear in Syslog Director if the collector configuration is enabled and points to a collector that is installed onbox. For example, if you have an offbox collector installed, Syslog Director does not show this collector in the list.
You complete the following procedures to enable and define signatures for each collector that you want to redirect:
To create a Syslog Director collector configuration
On the Director Settings tab, on the Syslog Sensor tab, do the following steps in the order presented:
UDP or TCP
Specify * or any to allow any host to send events to the Syslog Director. If you want to restrict the hosts from which Syslog Director receives events, you can specify multiple host names or IP addresses. Separate multiple host names or IP addresses with a comma or semicolon.
514 is the standard port for syslog messages. Symantec Security Information Manager is configured to forward all messages that are received on port 514 to port 10514, where Syslog Director can handle them.
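The host restriction described above can be checked before you tighten it from * to an explicit list. The following Python sketch is an added example, not Symantec code: it parses a host setting in the documented form and reports which senders the list would not cover. The function names, the sample senders, and the matching rules (case-insensitive host names, trimmed whitespace, a wildcard anywhere in the list meaning any host) are assumptions.

```python
import ipaddress
import re


def _normalize(entry):
    """Canonical form: normalized IP text, or a lowercased host name."""
    try:
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return entry.lower().rstrip(".")


def parse_allowed_hosts(value):
    """Parse the host setting. Returns None when any host may send
    events ('*' or 'any'), otherwise a set of normalized entries."""
    entries = [e.strip() for e in re.split(r"[;,]", value) if e.strip()]
    if not entries:
        raise ValueError("host setting is empty")
    # Assumption: a wildcard anywhere in the list means "any host".
    if any(e.lower() in ("*", "any") for e in entries):
        return None
    return {_normalize(e) for e in entries}


def is_sender_allowed(allowed, sender_ip, sender_name=None):
    """True if the sender matches the list by IP address or host name."""
    if allowed is None:
        return True
    if _normalize(sender_ip) in allowed:
        return True
    return sender_name is not None and _normalize(sender_name) in allowed


def uncovered_senders(value, observed):
    """Return the IPs of observed (ip, name) senders the setting rejects."""
    allowed = parse_allowed_hosts(value)
    return [ip for ip, name in observed
            if not is_sender_allowed(allowed, ip, name)]


# Constructed sample: senders seen on port 514 (documentation address ranges).
OBSERVED = [
    ("192.0.2.10", None),
    ("198.51.100.7", "FW01.example.net."),
    ("203.0.113.5", "printer7.example.net"),
]

if __name__ == "__main__":
    setting = "192.0.2.10; fw01.example.net,192.0.2.11"
    print("Not covered by the list:", uncovered_senders(setting, OBSERVED))
```

An empty result means every observed sender is already covered by the proposed list; any address that is returned would stop being accepted once the restriction is applied.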
To enable syslog collectors to receive syslog events from Syslog Director
To add collector signatures to Syslog Director
A collector signature is a specific pattern that identifies a collector. The documentation for each collector that uses the syslog sensor includes a section on the Syslog Director. The collector signature that is specified in that section is the match signature to use. To add collector signatures, click Add. Collectors with syslog sensors are displayed in a drop-down box. Select the collector and add the collector match signature that is specified in the documentation.
To import collector signatures to Syslog Director
To use Syslog Director with syslog sensor collectors that do not have signatures for Syslog Director