Configuring Syslog Director with syslog collectors

Article ID: 179873

Products

Security Information Manager

Resolution

You can configure Syslog Director to receive and redirect syslog messages to a collector. When the Syslog Director sensor is configured, or when a change is made to a sensor setting, you must distribute the settings to the collectors.

Additional syslog collectors appear in Syslog Director automatically only when the collector's configuration is enabled and points to a collector that is installed onbox (on the Information Manager server). A collector that is installed offbox does not appear in the list.

See About Syslog Director 4.3.

A collector signature is a specific pattern that identifies a collector.

Complete the following procedures to enable the collectors and to define a signature for each collector whose events you want to redirect:

To create a Syslog Director collector configuration

  1. In the Information Manager console, in the left pane, click System.

  2. On the Product Configurations tab, expand Syslog Director until you see the Default configuration.

    You cannot use the Default configuration.

  3. To create a configuration, right-click Syslog Director, and then click New.

  4. Follow the prompts in the Create a New Configuration Wizard.

    This new configuration should only be applied to a Symantec Event Agent running on an Information Manager server.

  5. Select the new configuration.

  6. On the Director Settings tab, on the Syslog Sensor tab, do the following steps in the order presented:

    • Click Sensor 0.

    • In the sensor property table, under the Value column, change any of the following fields:

      Protocol: UDP or TCP.

      Host Names: Specify * or any to allow any host to send events to Syslog Director. To restrict the hosts from which Syslog Director accepts events, specify one or more host names or IP addresses, separated by commas or semicolons. Because plain syslog carries no sender authentication, restricting this list to the known sending hosts is the safer setting once they are identified.

    • In the Port Number field, leave 10514.

      514 is the standard port for syslog messages. Symantec Security Information Manager is configured to forward all messages that are received on port 514 to port 10514, where Syslog Director handles them.

    • Click Save.

To enable syslog collectors to receive syslog events from Syslog Director

  1. On the Director Settings tab, on the Director Settings sub-tab, click Refresh List.

    Clicking Refresh List displays all of the syslog collectors that are installed on the Information Manager server.

  2. Check the corresponding Redirect check box for each collector that you want to set up to receive syslog events from Syslog Director.

  3. In the left pane, right-click the appropriate configuration, and then click Distribute.

  4. At the prompt to distribute the configuration, click Yes.

  5. In the Configuration Viewer window, click Close.

To add collector signatures to Syslog Director

  1. On the Director Settings tab, on the Director Settings sub-tab, click Advanced Options, and then click Add.

    Change collector signatures only if directed by Symantec support.

    A collector signature is a specific pattern that identifies a collector. The documentation for each collector that uses the syslog sensor has a section on Syslog Director; the collector signature given in that section is the match signature to use. When you click Add, the collectors with syslog sensors are listed in a drop-down box. Select the collector and enter the collector match signature from its documentation.

  2. To reorder the collector signatures, click Move Up or Move Down.

    Collector signatures are handled in order, top to bottom.

    When an event has matched a signature, Syslog Director redirects it to the appropriate collector and does not try to match any other signatures.

    You should place the unique signatures at the top of the list for performance reasons and to eliminate possible false matches with more general signatures.

    You must leave the Generic Syslog Event Collector as the last collector with its collector signature empty.

  3. In the left pane, right-click the appropriate configuration, and then click Distribute.

  4. At the prompt to distribute the configuration, click Yes.

  5. In the Configuration Viewer window, click Close.

To import collector signatures to Syslog Director

  1. Launch the SSIM Client.

  2. In the left pane, click System.

  3. On the Product Configurations tab, click Syslog Director 4.3 > Syslog Director.

  4. Click an existing configuration (not Default).

  5. On the Director Settings tab, on the Director Settings sub-tab, click Advanced Options.

  6. Click Import.

  7. In the Select Import Type dialog box, click Import Only New Signatures.

  8. Use Move Up or Move Down to position the new signature.

    Make sure that the Generic Syslog Event Collector is the last collector in the list and that its signature is empty.

  9. Click Save.

  10. In the middle pane, right-click the configuration, and then click Distribute.

  11. At the prompt to distribute the configuration, click Yes.

  12. In the Configuration Viewer window, click Close.

To use Syslog Director with syslog sensor collectors that do not have signatures for Syslog Director

  • Use the host name in the syslog message as a unique signature for Syslog Director.

    For example, the host SG565 sends syslog messages to UDP (or TCP) port 514 on Information Manager. Every syslog event from that host contains the host name SG565:

    "Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 httpd[4446]: unable to authenticate..."

    "Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 fpd[456]: ...."

    You can use "SG565" as the signature in the Syslog Director configuration. All syslog messages that contain this signature are sent to the proper collector. Choose a string that occurs only in messages from that host; a host name that also appears in the body of other hosts' messages would cause false matches, so keep it above any broader signatures, as described under the collector-signature ordering rules.
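The first-match ordering rules from the collector-signature procedure above and the host-name signature just described, as an added Python simulation that is not part of SSIM or of this article. It assumes that Syslog Director matches a signature as a plain, case-sensitive substring of the raw message, which the article does not state; the collector names ("SG565 Collector", "Web Server Collector") and the "httpd" signature are hypothetical, and the sample events are constructed from the two SG565 lines quoted above. The validator shows the checks worth running before you click Distribute: the generic collector last with an empty signature, no other empty signature (it would shadow everything below it), and no duplicates.

```python
"""Simulated Syslog Director pipeline: Sensor 0 host filter, then ordered
first-match signature dispatch. Added illustration, not SSIM code; it assumes
signatures are plain case-sensitive substrings of the raw message."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

GENERIC = "Generic Syslog Event Collector"


@dataclass
class CollectorSignature:
    collector: str
    signature: str  # "" means catch-all; only valid for the final generic entry


def parse_host_names(value: str) -> Optional[Set[str]]:
    """Parse the Sensor 0 'Host Names' field: '*' or 'any' means no
    restriction (None); otherwise a comma- or semicolon-separated allowlist."""
    value = value.strip()
    if value in ("*", "any"):
        return None
    return {h.strip() for h in value.replace(";", ",").split(",") if h.strip()}


def host_allowed(source: str, allowlist: Optional[Set[str]]) -> bool:
    return allowlist is None or source in allowlist


def validate_signature_order(sigs: List[CollectorSignature]) -> List[str]:
    """Checks to run before Distribute: the generic collector must be last with
    an empty signature, no other entry may be empty (it would swallow every
    event below it), and no signature may repeat."""
    problems: List[str] = []
    if not sigs:
        return ["signature list is empty"]
    last = sigs[-1]
    if last.collector != GENERIC:
        problems.append(f"last entry is {last.collector!r}, expected {GENERIC!r}")
    elif last.signature != "":
        problems.append("generic collector must have an empty signature")
    for i, s in enumerate(sigs[:-1]):
        if s.signature == "":
            problems.append(f"entry {i} ({s.collector!r}) is empty and shadows all later entries")
    seen: Set[str] = set()
    for s in sigs:
        if s.signature in seen:
            problems.append(f"duplicate signature {s.signature!r}")
        seen.add(s.signature)
    return problems


def route(message: str, sigs: List[CollectorSignature]) -> Optional[str]:
    """Top-to-bottom, first match wins; later signatures are never tried.
    Returns None only when nothing matched (no catch-all configured)."""
    for s in sigs:
        if s.signature == "" or s.signature in message:
            return s.collector
    return None


def route_batch(events: List[Tuple[str, str]], allowlist: Optional[Set[str]],
                sigs: List[CollectorSignature]) -> List[Tuple[str, Optional[str]]]:
    """Apply the host filter, then the signature list, to (source_ip, message)
    pairs. Events from hosts outside the allowlist are reported as 'DROPPED'."""
    return [(msg, route(msg, sigs) if host_allowed(src, allowlist) else "DROPPED")
            for src, msg in events]


# Constructed sample events modelled on the two SG565 lines in the article.
SAMPLE_EVENTS = [
    ("192.168.14.2", "Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 httpd[4446]: unable to authenticate..."),
    ("192.168.14.2", "Dec 10 16:37:09 192.168.14.2 Dec 10 14:34:32 SG565 fpd[456]: ...."),
    ("192.168.14.3", "Dec 10 16:38:00 192.168.14.3 Dec 10 14:35:10 webfe1 httpd[902]: GET /index.html"),
    ("10.9.9.9", "Dec 10 16:38:05 10.9.9.9 Dec 10 14:35:12 rogue kernel: unsolicited event"),
]

# Hypothetical collector names and signatures; real match strings come from
# each collector's documentation.
GOOD_ORDER = [
    CollectorSignature("SG565 Collector", "SG565"),       # unique host name first
    CollectorSignature("Web Server Collector", "httpd"),  # broader pattern below it
    CollectorSignature(GENERIC, ""),                      # catch-all last, empty
]
BAD_ORDER = [GOOD_ORDER[1], GOOD_ORDER[0], GOOD_ORDER[2]]  # broad pattern promoted


if __name__ == "__main__":
    print("config problems:", validate_signature_order(GOOD_ORDER) or "none")
    allow = parse_host_names("192.168.14.2; 192.168.14.3")
    for msg, dest in route_batch(SAMPLE_EVENTS, allow, GOOD_ORDER):
        print(f"{str(dest):<28} <- {msg}")
    # With the broad "httpd" signature above the unique host name, SG565's
    # httpd line is misrouted to the web server collector.
    print("misrouted to:", route(SAMPLE_EVENTS[0][1], BAD_ORDER))
```

Running the block routes both SG565 lines to the SG565 collector, the webfe1 line to the web server collector, the unmatched kernel line to the generic collector, and drops the event from 10.9.9.9 because it is outside the Host Names allowlist; the final line shows the false match that results from promoting the broader signature above the unique one.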