1. In the Enforce Console, navigate to Manage -> Policies -> Repose Rules

2. Create a response rule and add action "Log to Syslog Server", or edit an existing response rule with the action already configured.

3. Specify the Host, Port, Protocol and TLS Client authentication when applicable

4. Populate the Message field with a CEF formatted entry. You can use the example below, or use it as a base line for your own, depending on what information you want to reach the Syslog server.

The CEF:0 in the beginning of the message is a common CEF prefix and it will be used by the Syslog server to identify the message as CEF. The remainder of the example message contains a couple static fields, such as "Broadcom", "DLP, or "16.0". You may modify those as needed. The rest of the message consists of common Incident variables. $VARIABLE_NAME$ will be replaced by actual data from the incident as the message is sent out to the Syslog server.

CEF:0|Broadcom|DLP|16.0|ruleID|$POLICY$|5|INCIDENT_ID=$INCIDENT_ID$ APPLICATION_USER=$APPLICATION_USER$ ENDPOINT_MACHINE=$ENDPOINT_MACHINE$ ENDPOINT_USERNAME=$ENDPOINT_USERNAME$ MACHINE_IP=$MACHINE_IP$ SEVERITY=$SEVERITY$ BLOCKED=$BLOCKED$

5. Specify the level (severity) of the message.

6. Save the changes and add the response rule to a Policy.