Collecting Syslogs

Syslog is a logging service most commonly used by Linux- and UNIX-based systems. The concept behind Syslog is that the logging of events and information is handled entirely by a dedicated server, the ‘Syslog Server’.

Unlike Windows® event logs and text-log-based systems, Syslog-enabled devices send events in the form of data messages (known as ‘Syslog Messages’) to a Syslog server, which interprets and manages the messages and saves the data to a log file.

Syslog messages are notifications or alerts that UNIX- and Linux-based systems generate and transmit to a Syslog server whenever important events occur. They can originate from workstations and servers as well as from active network devices and appliances, such as Cisco routers and Cisco PIX firewalls, to record failures and security violations, among other activities. In order to process Syslog messages, GFI EventsManager ships with a built-in Syslog server. This Syslog server automatically collects, in real time, all Syslog messages/events sent by Syslog sources and passes them on to the event processing engine. Out of the box, GFI EventsManager supports events generated by various network devices from leading manufacturers, including Cisco and Juniper.

Note

For more information about supported devices visit the following KBASE article: http://go.gfi.com/?pageid=esm_syslog_snmp_support

Note

A built-in buffer allows the Syslog server to collect, queue and forward up to 30 Syslog messages at a time. Buffered logs are by default passed on to the event processing engine as soon as the buffer fills up or at one-minute intervals, whichever comes first.
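To make the buffering behaviour concrete, here is an added illustration (not GFI's implementation) of a queue that flushes on the same two conditions: 30 messages or one minute since the batch started, whichever comes first. `SyslogBuffer` and `demo` are names chosen for the example, the clock is injected so the one-minute case can be walked through without waiting, and the queued lines are constructed.

```python
import time
from typing import Callable, Dict, List


class SyslogBuffer:
    """Queue incoming Syslog messages and hand them to the processing engine in
    batches, as the built-in buffer described above does: a batch is flushed
    when it reaches MAX_MESSAGES or when FLUSH_INTERVAL seconds have elapsed
    since its first message arrived, whichever comes first. The two limits are
    the page's figures; the class itself is an added illustration."""

    MAX_MESSAGES = 30       # buffer capacity stated on the page
    FLUSH_INTERVAL = 60.0   # one-minute interval stated on the page

    def __init__(self, engine: Callable[[List[str]], None],
                 clock: Callable[[], float] = time.monotonic):
        self._engine = engine        # receives each flushed batch
        self._clock = clock          # injectable so the timing can be tested
        self._queue: List[str] = []
        self._batch_started = 0.0    # clock reading when the current batch began

    def push(self, message: str) -> bool:
        """Queue one message; return True if a flush happened as a result."""
        flushed = self.tick()        # an expired batch goes out before the new message joins
        if not self._queue:
            self._batch_started = self._clock()
        self._queue.append(message)
        if len(self._queue) >= self.MAX_MESSAGES:
            self._flush()
            flushed = True
        return flushed

    def tick(self) -> bool:
        """Timer hook: flush a partially filled batch once the interval has elapsed."""
        if self._queue and self._clock() - self._batch_started >= self.FLUSH_INTERVAL:
            self._flush()
            return True
        return False

    def pending(self) -> int:
        return len(self._queue)

    def _flush(self) -> None:
        batch, self._queue = self._queue, []
        self._engine(batch)


def demo() -> Dict[str, object]:
    """Walk through both flush conditions with a fake clock (constructed input)."""
    now = [0.0]
    batches: List[List[str]] = []
    buf = SyslogBuffer(batches.append, clock=lambda: now[0])
    for i in range(29):
        buf.push(f"<13>Oct  5 14:00:00 host1 app: message {i}")
    after_29 = len(batches)               # 29 queued, nothing sent yet
    buf.push("<13>Oct  5 14:00:00 host1 app: message 29")   # 30th fills the buffer
    after_30 = len(batches)               # first batch (30 messages) sent
    buf.push("<13>Oct  5 14:00:30 host1 app: a lone message")
    now[0] = 59.0
    buf.tick()                            # interval not yet elapsed
    at_59 = len(batches)
    now[0] = 60.0
    buf.tick()                            # one minute elapsed: lone message sent
    at_60 = len(batches)
    return {"after_29": after_29, "after_30": after_30, "at_59": at_59,
            "at_60": at_60, "batch_sizes": [len(b) for b in batches],
            "pending": buf.pending()}


if __name__ == "__main__":
    print(demo())
```

The practical consequence for detection is the one the note implies: a single high-severity message that arrives into an otherwise quiet buffer can wait up to a minute before any rule set sees it.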

Syslog messages must be directed to the computer running GFI EventsManager

Important

Before you start collecting Syslogs, every Syslog event source (workstations, servers and/or network devices) must be configured to send its Syslog messages to the computer name or IP address of the machine where GFI EventsManager is installed.
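A quick way to confirm that a source can reach the collector is to send it one well-formed message and check that it appears in GFI EventsManager. The script below is an added example written for this page, not part of GFI EventsManager: it builds a BSD/RFC 3164 syslog line (the `<PRI>` prefix is facility × 8 + severity) and sends it to the collector over UDP or TCP. The collector name `EVENTSMANAGER_HOST` is a placeholder, port 514 is the default the page states, the newline-terminated TCP framing is an assumption, and the sample text is constructed. Control characters are replaced before sending because a newline inside the text would otherwise be read by the collector as a second, separate entry.

```python
import socket
from datetime import datetime
from typing import Optional

# Facility and severity codes as defined by the BSD/RFC 3164 syslog format.
# These are standard values, not GFI-specific settings.
FACILITY = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, timestamp: Optional[datetime] = None) -> str:
    """Format one BSD-style syslog line: <PRI>TIMESTAMP HOST TAG: TEXT."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = timestamp or datetime.now()
    # RFC 3164 pads a single-digit day with a space ("Oct  5"), not a zero.
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    # A syslog message is one line: a newline or other control character in the
    # text would be read by the collector as the start of a second, forged entry,
    # so replace control characters before sending.
    clean = "".join(ch if ch >= " " and ch != "\x7f" else " " for ch in text)
    return f"<{pri}>{stamp} {hostname} {tag}: {clean}"


def sample_message() -> str:
    """Deterministic example with a constructed timestamp and text (used below)."""
    return build_message("auth", "warning", "web01", "sshd[2211]",
                         "Failed password for invalid user admin\nfake second line",
                         timestamp=datetime(2024, 10, 5, 14, 3, 7))


def send_test_message(collector: str, port: int = 514, proto: str = "udp",
                      hostname: str = "testhost",
                      text: str = "GFI EventsManager syslog test") -> bytes:
    """Send a single test message to the collector and return the bytes sent.
    'collector' is the name or IP of the GFI EventsManager machine. Port 514 is
    the page's default; newline-terminated TCP framing is an assumption of this
    example, not something the page states."""
    payload = build_message("local0", "notice", hostname, "syslogtest", text).encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (collector, port))
    else:
        with socket.create_connection((collector, port), timeout=5) as s:
            s.sendall(payload + b"\n")
    return payload


if __name__ == "__main__":
    print(sample_message())
    # Replace EVENTSMANAGER_HOST with the name or IP address of the GFI EventsManager machine.
    print(send_test_message("EVENTSMANAGER_HOST").decode())
```

Run it with the placeholder replaced by the name or IP address of the GFI EventsManager machine; the printed line is what the collector should show under the configured event source.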

To collect Syslogs:

1. From the Configuration tab > Event Sources, right-click an event source or group and select Properties.

Collecting Syslogs - Syslogs options

2. Click the Syslog tab and select Accept Syslog messages to EventsManager to enable the collection of Syslogs from that event source or event source group.

3. From the Syslog parsing schema drop-down, select the method by which the GFI EventsManager Syslog Server interprets Syslog messages from network devices. Select from:

  • Simple Syslog message
  • Standard Linux message
  • Juniper Network Firewall
  • Cisco ASA

4. Click Advanced… to use a custom Windows code page. Specify the code page and click OK.

Note

A Windows® code page is used to encode international characters as ASCII strings. Since Syslog is not Unicode compliant, GFI EventsManager uses a code page to decode the events. This is only applicable if GFI EventsManager is installed on a machine using a different language than the monitored machines. For more information, refer to: http://go.gfi.com/?pageid=esm_code_page

5. Select Archive events in database to archive collected events without applying event processing rules. An archive is a collection of events stored in the SQL Server-based database backend of GFI EventsManager.

6. Select Process using these rule sets and choose the rule sets you want to run against the collected events.

7. Click Apply and OK.

Note

The GFI EventsManager Syslog server is by default configured to listen for Syslog messages on port 514. For more information, refer to Configuring the Syslog server communications port.

Important

Deleting event logs without archiving may lead to legal compliance penalties.
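The parsing schemas in step 3 differ in how much structure the server expects in a message. The following added example (written for this page, not GFI code) parses the three shapes most relevant here: a bare line (Simple Syslog message), a BSD/RFC 3164 line with a `TAG[pid]:` prefix (Standard Linux message) and a Cisco ASA line, whose `%ASA-<severity>-<id>:` mnemonic carries the device's own severity and message id. The field names, the `parse` function and the sample lines are constructed for the example; the facility/severity arithmetic (PRI = facility × 8 + severity) is the standard syslog definition. Choosing the wrong schema for a device does not lose the message, but it leaves fields such as the ASA message id unparsed, so rule sets that key on them will not fire.

```python
import re
from typing import Dict, List

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> prefix; PRI = facility * 8 + severity, so 0..191 is the valid range.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")
# BSD/RFC 3164 header: "Mmm dd hh:mm:ss hostname " (single-digit day padded with a space).
HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Standard Linux tag: "program[pid]: text" or "program: text".
LINUX_TAG_RE = re.compile(r"^(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$")
# Cisco ASA mnemonic: "%ASA-<severity>-<message id>: text".
ASA_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<msg>.*)$")

# Constructed sample lines using documentation addresses, not captured from any device.
SAMPLE_LINES: List[str] = [
    "<38>Oct  5 14:03:07 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "<166>Oct  5 14:03:08 fw01 %ASA-6-302013: Built outbound TCP connection 8841 for outside:198.51.100.7/443 to inside:10.0.0.12/51023",
    "<13>Oct  5 14:03:09 host1 plain text without a tag",
    "<999>a PRI outside the valid range",
    "a line with no PRI at all",
]


def parse(line: str) -> Dict:
    """Classify one message into the 'simple', 'linux' or 'cisco_asa' shape and
    extract its fields. Unparseable input is never dropped: it comes back as a
    'simple' event so the raw line can still be archived."""
    ev: Dict = {"raw": line, "schema": "simple", "message": line,
                "facility": None, "severity": None, "severity_name": None}
    m = PRI_RE.match(line)
    if not m:
        return ev
    pri = int(m["pri"])
    if pri > 191:
        ev["error"] = f"invalid PRI {pri}"
        return ev
    facility, severity = divmod(pri, 8)
    ev.update(facility=facility, severity=severity, severity_name=SEVERITY_NAMES[severity])
    body = m["rest"]
    h = HEADER_RE.match(body)
    if h:
        ev.update(timestamp=h["ts"], host=h["host"])
        body = h["rest"]
    ev["message"] = body
    asa = ASA_RE.search(body)
    if asa:
        # The device's own severity (0-7) can differ from the PRI severity and
        # is the value an ASA-specific rule set usually keys on.
        ev.update(schema="cisco_asa", message_id=asa["id"],
                  device_severity=int(asa["sev"]), message=asa["msg"])
        return ev
    t = LINUX_TAG_RE.match(body)
    if t:
        ev.update(schema="linux", tag=t["tag"],
                  pid=int(t["pid"]) if t["pid"] else None, message=t["msg"])
    return ev


def parse_all(lines: List[str]) -> List[Dict]:
    return [parse(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_LINES):
        print(ev["schema"], ev.get("host"), ev.get("severity_name"), "-", ev["message"][:40])
```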

Configuring the Syslog server communications port


To change the default Syslog port settings:

1. Click the Configuration tab > Options.

2. Right-click Syslog Server Options and select Edit Syslog options…

Syslog server options

3. Select Enable in-built Syslog server on TCP port: and specify the TCP port on which GFI EventsManager will listen for Syslog messages.

4. Select Enable in-built Syslog server on UDP port: and specify the UDP port on which GFI EventsManager will listen for Syslog messages.

5. Click Apply and OK.

Note

When configuring Syslog server port settings, make sure that the configured port is not already in use by another installed application. A port conflict can prevent Syslog messages from being delivered to GFI EventsManager.
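One way to apply this note before saving the settings is to attempt the same bind the Syslog server will attempt. The following added example (not GFI code) does that for both the TCP and UDP listeners; `port_is_free`, `check_syslog_ports` and `demo_conflict` are names chosen for this example, and the demonstration uses an ephemeral loopback port so it runs without administrative rights.

```python
import errno
import socket
from typing import Dict


def port_is_free(port: int, proto: str = "udp", host: str = "0.0.0.0") -> bool:
    """Return True if nothing is bound to host:port for the given protocol.

    The check does exactly what the Syslog server does at start-up: it tries to
    bind the socket. EADDRINUSE means another application already owns the port
    (on Windows, Python reports WSAEADDRINUSE under the same errno name).
    A PermissionError (binding a port below 1024 without the required
    privilege) is re-raised, because it is not a conflict."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
            return True
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False
            raise


def check_syslog_ports(tcp_port: int = 514, udp_port: int = 514,
                       host: str = "0.0.0.0") -> Dict[str, bool]:
    """Check both the TCP and UDP listeners before saving the settings."""
    return {"tcp": port_is_free(tcp_port, "tcp", host),
            "udp": port_is_free(udp_port, "udp", host)}


def demo_conflict() -> Dict[str, bool]:
    """Demonstrate the check on loopback with an ephemeral port: occupy a port,
    check it, release it, check again (constructed scenario)."""
    results: Dict[str, bool] = {}
    for proto, kind in (("udp", socket.SOCK_DGRAM), ("tcp", socket.SOCK_STREAM)):
        holder = socket.socket(socket.AF_INET, kind)
        holder.bind(("127.0.0.1", 0))          # the OS picks a free port
        if proto == "tcp":
            holder.listen(1)
        port = holder.getsockname()[1]
        results[f"{proto}_while_bound"] = port_is_free(port, proto, "127.0.0.1")
        holder.close()
        results[f"{proto}_after_close"] = port_is_free(port, proto, "127.0.0.1")
    return results


if __name__ == "__main__":
    print(check_syslog_ports())   # {'tcp': True, 'udp': True} when port 514 is unused
    print(demo_conflict())
```

Run `check_syslog_ports()` with the ports you intend to enter in the dialog; a `False` entry means another application already holds that port and the Syslog server would fail to bind to it.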