Creating a Syslog Alert Response

When configuring a syslog alert response, you can specify the severity and facility associated with the syslog messages to ensure that they are processed properly by the syslog server. The facility identifies the subsystem that generated the message, and the severity indicates how urgent the message is. Facilities and severities are not displayed in the actual message text that appears in the syslog; instead, they tell the system that receives the syslog message how to categorize it.

Tip

For more detailed information about how syslog works and how to configure it, refer to the documentation for your system. On UNIX systems, the man pages for syslog and syslog.conf provide conceptual information and configuration instructions.

Although you can choose any type of facility when creating a syslog alert response, you should choose one that makes sense based on your syslog server; not all syslog servers support all facilities. For UNIX syslog servers, the syslog.conf file should indicate which facilities are saved to which log files on the server.

Before you begin

Procedure


Step 1

Choose Policies > Actions > Alerts.

Step 2

From the Create Alert drop-down menu, choose Create Syslog Alert.

Step 3

Enter a Name for the alert.

Step 4

In the Host field, enter the hostname or IP address of your syslog server.

Note

The system does not warn you if you enter an invalid IPv4 address (such as 192.168.1.456) in this field. Instead, the invalid address is treated as a hostname.

Step 5

In the Port field, enter the port the server uses for syslog messages. By default, this value is 514.

Step 6

From the Facility list, choose a facility described in Syslog Alert Facilities.

Step 7

From the Severity list, choose a severity described in Syslog Severity Levels.

Step 8

In the Tag field, enter the tag name that you want to appear with the syslog message.

For example, if you wanted all messages sent to the syslog to be preceded with FromMC, enter FromMC in the field.

Step 9

Click Save.
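As an added example (not part of this documentation or the product), the following Python script shows what the Host, Facility, Severity and Tag settings above become on the wire and how a receiving syslog server categorizes them. The sending host name "fmc", the timestamp and the message text are constructed placeholders; the facility and severity codes are the standard RFC 3164 values.

```python
import ipaddress
import re

# Facility and severity codes from RFC 3164 (a subset is enough here).
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "local0": 16,
              "local4": 20, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def host_field_kind(value):
    """Mirror the note above: only a well-formed IPv4 literal is an address;
    anything else, including 192.168.1.456, is treated as a hostname."""
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        return "hostname"


def build_syslog_message(facility, severity, tag, text,
                         timestamp="Jan  1 00:00:00", host="fmc"):
    """Sender side (RFC 3164 layout): facility and severity are folded into the
    PRI header <facility*8 + severity>; neither name appears in the text.
    'fmc', the timestamp and the text are constructed placeholders."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {host} {tag}: {text}"


def classify_syslog_message(line):
    """Receiver side: decode PRI back into facility and severity, which is what
    a syslog.conf selector such as local4.warning matches on."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI header")
    facility_code, severity_code = divmod(int(m.group(1)), 8)
    return {"facility": FACILITY_NAMES.get(facility_code, str(facility_code)),
            "severity": SEVERITY_NAMES.get(severity_code, str(severity_code)),
            "body": m.group(2)}


def selector_matches(selector, facility, severity):
    """Classic syslog.conf semantics: facility.severity matches that severity
    and anything more urgent (lower code); '*' matches every facility."""
    sel_fac, sel_sev = selector.split(".")
    if sel_fac not in ("*", facility):
        return False
    return SEVERITIES[severity] <= SEVERITIES[sel_sev]
```

Run `classify_syslog_message` over a captured line from your server to confirm the facility and severity you chose in Steps 6 and 7 are the ones the server's syslog.conf selector routes to the intended log file.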


What to do next

Changes take effect immediately, EXCEPT:

If you are using alert responses to send connection logs to a syslog server, you must deploy configuration changes after you edit those alert responses.

If you will use this alert response for security events, you MUST specify the alert response in a policy. See Configuration Locations for Security Event Syslogs.