Creating a Syslog Alert Response
When configuring a syslog alert response, you can specify the severity and facility associated with the syslog messages to ensure that they are processed properly by the syslog server. The facility indicates the subsystem that creates the message, and the severity indicates how urgent the message is. Facilities and severities are not displayed in the actual message that appears in the syslog; instead, they tell the system that receives the syslog message how to categorize it.
Tip: For more detailed information about how syslog works and how to configure it, refer to the documentation for your system. On UNIX systems, the
Although you can choose any type of facility when creating a syslog alert response, you should choose one that makes sense based on your syslog server; not all syslog servers support all facilities. For UNIX syslog servers, the syslog.conf file should indicate which facilities are saved to which log files on the server.
Before you begin
- This procedure is not the recommended way to send syslog messages in many cases. For specifics, see Best Practices for Configuring Security Event Syslog Messaging.
- Confirm that the syslog server can accept remote messages.
Procedure
Step 1: Choose .
Step 2: From the Create Alert drop-down menu, choose Create Syslog Alert.
Step 3: Enter a Name for the alert.
Step 4: In the Host field, enter the hostname or IP address of your syslog server.
Step 5: In the Port field, enter the port the server uses for syslog messages. By default, this value is 514.
Step 6: From the Facility list, choose a facility described in Syslog Alert Facilities.
Step 7: From the Severity list, choose a severity described in Syslog Severity Levels.
Step 8: In the Tag field, enter the tag name that you want to appear with the syslog message. For example, if you wanted all messages sent to the syslog to be preceded with
Step 9: Click Save.
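The following Python example is added to this page; it is not part of the Cisco documentation or the product. It shows what the Facility and Severity chosen in Steps 6 and 7, the port from Step 5 and the Tag from Step 8 become on the wire: the facility and severity are folded into the numeric PRI field (facility * 8 + severity) in front of the message, so their names never appear in the message text, and a receiving UNIX syslogd recovers them from PRI to decide which log file gets the line, as a syslog.conf selector table does. The hostname sensor1, the tag FTD, the message texts, the fixed timestamp and the selector table are constructed sample values, and syslog.example.com is a placeholder.

```python
import re
import socket
from datetime import datetime
from typing import Optional

DEFAULT_PORT = 514  # default syslog port, as noted in Step 5

# Standard syslog facility and severity codes (numbering from RFC 3164 / RFC 5424).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = {code: name for name, code in SEVERITIES.items()}


def pri(facility: str, severity: str) -> int:
    """Encode facility and severity into the numeric PRI: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility: str, severity: str, tag: str, text: str,
                  hostname: str = "sensor1", when: Optional[datetime] = None) -> str:
    """Build a BSD-style (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.

    The facility and severity names are not written into the text; only the
    PRI carries them. The hostname and fixed timestamp are constructed values.
    """
    when = when or datetime(2024, 1, 15, 10, 30, 0)
    stamp = f"{when:%b} {when.day:>2} {when:%H:%M:%S}"  # day is space-padded
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def parse_message(line: str) -> dict:
    """Decode a line the way a receiving syslog server does: split PRI back
    into facility and severity codes, then map the codes to their names."""
    m = _LINE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    code = int(m["pri"])
    if code > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {code}")
    facility_code, severity_code = divmod(code, 8)
    return {
        "facility": FACILITY_NAMES.get(facility_code, f"facility{facility_code}"),
        "severity": SEVERITY_NAMES[severity_code],
        "host": m["host"],
        "tag": m["tag"],
        "msg": m["msg"],
    }


# Constructed stand-in for a syslog.conf selector table: "facility.severity"
# -> destination file. "*" matches any facility or any severity; a named
# severity matches that level and anything more severe (lower code).
SAMPLE_SELECTORS = [
    ("local4.*", "/var/log/firepower.log"),
    ("*.err", "/var/log/errors.log"),
]


def route(parsed: dict, selectors=SAMPLE_SELECTORS) -> list:
    """Return the files a UNIX syslogd with these selectors would write the message to."""
    targets = []
    for selector, target in selectors:
        facility, severity = selector.split(".", 1)
        if facility not in ("*", parsed["facility"]):
            continue
        if severity != "*" and SEVERITIES[parsed["severity"]] > SEVERITIES[severity]:
            continue
        targets.append(target)
    return targets


def send_udp(line: str, host: str, port: int = DEFAULT_PORT) -> None:
    """Send one message over UDP, the classic syslog transport (Steps 4 and 5)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))


if __name__ == "__main__":
    line = build_message("local4", "alert", "FTD", "Intrusion event detected")
    print(line)  # <161>Jan 15 10:30:00 sensor1 FTD: Intrusion event detected
    parsed = parse_message(line)
    print(parsed["facility"], parsed["severity"], route(parsed))
    # send_udp(line, "syslog.example.com")  # placeholder host; uncomment with a real server
```

Running the block prints the encoded line and the facility, severity and destination files recovered from it. Because a message with an unsupported facility still arrives with a valid PRI, the receiving server silently drops or misfiles it when no selector matches, which is why the facility should be chosen to fit the server's syslog.conf rather than picked arbitrarily.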
What to do next
Changes take effect immediately, EXCEPT:
- If you are using alert responses to send connection logs to a syslog server, you must deploy configuration changes after you edit those alert responses.
- If you will use this alert response for security events, you MUST specify the alert response in a policy. See Configuration Locations for Security Event Syslogs.