7.5	Collecting and processing Syslogs

Syslog is a data logging service that is most commonly used in Linux and UNIX based environments. The concept behind Syslogs is that the logging of events and information is entirely handled by a dedicated server called ‘Syslog Server’. This means that unlike Windows and W3C log based environments, regular programs do not log any information. They just send events in the form of data messages (technically known as ‘Syslog Messages’) to a Syslog server that will manage the message and save the data in a log file.

Screenshot 61 - Computer group properties: Syslog processing parameters

In order to process Syslog messages, GFI EventsManager ships with a built-in Syslog Server. This Syslog server will automatically collect, in real-time, all Syslog messages/events sent by Syslog sources and pass them on to the event processing engine. Out-of-the-box GFI EventsManager supports events generated by various network devices manufactured by leading providers including Cisco and Juniper. For more information about supported devices visit: http://kbase.gfi.com/showarticle.asp?id=KBID002868.

A built-in buffer allows the Syslog server to collect, queue and forward up to 30 Syslog messages for batch processing. Buffered logs are by default passed on to the event processing engine as soon as the buffer fills up or at 1 minute intervals whichever comes first.

 

Figure 6 - Syslog messages must be directed to the computer running GFI EventsManager

NOTE: For Syslog message processing, ALL Syslog sources (e.g. workstations, servers, network appliances, etc.) must be configured to send their messages to the computer/IP where GFI EventsManager is installed. This applies also for the computer that is running GFI EventsManager.

In GFI EventsManager, Syslog event processing parameters are configured as follows:

1. Open up the (computer/computer group) properties dialog.

2. Click on the Syslog tab.

3. To enable the Syslog server and listen for messages sent by the computers in a computer group, select the option ‘Accept Syslog Messages from this computer group’.

IMPORTANT: Deleting events from source logs without having them archived or backed-up may lead to legal compliance issues. Please make sure to archive or backup important events according to the standards implied by data retention and data protection regulations.

NOTE 1: The GFI EventsManager Syslog server is by default configured to listen for Syslog messages on port 514. For more information on how to customize Syslog server port settings refer to the ‘Configuring Syslog server communications port’ section in this chapter.

NOTE 2: The built-in Syslog server will only accept Syslog messages sent from the computers that are part of this computer group.

Archiving Syslog events

For information on how to archive events refer to the ‘Archiving events’ section in this chapter.

Selecting Syslog processing rules

For information on how to select event processing rules refer to the ‘Selecting event processing rules’ section in this chapter.