Configuring a BalaBit Syslog-ng Agent syslog destination

The event logs that Microsoft ISA or TMG write cannot be parsed by the BalaBit Syslog-ng Agent for Windows itself, so you must forward them to a BalaBit Syslog-ng Premium Edition (PE) relay on Linux® or UNIX, which parses the events and forwards them to QRadar.

About this task

To forward your TMG and ISA event logs, you must specify the IP address for your PE relay and configure a message template for the LEEF format. The BalaBit Syslog-ng PE acts as an intermediate syslog server to parse the events and to forward the information to IBM QRadar.

Procedure

  1. From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

    The Syslog-ng Agent window is displayed.

  2. Expand the Syslog-ng Agent Settings pane, and click Destinations.
  3. Double-click Add new Server.
  4. On the Server tab, click Set Primary Server.
  5. Configure the following parameters:
    • For the Server Name, type the IP address of your BalaBit Syslog-ng PE relay.

    • For the Server Port, type 514 as the TCP port number for events that are forwarded to your BalaBit Syslog-ng PE relay.

    The legacy BSD syslog protocol selected in the next steps carries the events in clear text, so the TCP connection from the agent to the PE relay should cross only a trusted management network.

  6. Click the Messages tab.
  7. From the Protocol list, select Legacy BSD Syslog Protocol.
  8. From the File Message Format pane, in the Message Template field, type the following code:

    ${FILE_MESSAGE}${TZOFFSET}

  9. Click Apply, and then click OK.

    The destination configuration is complete. You are now ready to filter comment lines from the event log.
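The following check is an added example and is not part of this documentation or of the BalaBit product. It is meant to be run on the PE relay side against a few captured lines, to confirm that the agent destination really emits what the steps above configure: a legacy BSD syslog header followed by the raw log line and the timezone offset that the ${FILE_MESSAGE}${TZOFFSET} template appends. It assumes that the header has the RFC 3164 shape "<PRI>Mmm dd hh:mm:ss host message" and that ${TZOFFSET} expands to "+HH:MM" or "-HH:MM"; the host name TMG01, the W3C field names and the data line are constructed samples, not real TMG output.

```python
"""Check lines received from the syslog-ng Agent destination configured above.

Added example (not BalaBit or IBM code). Assumes legacy BSD syslog framing
("<PRI>Mmm dd hh:mm:ss host message") and that ${FILE_MESSAGE}${TZOFFSET}
expands to the raw file line followed directly by a "+HH:MM"/"-HH:MM" offset.
"""
import re

# RFC 3164 header: <PRI>, a 15-character timestamp, then the host name.
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# The ${TZOFFSET} suffix added by the message template, e.g. "+01:00".
TZOFFSET = re.compile(r"(?P<offset>[+-]\d{2}:\d{2})$")


def parse_agent_line(line: str) -> dict:
    """Split one received line into the syslog header fields, the original
    file line and the timezone offset appended by the template.

    Raises ValueError when the line does not look like output of the
    destination configured above, so a wrong template or protocol choice
    is noticed on the relay instead of being ingested silently.
    """
    line = line.rstrip("\r\n")
    m = BSD_HEADER.match(line)
    if not m:
        raise ValueError("not a legacy BSD syslog line: %r" % line[:60])
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    msg = m.group("msg")
    tz = TZOFFSET.search(msg)
    if not tz:
        raise ValueError("missing ${TZOFFSET} suffix; check the message template")
    file_message = msg[: tz.start()]
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "file_message": file_message,
        "tzoffset": tz.group("offset"),
        # W3C-style ISA/TMG log files begin directive lines with '#';
        # these are the comment lines that the next task filters out.
        "is_comment": file_message.startswith("#"),
    }


def looks_configured(line: str) -> bool:
    """True when the line matches what the destination above should emit."""
    try:
        parse_agent_line(line)
    except ValueError:
        return False
    return True


def data_lines(lines):
    """Yield parsed entries for data lines only, dropping W3C comment lines."""
    for line in lines:
        entry = parse_agent_line(line)
        if not entry["is_comment"]:
            yield entry


# Constructed samples (not real TMG output): two W3C comment lines and one
# data line, wrapped the way the agent destination is expected to send them.
SAMPLE_LINES = [
    "<13>Mar  5 10:15:01 TMG01 #Software: Microsoft Forefront TMG+01:00",
    "<13>Mar  5 10:15:01 TMG01 #Fields: c-ip\tcs-username\tsc-status+01:00",
    "<13>Mar  5 10:15:02 TMG01 10.0.0.7\tanonymous\t200+01:00",
]

if __name__ == "__main__":
    for entry in data_lines(SAMPLE_LINES):
        print(entry["host"], entry["tzoffset"], entry["file_message"])
```

A line that fails the check on the relay usually means either that the Messages tab still uses a protocol other than Legacy BSD Syslog Protocol or that the Message Template was typed without the ${TZOFFSET} macro.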