Facility and priority of syslog messages
The facility and priority of messages configured in the Guardium syslog can impact how they are consumed by the Security Incident Event Manager (SIEM).
You can send several types of messages to the syslog:
- Policy Alerts. For more information, see How to create a real-time alert.
- Correlation Alerts. For more information, see Correlation alerts.
- Audit Process results. For more information, see Building Audit Processes.
- Guardium® predefined alerts. See Predefined alerts.
Policy alerts and correlation alerts
When defining a policy or correlation alert, you can pick one of five severity levels from the drop-down list:
- info
- low
- none
- med
- high
Each severity setting assigns the resulting syslog messages a specific facility and priority:

| Severity of Policy Rule | Facility | Priority |
|---|---|---|
| info | daemon | info |
| low | daemon | warning |
| none | daemon | warning |
| med | daemon | error |
| high | daemon | alert |
Audit Process results
The Audit Process results are assigned the following facility and priority:

| Severity | Facility | Priority |
|---|---|---|
| NA | user | info |
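A SIEM does not see the words "daemon" or "warning" in the message; it sees the numeric PRI prefix (`<PRI>`) that syslog computes as facility × 8 + priority. The following Python script is an added example, not IBM's code or part of this page: it computes the PRI value for every row of both tables above, decodes the PRI prefix of a received line back into facility and priority, and lists which Guardium severities could have produced it. The sample log lines and the `audit_process` label are constructed for the example; the message bodies do not reproduce the real Guardium message format.

```python
"""Added example (not IBM's code): PRI values for the Guardium severity mappings
and a decoder that shows how a SIEM would classify each received line."""
import re

# Standard syslog facility and severity codes (RFC 5424 / RFC 3164 numbering).
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
PRIORITY_CODES = {
    "emerg": 0, "alert": 1, "crit": 2, "error": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
PRIORITY_NAMES = {code: name for name, code in PRIORITY_CODES.items()}

# The mappings from the two tables on this page. "audit_process" is a label
# chosen for this example to stand for the Audit Process results row; it is
# not a Guardium severity name.
GUARDIUM_MAPPING = {
    "info": ("daemon", "info"),
    "low": ("daemon", "warning"),
    "none": ("daemon", "warning"),
    "med": ("daemon", "error"),
    "high": ("daemon", "alert"),
    "audit_process": ("user", "info"),
}


def pri_value(facility, priority):
    """PRI = facility * 8 + priority, the number inside <...> at the line start."""
    return FACILITY_CODES[facility] * 8 + PRIORITY_CODES[priority]


def decode_pri(pri):
    """Split a PRI value back into (facility name, priority name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility_code, priority_code = divmod(pri, 8)
    if facility_code not in FACILITY_NAMES:
        raise ValueError(f"unassigned facility code: {facility_code}")
    return FACILITY_NAMES[facility_code], PRIORITY_NAMES[priority_code]


def guardium_severities_for(pri):
    """All Guardium severities whose configured facility/priority yield this PRI."""
    return sorted(sev for sev, (fac, prio) in GUARDIUM_MAPPING.items()
                  if pri_value(fac, prio) == pri)


def pri_table():
    """PRI for every row of the page's tables, keyed by Guardium severity."""
    return {sev: pri_value(fac, prio) for sev, (fac, prio) in GUARDIUM_MAPPING.items()}


PRI_PREFIX = re.compile(r"^<(\d{1,3})>")


def classify_line(line):
    """Read the PRI prefix of one syslog line and report how a SIEM would see it."""
    match = PRI_PREFIX.match(line)
    if match is None:
        raise ValueError("line has no <PRI> prefix")
    pri = int(match.group(1))
    facility, priority = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "priority": priority,
        "guardium_severity": guardium_severities_for(pri),
    }


# Constructed sample lines in RFC 3164 layout; the bodies are invented and do
# not reproduce the real Guardium message format.
SAMPLE_LINES = [
    "<25>Jan 10 09:15:02 guardium guard_sender: policy alert, severity high (constructed)",
    "<28>Jan 10 09:15:03 guardium guard_sender: policy alert, severity low or none (constructed)",
    "<14>Jan 10 09:20:00 guardium guard_sender: audit process result (constructed)",
]

if __name__ == "__main__":
    for sev, pri in pri_table().items():
        print(f"{sev:14s} -> PRI {pri}")
    for line in SAMPLE_LINES:
        print(classify_line(line))
```

Running the script shows the values a SIEM parser actually receives: high arrives as PRI 25, med as 27, info as 30, and Audit Process results as 14. It also makes the one ambiguity in the tables visible: low and none both produce daemon/warning (PRI 28), so a SIEM rule that keys only on facility and priority cannot tell them apart and must look at the message content to distinguish them.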