Configuring a BalaBit Syslog-ng Agent syslog destination
The event logs captured by Microsoft ISA or TMG cannot be parsed by the BalaBit Syslog-ng Agent for Windows, so you must forward your logs to a BalaBit Syslog-ng Premium Edition (PE) for Linux® or UNIX.
About this task
To forward your TMG and ISA event logs, you must specify the IP address for your PE relay and configure a message template for the LEEF format. The BalaBit Syslog-ng PE acts as an intermediate syslog server to parse the events and to forward the information to IBM® QRadar®.
- From the Start menu, select . The Syslog-ng Agent window is displayed.
- Expand the Syslog-ng Agent Settings pane, and click Destinations.
- Double-click Add new Server.
- On the Server tab, click Set Primary Server.
- Configure the following parameters:
  - For the Server Name, type the IP address of your BalaBit Syslog-ng PE relay.
  - For the Server Port, type 514 as the TCP port number for events that are forwarded to your BalaBit Syslog-ng PE relay.
- Click the Messages tab.
- From the Protocol list, select Legacy BSD Syslog Protocol.
- From the File Message Format pane, in the Message Template field, type the following code:
- Click Apply, and then click OK.
The destination configuration is complete. You are now ready to filter comment lines from the event log.
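As an added check that is not part of the original page: the Python below builds one event in the LEEF format the relay is expected to hand on to QRadar, wraps it in the legacy BSD syslog framing the agent uses with the destination configured above, and parses it back the way the relay must. The LEEF 1.0 header layout follows the public LEEF specification rather than the page's own message template (which is not shown here); the relay address, vendor and product names, hostname and attribute values are constructed sample data.

```python
import re
import socket
from datetime import datetime

RELAY_HOST = "192.0.2.10"  # constructed sample address; replace with your PE relay IP
RELAY_PORT = 514           # TCP port set in the destination configuration

# LEEF 1.0 header per the LEEF specification (assumed, not the page's template):
# LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
LEEF_HEADER = re.compile(r"^LEEF:1\.0\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(.*)$")
# Legacy BSD syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss HOST MSG
BSD_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def build_leef(vendor, product, version, event_id, attrs):
    """Render a LEEF 1.0 event: fixed header, then tab-separated key=value pairs."""
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:1.0|{vendor}|{product}|{version}|{event_id}|{body}"

def frame_bsd_syslog(message, hostname, facility=1, severity=6, when=None):
    """Wrap a message in legacy BSD syslog framing; day is space-padded as RFC 3164 requires."""
    when = when or datetime.now()
    pri = facility * 8 + severity
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{pri}>{ts} {hostname} {message}\n"

def parse_leef(line):
    """Strip BSD framing and split the LEEF header and attributes.
    Returns None when the payload is not a LEEF 1.0 event, i.e. what QRadar could not parse."""
    m = BSD_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    pri, _ts, host, msg = m.groups()
    h = LEEF_HEADER.match(msg)
    if not h:
        return None
    vendor, product, version, event_id, body = h.groups()
    attrs = dict(kv.split("=", 1) for kv in body.split("\t") if "=" in kv)
    return {"pri": int(pri), "host": host, "vendor": vendor, "product": product,
            "version": version, "event_id": event_id, "attrs": attrs}

def send_to_relay(line, host=RELAY_HOST, port=RELAY_PORT):
    """Deliver one framed event to the PE relay over TCP, the transport configured above."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode("utf-8"))

if __name__ == "__main__":
    evt = build_leef("Microsoft", "TMG", "2010", "allowed-connection",
                     {"src": "10.0.0.5", "dst": "198.51.100.7", "dstPort": "443", "action": "allow"})
    line = frame_bsd_syslog(evt, "tmg01")
    print(line, parse_leef(line))
    # send_to_relay(line)  # enable once the relay from the destination configuration is reachable
```

Run it once with `send_to_relay` enabled and confirm the event appears on the QRadar side; a `None` from `parse_leef` on the relay's output means the framing or template is wrong.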