Configure remote syslog objects to enable the system to
record system events in a remote log file.
About this task
If the connection to the remote syslog server drops, the virtual appliance generates
a system audit event. If you are using the TCP protocol, the virtual appliance writes
the events to an auxiliary storage file. When the connection is restored,
the events that are stored in this file are sent to the remote syslog
server. If the connection is not restored before the storage file
reaches its size limit, any additional events are dropped. The virtual appliance generates
another system audit event when the connection is reestablished.
Procedure
- From the top-level menu of the Appliance Dashboard,
click .
- In the System Audit Events page, do
one of the following steps.
- Click to display the Add Remote Syslog Object window.
- Select an existing remote syslog object and then click Edit to
display the Edit Remote Syslog Object window.
- Configure the following options.
Option | Description
--- | ---
Name | Specifies a meaningful name for the response.
Remote Syslog Collector | Specifies the fully qualified domain name or IP address of the host on which you want to save the log. Note: The host must be accessible to the virtual appliance.
Remote Syslog Collector Port | Specifies the custom port that is used to connect to the syslog collector. The default is 514.
QRadar Format Enabled | Select this check box to enable the virtual appliance to send events in QRadar LEEF format instead of RFC5424 remote syslog format.
Comment | Type a comment to identify the remote syslog object.
- Click Save Configuration.
What to do next
After you configure a remote syslog object, add the object
to the Added Objects pane on the System
Audit Events page. Add it so that the virtual appliance initiates
the response when specified events occur.
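The following is an added example, not code from this page or from the product: a small Python parser that a collector-side check can run on received lines to confirm which format the appliance is actually sending (RFC 5424, or QRadar LEEF when QRadar Format Enabled is selected) and to pull out the fields a SIEM rule would key on. The sample lines, vendor and product names are constructed, and the LEEF 2.0 delimiter handling is an assumption based on the public LEEF header layout.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)
# LEEF header: LEEF:Version|Vendor|Product|Version|EventID|  (a syslog header may precede it)
LEEF_RE = re.compile(
    r"LEEF:(?P<ver>1\.0|2\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pver>[^|]*)\|(?P<event>[^|]*)\|(?P<rest>.*)$"
)

def _leef_attrs(ver, rest):
    """Split the LEEF attribute section. LEEF 1.0 is tab-delimited; LEEF 2.0 may carry
    an explicit delimiter field (single char or xHH hex) before the attributes (assumption)."""
    delim = "\t"
    if ver == "2.0":
        head, sep, tail = rest.partition("|")
        if sep and re.fullmatch(r"x[0-9A-Fa-f]{2}", head):
            delim, rest = chr(int(head[1:], 16)), tail
        elif sep and len(head) == 1:
            delim, rest = head, tail
    return dict(kv.split("=", 1) for kv in rest.split(delim) if "=" in kv)

def parse_event(line):
    """Classify one received line as LEEF, RFC 5424 or unknown and extract key fields."""
    line = line.rstrip("\r\n")
    m = LEEF_RE.search(line)
    if m:
        return {"format": "leef", "leef_version": m.group("ver"), "vendor": m.group("vendor"),
                "product": m.group("product"), "event_id": m.group("event"),
                "attrs": _leef_attrs(m.group("ver"), m.group("rest"))}
    m = RFC5424_RE.match(line)
    if m:
        pri = int(m.group("pri"))  # PRI = facility * 8 + severity
        return {"format": "rfc5424", "facility": pri >> 3, "severity": pri & 7,
                "host": m.group("host"), "app": m.group("app"), "msg": m.group("msg") or ""}
    return {"format": "unknown", "raw": line}

# Constructed sample lines (not captured from a real appliance); vendor/product names are placeholders.
SAMPLES = [
    "<134>1 2024-05-01T12:00:00Z appliance.example.com audit - - - Connection to remote syslog server lost",
    "<13>May  1 12:00:01 appliance.example.com LEEF:1.0|ExampleVendor|Appliance|1.0|audit_conn_lost|src=192.0.2.10\tsev=5",
    "LEEF:2.0|ExampleVendor|Appliance|1.0|audit_conn_restored|^|src=192.0.2.10^sev=3",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_event(sample))
```

A collector that reports "unknown" for lines it receives on the configured port (default 514) is a quick sign that the format setting on the appliance and the parser on the SIEM side do not match.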