Designating a remote system log (syslog) server does not by itself cause the SMS to send anything to that server. You must also select the Remote System Log contact in the action sets whose events you want forwarded. After you apply those changes, the active filters that use the modified action set send their events to the designated server.

Procedure:

  1. Log in to the SMS from a client.
  2. On the SMS toolbar, select the Admin icon.
  3. In the SMS navigation pane, select the Server Properties page.
  4. On the Server Properties page, select the Syslog tab.

The top section of the Syslog panel lists the available pre-defined syslog formats. These formats are not user-configurable; if you need a custom format, copy one of the pre-defined formats and edit the copy. The bottom section of the Syslog panel lists any remote syslog servers already configured.

  5. In the bottom section of the Syslog panel, click New. The Create Remote Syslog Notification Settings dialog box opens.
  6. In the Syslog Server box, enter the IP address of the remote collector.
  7. Click Log Type and select ArcSight CEF Format v4.2 from the dropdown.
  8. Click Facility and select Security/Authorization from the dropdown.

With this facility selected, the setting sends IPS events to the remote syslog server. To forward SMS audit events as well, create a separate Remote Syslog Notification Setting that uses the Log Audit facility. The System Daemons facility covers the SMS daemons and is the one that carries SMS health events.

  9. Click OK when finished.

For customers on SMS v4.1 and earlier:

In SMS 4.1 and earlier, the built-in "ArcSight CEF" syslog format has swapped and missing fields, so the ArcSight connector does not receive the data it expects.

Workaround: edit a copy of the ArcSight CEF Format on the SMS so that it carries a "dvchost" entry and uses a fixed value for the "cs5" field (with a matching "cs5Label"), as described below.

Procedure:

  1. From the SMS client, navigate to Admin → Server Properties → Syslog.
  2. In the Syslog Formats section, select the ArcSight CEF Format entry.
  3. Click Copy. The Edit Syslog Format screen opens for the copy.
  4. Give the new syslog format a name.
  5. In the Pattern window, find the entry "cs5=${deviceName}" and change it to "cs5=SMS Name", where "SMS Name" is the simple DNS hostname (not the FQDN) of the SMS that sends the data to the ArcSight connector. This replaces the variable with a fixed string, so every message carries the SMS hostname in cs5.
  6. In the Pattern window, find the entry "cs5Label=Device Name" and change it to "cs5Label=SMS Name".
  7. Still in the Pattern window, add the entry "dvchost=${deviceName}" (dvchost is the CEF device-hostname key) to the extension part of the pattern, after the last key=value pair and separated from it by a space.
  8. In the Remote Syslog for Events section, create a new syslog server entry, select the newly created syslog format, and point it at the ArcSight connector.
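As an added example (not SMS or ArcSight code), the following Python applies the three pattern edits above to a constructed excerpt of the stock pattern, renders a message from a constructed IPS event, and parses the result as CEF to confirm that dvchost is present and that cs5/cs5Label carry the SMS name. The pattern excerpt, the ${...} placeholder names in it, the sample event and the hostnames sms01 and ips-dc1 are all assumptions for illustration; the real ArcSight CEF Format pattern on the SMS is longer.

```python
"""Apply the SMS 4.1 ArcSight CEF workaround to a pattern and verify the
rendered message. Added example; not SMS or ArcSight code. The pattern
excerpt, placeholder names and sample event below are constructed."""
import re

# Constructed excerpt in the style of the stock ArcSight CEF Format:
# header fields, a few extension fields, and the two the workaround edits.
ORIGINAL_PATTERN = (
    "CEF:0|TippingPoint|UnityOne|1.0|${signatureId}|${filterName}|${severity}|"
    "app=${protocol} src=${srcIp} spt=${srcPort} dst=${dstIp} dpt=${dstPort} "
    "cs5=${deviceName} cs5Label=Device Name"
)

# Constructed IPS event used to render a message from the pattern.
SAMPLE_EVENT = {
    "signatureId": "1234", "filterName": "Example Filter", "severity": "7",
    "protocol": "tcp", "srcIp": "192.0.2.10", "srcPort": "51515",
    "dstIp": "198.51.100.20", "dstPort": "80", "deviceName": "ips-dc1",
}


def apply_workaround(pattern: str, sms_name: str) -> str:
    """Return the pattern with the KB's three edits applied.

    sms_name must be the SMS's simple hostname (no dots), as the article
    requires; rejecting an FQDN here avoids shipping it into cs5."""
    if not sms_name or "." in sms_name or " " in sms_name:
        raise ValueError("sms_name must be a simple DNS hostname, not an FQDN")
    if "cs5=${deviceName}" not in pattern or "cs5Label=Device Name" not in pattern:
        raise ValueError("pattern does not look like the stock ArcSight CEF Format")
    out = pattern.replace("cs5=${deviceName}", f"cs5={sms_name}")
    out = out.replace("cs5Label=Device Name", "cs5Label=SMS Name")
    # dvchost is the CEF device-hostname key; the IPS name moves there.
    return out + " dvchost=${deviceName}"


def render(pattern: str, event: dict) -> str:
    """Substitute ${name} placeholders. Unknown names render empty, which is
    how a missing field shows up in a real message."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(event.get(m.group(1), "")), pattern)


def parse_cef(line: str) -> dict:
    """Parse a CEF:0 line into its seven header fields plus an 'ext' dict.

    Header pipes may be escaped as '\\|'. Extension values may contain
    spaces (cs5Label=SMS Name), so the extension is split on ' key='
    boundaries rather than on whitespace; '\\=' inside values is unescaped."""
    if not line.startswith("CEF:0|"):
        raise ValueError("not a CEF:0 line")
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header has fewer than 7 pipes")
    names = ["version", "vendor", "product", "device_version",
             "signature_id", "name", "severity"]
    rec = {n: v.replace("\\|", "|") for n, v in zip(names, parts[:7])}
    rec["ext"] = {
        m.group(1): m.group(2).replace("\\=", "=")
        for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", parts[7])
    }
    return rec


def check_workaround(line: str, sms_name: str) -> list:
    """Return the problems found in a rendered message; an empty list means
    the workaround is in effect on the sending SMS."""
    ext = parse_cef(line)["ext"]
    problems = []
    if not ext.get("dvchost"):
        problems.append("dvchost missing or empty")
    if ext.get("cs5") != sms_name:
        problems.append(f"cs5 is {ext.get('cs5')!r}, expected {sms_name!r}")
    if ext.get("cs5Label") != "SMS Name":
        problems.append(f"cs5Label is {ext.get('cs5Label')!r}, expected 'SMS Name'")
    return problems


if __name__ == "__main__":
    for label, pattern in (("stock", ORIGINAL_PATTERN),
                           ("fixed", apply_workaround(ORIGINAL_PATTERN, "sms01"))):
        msg = render(pattern, SAMPLE_EVENT)
        print(label, "->", msg)
        print("  problems:", check_workaround(msg, "sms01") or "none")
```

Running the script prints the stock message with three problems (no dvchost, cs5 still the IPS name, cs5Label still "Device Name") and the fixed message with none. The same check_workaround() call can be pointed at lines captured from the connector's raw log to confirm the SMS is actually sending the edited format, which is the part of the workaround that is easiest to get wrong: a typo in the key (dvhost instead of dvchost) passes the SMS editor but fails this check.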