Settings:

  Syslog Server: Hostname or IP address of the remote syslog server.
  Protocol: The transport protocol used to send event notifications to the remote syslog server. Valid options are UDP, TCP, and Encrypted TCP.
    Note: When URI information that includes URI strings is sent over UDP, data loss can result. For best results in logging URI string information, use either the TCP or Encrypted TCP protocol.
  Port: The port on the remote syslog server that receives syslog events.
  Log Type: The SMS uses the syslog format when sending event notifications to the remote syslog server. The format varies depending on the SMS version and the event itself. The format matters because the receiving server must know how to interpret the data. The SMS provides the following syslog format options:
    • SMS System: SMS system logging
    • SMS Audit: SMS audit logging
    • Device System: Device system logging
    • Device Audit: Device audit logging
    • Snort Syslog (MARS) [Deprecated]: Send Snort-configured-for-MARS events
    • Snort Syslog V2 [Deprecated]: Send Snort Version 2 events
    • SMS 2.0 / 2.1 Syslog Format: Send SMS v2.0 / 2.1 log events
    • SMS 2.5 Syslog Format: Send SMS v2.5 log events
    • ArcSight CEF Format v3.5 [Deprecated]: Send events to an ArcSight connector (Deprecated – does not support IPv6)
    • ArcSight CEF Format v4.1 [Deprecated]: Send events to an ArcSight connector (Deprecated – adds HTTP context information and IPv6 support)
    • ArcSight CEF Format v4.2: Send events to an ArcSight connector (Recommended – adds HTTP context information, TCIP/XFF client IP, and user information)
    Note: SMS and device syslog formats cannot be modified.
  Event Query: Determines whether the SMS sends all events or a selected set of events to the remote syslog server.
  Facility: Limits the events sent to the remote syslog server to a specific facility level. Facilities are defined by the BSD Syslog Protocol; refer to RFC 3164.
  Severity: Limits the events sent to the remote syslog server to events that match the specified severity.
  Delimiter: The character the SMS uses to separate event data fields in the syslog message. Options include tab, comma, semicolon, pipe, or space.
  Timestamp: Determines the timestamp the SMS includes in the header of messages sent to the remote syslog server:
    • None – No timestamp is included in the message header
    • SMS current timestamp – Timestamp when the SMS sends the message to the remote syslog server
    • Event timestamp – Original timestamp of the event that is being reported
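The Facility, Severity, Delimiter and Timestamp settings above all shape what the receiving server has to decode. The following receiver-side example is added here and is not SMS product code: it decodes the RFC 3164 PRI field (facility * 8 + severity), tolerates a header with or without the timestamp (the "None" option), splits the message body on the configured delimiter, and flags a message that arrived with fewer fields than expected, which is the symptom of the UDP data loss the note warns about. The two sample lines and their field layout are constructed for this example; the real SMS event layout is not shown on this page and is assumed to be a flat, delimiter-separated list of fields.

```python
"""Decode RFC 3164 headers and delimiter-separated event fields.

Added illustration only. The header handling follows RFC 3164; the
message field layout in the samples is constructed, not the SMS format.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 section 4.1.1: facility codes 0-23 and severity codes 0-7.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "cron2",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The Delimiter options offered by the SMS, mapped to the actual character.
DELIMITERS = {"tab": "\t", "comma": ",", "semicolon": ";", "pipe": "|", "space": " "}

# <PRI>, an optional "Mmm dd hh:mm:ss" timestamp (absent when the SMS
# Timestamp option is "None"), a hostname, then the message body.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: Optional[str]
    host: str
    fields: list
    truncated: bool  # True when fewer fields arrived than expected

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> tuple:
    """Split an RFC 3164 PRI value into (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_event(line: str, delimiter: str = "tab",
                expected_fields: Optional[int] = None) -> SyslogEvent:
    """Parse one syslog line as sent with the given SMS Delimiter setting."""
    match = HEADER_RE.match(line.rstrip("\r\n"))
    if match is None:
        raise ValueError("line has no RFC 3164 header")
    facility, severity = decode_pri(int(match["pri"]))
    fields = match["msg"].split(DELIMITERS[delimiter])
    truncated = expected_fields is not None and len(fields) < expected_fields
    return SyslogEvent(facility, severity, match["ts"], match["host"], fields, truncated)


def matches_filter(event: SyslogEvent, facility: str, severity: str) -> bool:
    """Mirror the Facility and Severity settings: keep only exact matches."""
    return event.facility_name == facility and event.severity_name == severity


# Constructed samples (not real SMS output). <134> = local0.info with a
# header timestamp and tab delimiter; <131> = local0.err with Timestamp set
# to None, pipe delimiter, and one field missing as UDP loss would leave it.
SAMPLE_TAB = "<134>Jan 12 10:05:01 sms01 1001\tBlock\t10.0.0.5\thttp://example.test/?q=1"
SAMPLE_PIPE = "<131>sms01 1002|Permit|10.0.0.6"


if __name__ == "__main__":
    for line, delim in ((SAMPLE_TAB, "tab"), (SAMPLE_PIPE, "pipe")):
        ev = parse_event(line, delim, expected_fields=4)
        print(ev.facility_name, ev.severity_name, ev.timestamp, ev.host,
              ev.fields, "TRUNCATED" if ev.truncated else "")
```

Passing `expected_fields` turns the UDP caveat into something measurable: a collector can count truncated events per source and treat a non-zero rate as the signal to move that sender to TCP or Encrypted TCP.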

Procedure:

  1. Log in to the SMS from a client.
  2. On the SMS toolbar, navigate to the Admin > Server Properties tab.
  3. Select the Management tab.
  4. In the Remote Syslog for Events area, click Add.
  5. The Edit Syslog Notification Settings dialog box is displayed.
  6. Enter the required information:
    • Enable: select this option to enable the syslog notification.
    • Syslog Server: enter the hostname or IP address of the remote syslog server.
    • Protocol: select UDP, TCP, or Encrypted TCP.
    • Certificate: select the certificate to use if Encrypted TCP is selected.
    • Port: enter the listening port number of the server above.
    • Log Type: from the drop-down menu, select a log type format.
    • Event Query: from the drop-down menu, select an event query.
    • Facility: from the drop-down menu, select a facility.
    • Severity: from the drop-down menu, select a severity.
    • Delimiter: from the drop-down menu, select a delimiter.
  7. Optionally, select the desired header information.
  8. Click OK.