Note: Designating a remote system log (SYSLOG) server does not automatically send notifications to that server. You must select the Remote System Log contact for action sets. After you apply these changes, active filters associated with the modified action set will send remote messages to the designated server.
Procedure:
- Log in to the SMS from a client.
- On the SMS Tool bar select the Admin icon.
- On the SMS navigation pane select the Server Properties page.
- On the Server Properties page select the Syslog tab.
The top section of the Syslog panel lists the pre-defined Syslog formats available. These formats are not user configurable. If a custom format is required, you can copy one of the pre-configured formats and edit the copy. The bottom section of the Syslog panel displays the remote Syslog servers configured, if any.
- On the bottom section of the Syslog panel click the New button. The Create Remote Syslog Notification Settings dialog box displays.
- In the Syslog Server box enter the IP address of the remote collector.
- Click on Log Type and from the dropdown box select the ArcSight CEF Format v4.2 entry.
- Click on Facility and from the dropdown box select the Security/Authorization entry.
This option sends IPS events to the remote Syslog server. If you also need to send SMS audit events, create a separate Remote Syslog Notification Setting for them using the Log Audit facility. The System Daemons facility relates to the SMS daemons and is used to capture the health events of the SMS itself.
- Click OK when completed.
For customers on SMS v4.1 and earlier:
The SMS syslog format "ArcSight CEF" found in SMS 4.1 and earlier has swapped or missing fields. As a result, the ArcSight connector does not receive the expected data.
Workaround: To correct this issue, the ArcSight CEF Format configuration on the SMS needs to be manually modified by adding a "dvchost" entry and changing the value of the "cs5" field.
Procedure:
- From the SMS client software navigate to Admin → Server Properties → Syslog.
- From the Syslog Formats section select the appropriate Syslog entry (ArcSight CEF Format).
- Press "Copy" to copy the desired Syslog format. The "Edit" Syslog Format screen displays.
- Name the new Syslog format.
- In the "Pattern" window, find the entry "cs5=${deviceName}" and change the entry to "cs5=SMS Name" where "SMS Name" is the simple DNS host name (not FQDN) of the SMS server sending the data to the ArcSight connector.
- In the "Pattern" window, find the entry "cs5Label=Device Name" and change the entry to "cs5Label=SMS Name".
- While still in the "Pattern" window, add the entry "dvchost=${deviceName}" to the new format.
- In the Remote Syslog for Events section, create a new Syslog server, select the newly created Syslog format and point it to the ArcSight Connector.
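As an added example (not part of the original article or of the SMS product), the Python below applies the cs5/dvchost edit from the procedure to a constructed stand-in for the SMS CEF pattern, renders a constructed IPS event through both the original and the edited pattern, and parses the resulting CEF extension to show what the ArcSight connector would actually receive. The template text beyond the two edited fields, the sample event values and all function names are assumptions.

```python
import re

# Constructed stand-in for the SMS 4.1 "ArcSight CEF Format" pattern. The
# article names only the two fields it edits; the rest of this template is assumed.
ORIGINAL_PATTERN = (
    "CEF:0|TippingPoint|SMS|${smsVersion}|${signatureID}|${signatureName}|"
    "${severity}|src=${srcAddr} dst=${dstAddr} "
    "cs5=${deviceName} cs5Label=Device Name"
)

# Constructed sample IPS event, standing in for the values the SMS fills in at send time.
SAMPLE_EVENT = {
    "smsVersion": "4.1", "signatureID": "1234", "signatureName": "Example Filter",
    "severity": "5", "srcAddr": "10.0.0.5", "dstAddr": "10.0.0.9",
    "deviceName": "ips-edge-1",
}

# key=value pairs; a value runs until the next " key=" token so values may contain spaces
EXT_KV = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def fix_cef_pattern(pattern: str, sms_host: str) -> str:
    """Apply the workaround from the procedure: cs5 carries the SMS host name,
    cs5Label is relabelled, and the IPS device name moves into dvchost."""
    if "." in sms_host:  # the procedure asks for the simple host name, not the FQDN
        raise ValueError("use the simple DNS host name of the SMS, not the FQDN")
    fixed = pattern.replace("cs5=${deviceName}", f"cs5={sms_host}")
    fixed = fixed.replace("cs5Label=Device Name", "cs5Label=SMS Name")
    if "dvchost=" not in fixed:
        fixed += " dvchost=${deviceName}"
    return fixed


def render(pattern: str, event: dict) -> str:
    """Substitute ${name} placeholders with event values, as the SMS does when sending."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(event[m.group(1)]), pattern)


def parse_cef_extension(message: str) -> dict:
    """Return the CEF extension (text after the seventh '|') as a dict."""
    parts = message.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    return dict(EXT_KV.findall(parts[7]))


def arcsight_ready(message: str) -> bool:
    """True when the collector gets the IPS device in dvchost and the SMS host in cs5."""
    ext = parse_cef_extension(message)
    return "dvchost" in ext and ext.get("cs5Label") == "SMS Name" and bool(ext.get("cs5"))
```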