Configuring the IPS/TPS for a Remote SYSLOG server!

    • Updated:
    • 1 Sep 2017
    • Product/Version:
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint NGFW All
    • TippingPoint SecBlade All
    • TippingPoint TPS All
    • TippingPoint Virtual TPS All
Summary

Remote System Log

Designating a remote system log as the notification contact sends messages to a syslog server on your network. This is a default contact available in all IPS/TPS action sets. Before using this contact, configure the IP address and port for the syslog server.

CAUTION: Remote syslog, in adherence to RFC 3164, sends clear text log messages using the UDP protocol with no additional security protections. You should only use remote syslog on a secure, trusted network to prevent syslog messages from being intercepted, altered, or spoofed by a third party.

Alert Aggregation and the Aggregation Period - The IPS uses Alert Aggregation to prevent system performance problems resulting from an excessive number of notification requests. Because a single packet can trigger an alert, attacks with large numbers of packets could potentially flood the alert mechanism used to send out notifications. Alert aggregation allows you to receive alert notifications at intervals to prevent this flooding. For example, if the aggregation interval is 5 minutes, the system sends an alert at the first IPS filter trigger, then collects subsequent alerts and sends them out every five minutes. On the IPS, alert aggregation is controlled by the aggregation period that you configure when you create a notification contact. This setting is required for all notification contacts.

CAUTION: Short aggregation periods can significantly affect system performance. The shorter the aggregation period, the higher the system load. In the event of a flood attack, a short aggregation period can lead to system performance problems.

Details

Procedure

  1. On the LSM:
    • For IPS: click IPS > Notification Contacts.
    • For TPS: click Policy > Notification Contacts.
  2. On the Notification Contacts page, click Remote System Log.
  3. Enter the remote system log's host IP address and port number.
  4. Select an Alert Facility and a Block Facility: none or select from a range of 0 to 31. The syslog server uses these numbers to identify the message source.
  5. Select a Delimiter for the generated logs: tab, comma, semicolon, or bar.
  6. Enter a Remote system log aggregation period in minutes.
  7. Click Add to table below to add the remote syslog server.
  8. Repeat steps 3-7 to add additional remote system log servers.
  9. Click Save to save the changes.
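As an added example (not from the Local Security Manager User's Guide or the product), here is the receiving side of the contact configured above: a small Python parser that recovers facility and severity from the RFC 3164 PRI header, classifies each record as alert or block by the facilities chosen in step 4, and splits the body on the delimiter chosen in step 5. The facility numbers, the delimiter and the sample datagrams are constructed assumptions, not the IPS/TPS's real message layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 3164 PRI header "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Facilities picked in step 4 (hypothetical choices; the LSM allows "none" or 0-31).
ALERT_FACILITY = 16   # local0
BLOCK_FACILITY = 17   # local1
# The four delimiters offered in step 5 and the character each one produces.
DELIMITERS = {"tab": "\t", "comma": ",", "semicolon": ";", "bar": "|"}

@dataclass
class SyslogRecord:
    facility: int
    severity: int
    kind: str          # "alert", "block" or "other"
    fields: List[str]  # message body split on the configured delimiter

def parse_record(raw: str, delimiter: str = "bar") -> Optional[SyslogRecord]:
    """Parse one RFC 3164 datagram; return None if it has no PRI header."""
    m = PRI_RE.match(raw)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    if facility == ALERT_FACILITY:
        kind = "alert"
    elif facility == BLOCK_FACILITY:
        kind = "block"
    else:
        kind = "other"     # another host sharing the same syslog server
    # The first field still carries the RFC 3164 timestamp and hostname.
    fields = [f.strip() for f in m.group(2).split(DELIMITERS[delimiter])]
    return SyslogRecord(facility, severity, kind, fields)

def count_by_kind(raw_lines: List[str], delimiter: str = "bar") -> Dict[str, int]:
    """Tally datagrams by source so alert floods or junk on the port stand out."""
    counts = {"alert": 0, "block": 0, "other": 0, "invalid": 0}
    for line in raw_lines:
        rec = parse_record(line, delimiter)
        counts[rec.kind if rec else "invalid"] += 1
    return counts

# Constructed samples with the "bar" delimiter; field layout is illustrative, not the real IPS/TPS format.
SAMPLE = [
    "<133>Sep  1 12:00:01 ips01 10|HTTP: Example Filter|192.0.2.10|203.0.113.5",
    "<140>Sep  1 12:00:03 ips01 11|Block: Example Filter|192.0.2.11|203.0.113.5",
    "<13>Sep  1 12:00:05 host42 unrelated local message",
    "not a syslog datagram at all",
]
```

Because the transport is clear-text UDP (see the CAUTION above), anything reaching the port is parsed as-is, so the "invalid" and "other" tallies are worth watching on a receiver that is supposed to hear only the IPS/TPS.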

Reference: Local Security Manager User's Guide

Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000088717