Remote System Log
Designating a remote system log as the notification contact sends messages to a syslog server on your network. This is a default contact available in all IPS/TPS action sets. Before using this contact, configure the IP address and port for the syslog server.
CAUTION: Remote syslog, in adherence to RFC 3164, sends clear text log messages using the UDP protocol with no additional security protections. You should only use remote syslog on a secure, trusted network to prevent syslog messages from being intercepted, altered, or spoofed by a third party.
Alert Aggregation and the Aggregation Period - The IPS uses Alert Aggregation to prevent system performance problems caused by an excessive number of notification requests. Because a single packet can trigger an alert, an attack consisting of many packets could flood the mechanism that sends out notifications. Alert aggregation lets you receive alert notifications at fixed intervals instead. For example, with an aggregation interval of 5 minutes, the system sends a notification on the first IPS filter trigger, collects the triggers that follow, and sends them out together every five minutes. On the IPS, alert aggregation is controlled by the aggregation period that you set when you create a notification contact. This setting is required for all notification contacts.
CAUTION: Short aggregation periods can significantly affect system performance. The shorter the aggregation period, the higher the system load. In the event of a flood attack, a short aggregation period can lead to system performance problems.
1. On the LSM:
   - For IPS: click IPS > Notification Contacts.
   - For TPS: click Policy > Notification Contacts.
2. On the Notification Contacts page, click Remote System Log.
3. Enter the remote system log's host IP address and port number (UDP port 514 is the syslog default).
4. Select an Alert Facility and a Block Facility: none, or a value from 0 to 31. The syslog server uses these numbers to identify the message source, so choosing different facilities for alerts and blocks lets the server route or filter the two independently. Note that RFC 3164 defines facilities 0 to 23 only (local0 through local7 are 16 to 23); a value above 23 produces a PRI outside the RFC range, which some syslog servers reject.
5. Select a Delimiter for the generated logs: tab, comma, semicolon, or bar.
6. Enter a Remote system log aggregation period in minutes.
7. Click Add to table below to add the remote syslog server.
8. Repeat steps 3-7 to add additional remote system log servers.
9. Click Save to save the changes.
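The following is an added example, not code from the Local Security Manager User's Guide or from the TippingPoint appliance. It models the two technical points on this page: the aggregation-period behaviour (first trigger notified at once, later triggers collected and sent once per period while they keep arriving, a quiet period resetting the contact) and what the remote syslog server actually receives from such a contact, an RFC 3164 line whose <PRI> is facility * 8 + severity followed by a delimited body. The host name "ips01", the "ips:" tag, the filter names and the body layout (filter, hit count, action) are hypothetical stand-ins; the page does not document the appliance's real message format, and the exact flush timing is an interpretation of the paragraph above.

```python
"""Added example (not from the LSM User's Guide or TippingPoint code).
Models alert aggregation for a Remote System Log contact and the RFC 3164
framing the syslog server sees. Body layout and names are hypothetical."""
import re
import socket
from datetime import datetime, timedelta

SEVERITY_ALERT = 1          # RFC 3164 severity code for "Alert"
MAX_FACILITY = 23           # RFC 3164 defines facilities 0..23, so PRI <= 191


def syslog_pri(facility: int, severity: int = SEVERITY_ALERT) -> int:
    """Encode the RFC 3164 PRI value. The LSM form accepts 0..31, but a
    facility above 23 yields a PRI the RFC does not allow, so reject it."""
    if not 0 <= facility <= MAX_FACILITY:
        raise ValueError(f"facility {facility} is not a valid RFC 3164 facility")
    if not 0 <= severity <= 7:
        raise ValueError(f"severity {severity} out of range")
    return facility * 8 + severity


def format_message(facility, hostname, filter_name, count, action, delimiter, ts):
    """Build one RFC 3164 line; the body fields are a hypothetical layout."""
    timestamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # RFC 3164 "Mmm dd hh:mm:ss"
    body = delimiter.join([filter_name, str(count), action])
    return f"<{syslog_pri(facility)}>{timestamp} {hostname} ips: {body}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_message(line: str):
    """Receiver side: split a line into (facility, severity, rest) so the
    server can route by the Alert/Block facility chosen in the LSM."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> prefix")
    pri = int(m.group(1))
    if pri > MAX_FACILITY * 8 + 7:
        raise ValueError(f"PRI {pri} exceeds 191")
    facility, severity = divmod(pri, 8)
    return facility, severity, line[m.end():]


class AlertAggregator:
    """Aggregation period of one notification contact.
    send(now, filter_name, count) is called for every notification emitted."""

    def __init__(self, period_seconds, send):
        self.period = period_seconds
        self.send = send
        self.window_start = None    # None: no aggregation period is open
        self.pending = {}           # filter name -> triggers collected so far

    def tick(self, now):
        """Run on a timer and before each trigger: close an elapsed period
        and send whatever was collected during it."""
        if self.window_start is None or now - self.window_start < self.period:
            return
        if self.pending:
            for name, n in sorted(self.pending.items()):
                self.send(now, name, n)
            self.pending = {}
            self.window_start = now       # flood continues: keep batching
        else:
            self.window_start = None      # quiet period: next hit goes at once

    def trigger(self, now, filter_name):
        """An IPS filter fired at time `now` (seconds)."""
        self.tick(now)
        if self.window_start is None:
            self.send(now, filter_name, 1)    # first trigger is sent immediately
            self.window_start = now
        else:
            self.pending[filter_name] = self.pending.get(filter_name, 0) + 1


def send_udp(host, port, line):
    """Deliver one line to the syslog server: plain UDP, as the CAUTION notes."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))


def simulate(period_seconds=300, facility=16, delimiter="|"):
    """Replay a constructed burst of filter hits (facility 16 = local0) and
    return the syslog lines the contact would emit, without sending them."""
    base = datetime(2024, 1, 1, 0, 0, 0)
    out = []

    def send(now, name, count):
        ts = base + timedelta(seconds=now)
        out.append(format_message(facility, "ips01", name, count, "Block", delimiter, ts))

    agg = AlertAggregator(period_seconds, send)
    # Constructed traffic: a burst on filterA, one hit on filterB, then quiet.
    for t, name in [(0, "filterA"), (10, "filterA"), (20, "filterA"),
                    (30, "filterA"), (40, "filterB")]:
        agg.trigger(t, name)
    agg.tick(300)                 # period ends: collected hits go out together
    agg.trigger(310, "filterA")   # still batching while the flood continues
    agg.tick(900)                 # next flush
    agg.tick(1300)                # a quiet period closes the window
    agg.trigger(1301, "filterB")  # so this one is sent immediately again
    return out


if __name__ == "__main__":
    for line in simulate():
        print(line, "->", parse_message(line))
```

Running it shows one immediate line for the first hit, then a single batched line per filter at the end of each five-minute window, and an immediate line again after a quiet window; the same `parse_message` split is what a receiver would use to separate Alert and Block traffic by facility. With period_seconds set very low the aggregator degenerates to one send per trigger, which is the load problem the CAUTION above warns about.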
Reference: Local Security Manager User's Guide