How do I add a SYSLOG server to the SMS?

    • Updated: 19 Oct 2017
    • Product/Version: TippingPoint SMS All, TippingPoint Virtual SMS
Summary
The Security Management System (SMS) server gathers syslog events from monitored devices, which in turn log information about a variety of conditions and operational state changes. You can configure the SMS server to send a copy of these events to other systems. In the Remote Syslog for Events area, you can define remote servers to which you want syslog events to be sent. You can also edit remote server information as well as delete a remote server. To control the number of SMS events that are sent to a remote syslog server, SMS allows you to use a filter to direct a subset of the SMS events to a remote syslog server. Additionally, when you initially configure a connection to a remote syslog server you can choose to only send future events, excluding what could be a sizeable number of historical events.
Details
Setting: Description
Syslog Server: Hostname or IP address of the remote syslog server.
Protocol: Transport protocol used in sending event notifications to the remote syslog server. Valid options are UDP, TCP, and Encrypted TCP.

Note:
When URI information that includes URI strings is sent using the UDP protocol, data loss can result. For best results in logging URI string information, use either the TCP or Encrypted TCP protocol.
Port: Port on the remote syslog server used for communicating syslog events.
Log Type: Syslog format the SMS uses when sending event notifications to the remote syslog server. The format varies depending on the version of the SMS and the event itself. The format is important because the receiving server must know how to interpret the data. The SMS provides the following syslog format options:
  • SMS System: SMS system logging
  • SMS Audit: SMS audit logging
  • Device System: Device system logging
  • Device Audit: Device audit logging
  • Snort Syslog (MARS) [Deprecated]: Send Snort-configured-for-MARS events
  • Snort Syslog V2 [Deprecated]: Send Snort Version 2 events
  • SMS 2.0 / 2.1 Syslog Format: Send SMS v2.0 / 2.1 log events
  • SMS 2.5 Syslog Format: Send SMS v2.5 log events
  • ArcSight CEF Format v3.5 [Deprecated]: Send events to an ArcSight connector (Deprecated – does not support IPv6)
  • ArcSight CEF Format v4.1 [Deprecated]: Send events to an ArcSight connector (Deprecated – adds HTTP context information and IPv6 support)
  • ArcSight CEF Format v4.2: Send events to an ArcSight connector (Recommended – adds HTTP context information, TCIP/XFF client IP, and user information)
Note: SMS and device syslog formats cannot be modified.
Event Query: Determines whether the SMS sends all events or a select set of events to the remote syslog server.
Facility: Limits the events sent to the remote syslog server to a specific facility level. Facilities are defined by the BSD Syslog Protocol. Refer to RFC 3164.
Severity: Limits the events sent to the remote syslog server to events that match the specified severity.
Delimiter: Determines the character the SMS uses as a delimiter for event data in the syslog. Options include tab, comma, semi-colon, pipe, or space.
Timestamp: Determines the timestamp the SMS includes in the headers of messages sent to the remote syslog server:
  • None – No timestamp is included in the message header
  • SMS current timestamp – Timestamp when the SMS sends the message to the remote syslog server
  • Event timestamp – Original timestamp of the event that is being reported
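
On the receiving server, the Facility, Severity, Delimiter, and Timestamp settings decide how each forwarded message has to be decoded. The following is an added example, not Trend Micro code: it decodes the RFC 3164 priority value, tolerates a missing timestamp header, and splits the payload on the configured delimiter. The function names and sample messages are constructed, and the field layout is not taken from any SMS log type, so fields are returned by position only.

```python
import re

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Delimiter options listed for the SMS Delimiter setting.
DELIMITERS = {"tab": "\t", "comma": ",", "semi-colon": ";", "pipe": "|", "space": " "}

_PRI = re.compile(r"^<(\d{1,3})>")
# RFC 3164 timestamp ("Mmm dd hh:mm:ss"); absent when Timestamp is set to None.
_TS = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) ")

def parse_forwarded_event(line, delimiter="pipe"):
    """Decode one received message into facility, severity, timestamp, fields."""
    m = _PRI.match(line)
    if not m or int(m.group(1)) > 191:   # 191 = facility 23 * 8 + severity 7
        raise ValueError("missing or invalid <PRI> header")
    pri = int(m.group(1))
    rest = line[m.end():]
    timestamp = None
    ts = _TS.match(rest)
    if ts:
        timestamp, rest = ts.group(1), rest[ts.end():]
    return {
        "facility": FACILITIES[pri // 8],   # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri % 8],
        "timestamp": timestamp,
        "fields": rest.rstrip("\r\n").split(DELIMITERS[delimiter]),
    }

def config_mismatches(event, facility, severity):
    """List settings where a received event differs from what the SMS was
    configured to send (hypothetical receiver-side sanity check)."""
    expected = {"facility": facility, "severity": severity}
    return [k for k, v in expected.items() if event[k] != v]

# Constructed sample messages (not real SMS output).
WITH_TS = "<134>Oct 19 14:03:22 7|1|example-filter|10.0.0.5"
NO_TS = "<131>a,b,c"
```
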

Procedure:

  1. Log in to the SMS from a client.
  2. On the SMS toolbar, navigate to the Admin > Server Properties tab.
  3. Select the Management tab.
  4. In the Remote Syslog for Events area, click Add.
  5. The Edit Syslog Notification Settings dialog box displays.
  6. Enter the required information:
    • Enable: enable the Syslog format.
    • Syslog Server: enter the IP address of the remote Syslog Server.
    • Protocol: select UDP, TCP, or Encrypted TCP.
    • Certificate: applies only if Encrypted TCP is selected.
    • Port: enter the listening Port number for the above server.
    • Log Type: from the drop-down menu, select a log type format.
    • Event Query: from the drop-down menu, select an Event Query.
    • Facility: from the drop-down menu, select a Facility.
    • Severity: from the drop-down menu, select a Severity.
    • Delimiter: from the drop-down menu, select a Delimiter.
  7. Optionally, select the desired header information.
  8. Click OK.
Category: Configure; Troubleshoot; Deploy
Solution Id: TP000091916