Adding Devices


Add a device in the user interface using any one of the menu options described below.

Adding different device types

Adding Device Groups

You can group your devices into a particular Device Group. The default device groups are Windows Group, Unix Group and Default Group (which contains all the devices). To add a new device group, click on the Add link beside the Device Groups field in the Device Group Management page, where you can also manage the existing device groups.

Adding Windows devices

On all Windows devices, ensure that WMI and DCOM are enabled, and that logging is enabled for the respective modules/objects. To forward Windows event logs in syslog format, use a third-party utility such as SNARE.
To add a domain or to update a domain or workgroup, refer to the Domains and Workgroups topic.


1. Select the domain from the drop down menu. The Windows devices in the selected domain will be automatically discovered and listed.
2. Select the device(s) by clicking on the respective checkbox(es). You can easily search for a device using the search box or by filtering based on the OU using OU Filter.
3. Click on the Add button to add the device(s) for monitoring.


You can add a device from a workgroup by clicking on the Add workgroup device link. This lists the devices in your workgroups.

1. Choose the workgroup from the Select Workgroup drop down menu.
2. Select the device(s) by clicking on the respective checkbox(es).
3. Click on the Add button to add the device(s) for monitoring.

Note: You can update, reload and delete a workgroup by clicking on the respective icons next to the Select Domain drop down menu.

Optionally, you can add the device manually by clicking on the Configure Manually link.

1. Enter the Device name or IP address. You can add the device as a Syslog device by clicking the Add as Syslog device checkbox.
2. Enter the Username and Password with administrator credentials, and click on the Verify login link.
3. Click on the Add button to add the device for monitoring.

Caution: If EventLog Analyzer has been installed on a UNIX machine, it cannot collect event logs from Windows devices over WMI. However, a third-party agent can be used to convert the Windows event logs to syslog and forward them to EventLog Analyzer.

 

Adding Syslog Devices

In the Device Management page, navigate to the Syslog Devices tab and click on the +Add Device(s) button.

Enter the device name or IP address in the Device(s) field and click on the Add button. Alternatively, follow the steps below to automatically discover and add the Syslog devices in your network:

1. Click on the Discover & Add link in the Add Syslog Devices window. You can discover the Syslog devices in your network based on an IP range (Start IP to End IP) or a CIDR block.
2. Enter the Start IP and End IP or the CIDR range to scan.
3. Pick the SNMP credentials to use for discovery. By default, the public SNMP community string is offered. It is a well-known vendor default that only works on devices still configured with it, so use the read-only credential actually configured on your devices.
4. You may also add an SNMP credential by clicking on the +Add Credential button. Once you have picked the SNMP credential, click on the Scan button to discover the Syslog devices in the specified IP or CIDR range.
5. Select the device(s) by clicking on the respective checkbox(es). You can search for a device using the search box or filter by Device Type and Vendor.
6. Click on the Add Device(s) button to add the devices for monitoring.

Once a Unix device has been added, you will be prompted to Configure Auto Log Forward.
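How a Discover & Add scan like the one above finds its candidates, as an added example that is not part of EventLog Analyzer or of this page: a POSIX shell script that expands a CIDR block into host addresses and queries sysDescr.0 and sysName.0 from each of them over SNMPv2c. It assumes net-snmp's snmpget is installed on the machine running it; the community string you pass to discover is specific to your environment, and 192.0.2.0/30 in the usage line is a documentation range.

```shell
#!/bin/sh
# Added example, not part of EventLog Analyzer: SNMP sweep over a CIDR block.
# Requires net-snmp (snmpget). Pure shell arithmetic, no bashisms.

ip2int() {
    # dotted quad -> 32-bit integer (e.g. 10.0.0.1 -> 167772161)
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_hosts() {
    # Print the usable host addresses of a.b.c.d/n, one per line. Network and
    # broadcast addresses are skipped except for /31 and /32.
    case "$1" in */*) ;; *) echo "usage: cidr_hosts a.b.c.d/n" >&2; return 2 ;; esac
    prefix=${1#*/}
    base=$(ip2int "${1%/*}")
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( base & mask ))
    size=$(( 1 << (32 - prefix) ))
    if [ "$prefix" -ge 31 ]; then
        first=$net; last=$(( net + size - 1 ))
    else
        first=$(( net + 1 )); last=$(( net + size - 2 ))
    fi
    i=$first
    while [ "$i" -le "$last" ]; do
        int2ip "$i"
        i=$(( i + 1 ))
    done
}

snmp_probe() {
    # $1 = community, $2 = host. Prints "host<TAB>sysName<TAB>sysDescr" when the
    # host answers SNMPv2c; 1 second timeout and no retries keep a sweep quick.
    descr=$(snmpget -v2c -c "$1" -Oqv -t 1 -r 0 "$2" 1.3.6.1.2.1.1.1.0 2>/dev/null) || return 1
    name=$(snmpget -v2c -c "$1" -Oqv -t 1 -r 0 "$2" 1.3.6.1.2.1.1.5.0 2>/dev/null) || name='?'
    printf '%s\t%s\t%s\n' "$2" "$name" "$descr"
}

discover() {
    # $1 = the read-only community actually configured on your devices ("public"
    # is only the vendor default and is what you want to have changed), $2 = CIDR.
    for h in $(cidr_hosts "$2"); do
        snmp_probe "$1" "$h"
    done
    return 0
}

# usage: discover 'my-ro-community' 192.0.2.0/30
```

Hosts that answer are the ones worth selecting in the Discover & Add list; a host that does not answer SNMP may still be able to send syslog, it just cannot be found this way and has to be added by name or address.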

 

Adding Common Event Format (CEF) Devices

1. Login to the application or device which supports the CEF log format.
2. Go to the syslog server configuration.
3. In the field for Log Format, select CEF Format.
4. In the Syslog Server IP address field, enter the <EventLog Analyzer IP address>.
5. Enter the syslog port and save the configuration.


Adding Other Devices

In the Device Management page, navigate to the Other Devices tab and select the device type as required.

1. Select the Device Type as ESXi or IBM AS/400.
2. Enter the Device Name.
3. Specify the Syslog Port No.
4. Click on the Add button to add the device for monitoring.


Adding IBM iSeries (AS/400) devices

 

Allow connections from EventLog Analyzer to ports 446-449, 8470-8476 and 9470-9476 on the IBM AS/400 machines; EventLog Analyzer connects to the AS/400 host servers on these ports to fetch the logs.
In the Device Management page, navigate to the Other Devices tab and click on the Add Device(s) button. This will open the Add Device(s) window.

  1. Choose the Device type as IBM AS/400.
  2. Use the Device Name box to type a single device name, or a list of device names separated by commas.
  3. Specify the Monitor Interval to configure the frequency at which EventLog Analyzer should fetch logs from the IBM AS/400 machines. The default (and minimum) monitor interval is 10 minutes.
  4. Enter credentials (Login Name and Password) with admin privileges. Verify the login using the 'Verify Login' link beside the password field.
  5. Select the Date Format and the Delimiter. This is the date format used in the logs that will be collected from the IBM AS/400 devices.
  6. Once you are done, click Add and Close to add this device and return to the list of monitored devices, or click Add to add this device and then add more devices.

    To import the SSL certificate, follow the steps below:

    1. Save the SSL certificate in the location C:\test.cer.
    2. In the command prompt, navigate to <installation folder>.
    3. Run the command keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\test.cer
    4. Provide the keystore password when prompted. The default password is changeit.
    5. To trust the certificate, answer yes at the prompt.
    6. Restart the EventLog Analyzer server. The certificate will be successfully added.

 

Note: The credentials provided must have an authority level of 50. Otherwise, EventLog Analyzer will not be able to login to fetch History logs from these devices.

 

Adding VMware (ESXi) devices

  1. In the Device Management window, navigate to the Other Devices tab and select the device type as ESXi. Add the VMware device as per the steps given above.

  2. Configure the syslog daemon on the VMware device as described under Configuring the Syslog Service on VMware below.

Adding Oracle Application Server

 

Oracle Server Configuration

Reference: http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/auditing.htm#CEGBIIJD

 

For Oracle server installed on a Windows platform:

ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;

For Oracle server installed on a Unix platform:

To enable Oracle syslog auditing, follow the procedure given below:

  1. Change the audit parameters using the command below:
    ALTER SYSTEM SET AUDIT_TRAIL=OS SCOPE=SPFILE;
  2. Manually add and set the AUDIT_SYSLOG_LEVEL parameter in the initialization parameter file, initsid.ora.

The AUDIT_SYSLOG_LEVEL parameter is set to specify a facility and priority in the format AUDIT_SYSLOG_LEVEL=facility.priority.

facility: Describes the part of the operating system that is logging the message. Accepted values are user, local0–local7, syslog, daemon, kern, mail, auth, lpr, news, uucp, and cron.

The local0–local7 values are predefined tags that enable you to sort the syslog message into categories. These categories can be log files or other destinations that the syslog utility can access. To find more information about these types of tags, refer to the syslog utility MAN page.

priority: Defines the severity of the message. Accepted values are notice, info, debug, warning, err, crit, alert, and emerg.

The syslog daemon compares the value assigned to the facility argument of the AUDIT_SYSLOG_LEVEL parameter with the syslog.conf file to determine where to log information.

For example, the following statement identifies the facility as local1 with a priority level of warning:

AUDIT_SYSLOG_LEVEL=local1.warning

See Oracle Database Reference for more information about AUDIT_SYSLOG_LEVEL.

  3. Log in to the machine that contains the syslog configuration file, /etc/syslog.conf, with superuser (root) privilege.

  4. Add the audit file destination to the syslog configuration file /etc/syslog.conf.

For example, assuming you had set AUDIT_SYSLOG_LEVEL to local1.warning, enter the following:

local1.warning /var/log/audit.log

This setting logs all local1 messages of priority warning and above to the /var/log/audit.log file. To send the same records to EventLog Analyzer, add a second line with the same selector whose action is the EventLog Analyzer server, as described under Configuring the Syslog Service on a UNIX device below.

  5. Restart the syslog logger:

$ /etc/rc.d/init.d/syslog restart

Now all audit records will be captured in the file /var/log/audit.log through the syslog daemon.

  6. Restart the Oracle server so that the changes take effect.

Note: When logged in as SYSDBA/SYSOPER, the Oracle database provides limited information for database activity monitoring. Hence, to get the complete audit trail of Oracle database activity, we suggest that you log in as a user with privileges other than SYSDBA/SYSOPER.

 

Adding Print Servers

To configure Print Servers for which you want to monitor the logs carry out the procedure given below.

Print Server Configuration

Enable Print Server Log: Go to Event Viewer > Applications and Services Logs > Microsoft > Windows > PrintService. Right click on the Admin, Debug or Operational channel and select 'Enable Log'. This enables logging for the corresponding channel, and the logs can be viewed in Event Viewer.

Note: If the print server device is a 64-bit Windows OS machine (i.e., Windows Vista and above), carry out the following registry configuration:
  • Open the registry editor (regedit) on the print server machine.
  • Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
  • To create a new key, right click on eventlog and click New > Key. Name the key Microsoft-Windows-PrintService/Operational, Microsoft-Windows-PrintService/Admin or Microsoft-Windows-PrintService/Debug, according to the channel you enabled.
  • For instance, to collect the Operational channel, create a new key with the name Microsoft-Windows-PrintService/Operational.

This will convert the log type to 'Administrative', enabling you to perform searches and generate reports on these logs.

This configuration is not required for 32-bit Windows OS versions.

In order to obtain the document name in the print events, enable the audit policy:

Computer Configuration > Administrative Templates > Printers > Allow job name in event logs

(or) set it directly in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows NT\Printers] "ShowJobTitleInEventLogs"=dword:00000001

Adding Terminal Servers
 

In the Settings Configurations page, under Manage Application Sources, click on Add live device (or) navigate to the Home tab > Applications > Actions: +Terminal.

  • The Configure App Server page opens.
  • Enter the name of the device. You can use the Existing Device link to pick a device that has already been added.
  • Choose the Application Type as Terminal.
  • Click on the Add button.
  • After adding the Terminal Server in EventLog Analyzer, carry out the configuration given below on your Terminal Server.

Configuring Terminal Server: Open Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices-Gateway > Operational, right click and select 'Enable Log'. This enables logging for the Gateway Operational channel, and the logs can be viewed in Event Viewer.

Note: If the terminal server device is a 64-bit Windows OS machine (i.e., Windows Vista and above), carry out the following registry configuration:

  • Open the registry editor (regedit) on the Terminal Server machine.
  • Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\
  • To create a new key, right click on eventlog and click New > Key. Name the key Microsoft-Windows-TerminalServices-Gateway/Operational.

This will convert the log type to 'Administrative', enabling you to perform searches and generate reports on these logs.

The above configuration is not required for 32-bit Windows OS versions.

 

Enabling Windows Firewall Logs

To monitor the Windows Firewall logs, first add the Windows device from which the Firewall logs are to be collected.

For EventLog Analyzer to collect Windows Firewall logs, you must modify the local audit policy of the added Windows device and enable all firewall related events. To do this, follow the procedure below:

  1. Open an elevated command prompt (auditpol requires administr­ator rights).

  2. Execute the following commands to enable logging of all firewall-related events:
    auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC rule-level policy change" /success:enable /failure:enable
    auditpol.exe /set /category:"Policy Change" /subcategory:"Filtering Platform policy change" /success:enable /failure:enable
    auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Main Mode" /success:enable /failure:enable
    auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
    auditpol.exe /set /category:"Logon/Logoff" /subcategory:"IPsec Extended Mode" /success:enable /failure:enable
    auditpol.exe /set /category:"System" /subcategory:"IPsec Driver" /success:enable /failure:enable
    auditpol.exe /set /category:"System" /subcategory:"Other system events" /success:enable /failure:enable
    auditpol.exe /set /category:"Object Access" /subcategory:"Filtering Platform packet drop" /success:enable /failure:enable
    auditpol.exe /set /category:"Object Access" /subcategory:"Filtering Platform connection" /success:enable /failure:enable

  3. Restart the device (or) force a manual refresh by using the following command: gpupdate /force

Note: If advanced audit policy for the device is managed through Group Policy, these local auditpol settings are overwritten at the next policy refresh; in that case configure the same subcategories in the applicable GPO (Advanced Audit Policy Configuration) instead. The Filtering Platform packet drop and Filtering Platform connection subcategories produce a very high event volume on busy hosts, so enable them deliberately and size the collector accordingly.

 

Enabling Hyper V logging

To monitor Hyper-V logs, add the Windows Server from which the Hyper-V logs are to be collected.

For EventLog Analyzer to collect Hyper-V logs, follow the procedure below on the respective Windows device:

  1. Open Event Viewer.

  2. Go to Applications and Services Logs > Microsoft > Windows.

  3. Right click on the following and select 'Enable Log':
    • Hyper-V-Config
    • Hyper-V-High-Availability
    • Hyper-V-Hypervisor
    • Hyper-V-Integration
    • Hyper-V-SynthFC
    • Hyper-V-SynthNic
    • Hyper-V-SynthStor
    • Hyper-V-VID
    • Hyper-V-VMMS

This will enable logging of Hyper-V logs, and the logs can be viewed in Event Viewer.

To perform searches and generate reports out of these logs, carry out the following registry configuration on the respective Windows machine:

  1. Open the registry editor (regedit).

  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog

  3. Right click on 'eventlog' and create new keys with the following names:
    • Microsoft-Windows-Hyper-V-Config
    • Microsoft-Windows-Hyper-V-High-Availability
    • Microsoft-Windows-Hyper-V-Hypervisor
    • Microsoft-Windows-Hyper-V-Integration
    • Microsoft-Windows-Hyper-V-SynthFC
    • Microsoft-Windows-Hyper-V-SynthNic
    • Microsoft-Windows-Hyper-V-SynthStor
    • Microsoft-Windows-Hyper-V-VID
    • Microsoft-Windows-Hyper-V-VMMS
       

Note: EventLog Analyzer supports log collection from any device which has remote logging capability, via UDP, TCP or TLS. The default UDP ports are 513 and 514, the default TCP port is 514 and the default TLS port is 513 in EventLog Analyzer.

Depending on the requirements in your environment, choose the suitable protocol for log collection. UDP is fire-and-forget and silently loses messages when the network or the collector is busy; TCP and TLS detect a failed delivery, and TLS additionally protects the log stream from being read or altered in transit.


Configuring the Syslog Service on a UNIX device

Note: Take note of the default port numbers used for the different protocols.

Protocol   Default port number
UDP        513 and 514
TCP        514
TLS        513

For TCP based log collection, append the following line at the end of the configuration file, where <eventloganalyzer_server_name> is the name of the machine on which EventLog Analyzer is running (for UDP, use a single @ instead of @@). Save the configuration and exit the editor.

*.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

 

    For TLS based log collection:

    Prerequisites:

      • Enable HTTPS and configure a valid certificate in server.xml (refer to the SSL certificate configuration topic of this documentation).
      • Only the pfx format is supported for storing the certificate; if you use the keystore format, convert it to pfx.

    Using self-signed certificates:

      • After applying a self-signed certificate, a file named ca.crt is created in <EventLogAnalyzer_Home>/Certificates.
      • Use this file as the root certificate when configuring log forwarding on the clients.

    Using other certificates:

      • Obtain the root (CA) certificate from the certificate vendor and use it as the root certificate when configuring log forwarding.

    After checking the prerequisites, append the directives below in <location>. These are rsyslog directives: mode 1 turns TLS on for the action, and x509/name makes rsyslog verify the server certificate chain against <CACertificate> and additionally require the certificate name to match <hostname>, so <hostname> must be the name present in the EventLog Analyzer server certificate.

    $DefaultNetstreamDriverCAFile <CACertificate>
    $ActionSendStreamDriver gtls
    $ActionSendStreamDriverMode 1
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer <hostname>

    *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

    Save the configuration and exit the editor.

    Note: If you want to use a port other than the default ports specified above, specify it in the port management settings.

    Restart the syslog service on the device using the command:

    /etc/rc.d/init.d/syslog restart

    (On systemd based distributions running rsyslog, use systemctl restart rsyslog.)

     

    Note: To configure the syslog-ng daemon on a Linux device, append the following entries at the end of /etc/syslog-ng/syslog-ng.conf. syslog-ng does not parse the *.* @host selector lines used by syslog.conf and rsyslog.conf; it needs a destination statement and a log statement that ties the destination to the existing local source (src below; use the source name already defined in your syslog-ng.conf). <eventloganalyzer_server_name> is the DNS name or IP address of the machine on which EventLog Analyzer is running.

    For UDP based log collection:

    destination d_eventloganalyzer { udp("<eventloganalyzer_server_name>" port(<port_no>)); };
    log { source(src); destination(d_eventloganalyzer); };

    For TCP based log collection:

    destination d_eventloganalyzer { tcp("<eventloganalyzer_server_name>" port(<port_no>)); };
    log { source(src); destination(d_eventloganalyzer); };

    Save the configuration and exit the editor.

    Note: Ensure that the EventLog Analyzer server that you provide is reachable from the Syslog device.

    For TLS based log collection:

    destination d_eventloganalyzer { tcp("<hostname>" port(<port>) tls(ca_dir("<CACertificateDir>"))); };
    log { source(src); destination(d_eventloganalyzer); };

    Here ca_dir() takes a directory holding the root certificate in OpenSSL hashed form (copy ca.crt or the vendor root certificate into the directory and run c_rehash on it), not the certificate file itself, and the destination name in the log statement must match the one given in the destination statement.

    Note: The above configuration will only enable forwarding of machine logs to the EventLog Analyzer server.
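The rsyslog side of the UDP, TCP and TLS procedures above, as an added example that is not part of this page or of EventLog Analyzer: a POSIX shell script that writes the forwarding rule to a drop-in, checks the TLS listener against the CA file before rsyslog is pointed at it, validates the complete rsyslog configuration before restarting, and sends a test line to look for in EventLog Analyzer. The drop-in path /etc/rsyslog.d/60-ela.conf, the rsyslogd -N1 validation step, the ela-test tag and the host names in the usage line are assumptions; the directives themselves are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of EventLog Analyzer or of this page: rsyslog
# forwarding to ELA over UDP, TCP or TLS, written as a drop-in and checked
# before the daemon is restarted. Assumed: /etc/rsyslog.d/*.conf is included
# by rsyslog.conf (the stock layout), rsyslogd -N1 is available to validate,
# and the "ela-test" tag is free for our test message.

ela_forward_rule() {
    # $1 = udp|tcp|tls, $2 = ELA host, $3 = port; for tls also $4 = CA file and
    # $5 = name in the ELA server certificate (the PermittedPeer)
    case "$1" in
        udp) printf '*.* @%s:%s\n' "$2" "$3" ;;
        tcp) printf '*.* @@%s:%s\n' "$2" "$3" ;;
        tls)
            [ $# -eq 5 ] || { echo "tls needs: host port cafile peername" >&2; return 2; }
            # Legacy directives from the page. Mode 1 = TLS on; x509/name = verify the
            # chain against the CA file AND require the certificate name to match $5.
            printf '$DefaultNetstreamDriverCAFile %s\n' "$4"
            printf '$ActionSendStreamDriver gtls\n'
            printf '$ActionSendStreamDriverMode 1\n'
            printf '$ActionSendStreamDriverAuthMode x509/name\n'
            printf '$ActionSendStreamDriverPermittedPeer %s\n' "$5"
            printf '*.* @@%s:%s\n' "$2" "$3" ;;
        *) echo "unknown transport: $1" >&2; return 2 ;;
    esac
}

ela_tls_check() {
    # $1 = host, $2 = port, $3 = CA file. Confirms the ELA TLS listener presents a
    # chain that verifies against the CA file; -verify_return_error makes
    # s_client fail instead of merely printing a warning.
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

ela_install_rule() {
    # Same arguments as ela_forward_rule. Writes the drop-in, validates the whole
    # rsyslog configuration, restarts rsyslog and emits one line to search for.
    conf=/etc/rsyslog.d/60-ela.conf
    if [ "$1" = tls ]; then
        ela_tls_check "$2" "$3" "$4" || { echo "TLS check against $2:$3 failed" >&2; return 1; }
    fi
    ela_forward_rule "$@" > "$conf.tmp" || { rm -f "$conf.tmp"; return 2; }
    mv "$conf.tmp" "$conf"
    rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslog config invalid; run rsyslogd -N1" >&2; return 1; }
    systemctl restart rsyslog 2>/dev/null || service rsyslog restart
    logger -t ela-test "forwarding test from $(hostname) via $1 at $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
}

# usage: ela_install_rule tls ela.example.com 513 /etc/ssl/certs/ela-ca.crt ela.example.com
```

The TLS check runs before anything is changed on purpose: a rule with x509/name and the wrong CA file or peer name makes rsyslog drop the connection silently, and the only symptom is that nothing arrives.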


    Forwarding audit logs to the EventLog Analyzer Server

    The below given configurations have to be done in Linux devices under rsyslog.conf (or) syslog.conf :


    1. Under the MODULES section, check whether "$ModLoad imfile" is included. (The imfile module turns any text file into a stream of syslog messages, which can then be forwarded to the EventLog Analyzer server.)
    2. The following directives contain the details of the external log file:

      $InputFileName <Monitored_File_Absolute_Path>

      $InputFileStateFile <State_Filename>

      $InputFileSeverity <Severity >

      $InputFileFacility <Facility >

      $InputRunFileMonitor

    3. To forward the logs we must provide this line: <Facility>.<Severity> @Host-Ip:Port

    Example:

    $InputFileName /var/log/sample.log

    $InputFileStateFile sample

    $InputFileSeverity info

    $InputFileFacility local6

    local6.info @eventloganalyzer-Server:514

    Here /var/log/sample.log is the external file to be forwarded.

    Note:

    1. These instructions apply to Linux devices running rsyslog (imfile is an rsyslog module).
    2. Use a unique <State_Filename> for each <Monitored_File_Absolute_Path>; rsyslog records the read offset of each file in its state file, so two files sharing one state file will lose or duplicate lines.
    3. When forwarding audit logs, the default SELinux policy on Red Hat systems may not allow rsyslog to read the audit logs. In that case, have auditd hand the records to syslog itself by setting active = yes in /etc/audisp/plugins.d/syslog.conf and restarting auditd.
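The imfile procedure above, as an added example that is not part of this page or of EventLog Analyzer: a POSIX shell script that builds one imfile stanza per file with a state file derived from the path (so two files can never share one, which is the pitfall in note 2), ships the whole facility to EventLog Analyzer, enables the audisp syslog plugin for the SELinux case in note 3, and validates the configuration before restarting rsyslog. The drop-in path /etc/rsyslog.d/50-ela-audit.conf, the state-file naming scheme and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of EventLog Analyzer or of this page: build the imfile
# stanzas for one or more local files so that every file gets its own state
# file, forward them on a dedicated facility, and validate before restarting.
# Assumed: the drop-in path, the state-file naming scheme (path with "/"
# replaced by "_") and the audisp plugin path from the note above.

imfile_state_name() {
    # /var/log/audit/audit.log -> var_log_audit_audit.log, unique per path
    printf '%s\n' "$1" | sed 's#^/##; s#/#_#g'
}

imfile_stanza() {
    # $1 = absolute path, $2 = facility, $3 = severity (legacy directive syntax)
    case "$1" in /*) ;; *) echo "imfile needs an absolute path: $1" >&2; return 2 ;; esac
    printf '$InputFileName %s\n' "$1"
    printf '$InputFileStateFile %s\n' "$(imfile_state_name "$1")"
    printf '$InputFileSeverity %s\n' "$3"
    printf '$InputFileFacility %s\n' "$2"
    printf '$InputRunFileMonitor\n'
}

imfile_forward_conf() {
    # $1 = ELA host, $2 = port, $3 = facility, $4.. = files to watch.
    # One stanza per file, then a single rule that ships the whole facility over
    # UDP (@); change to @@ for TCP. A local facility keeps the file contents
    # apart from the host's own syslog stream.
    [ $# -ge 4 ] || { echo "usage: imfile_forward_conf host port facility file..." >&2; return 2; }
    host=$1; port=$2; fac=$3; shift 3
    printf '$ModLoad imfile\n'
    for f in "$@"; do
        imfile_stanza "$f" "$fac" info || return 2
    done
    printf '%s.* @%s:%s\n' "$fac" "$host" "$port"
}

audisp_enable_syslog() {
    # On SELinux-enforcing Red Hat hosts rsyslog may be denied reading
    # /var/log/audit; let auditd pass the records to syslog itself instead.
    f=/etc/audisp/plugins.d/syslog.conf
    [ -f "$f" ] || return 1
    sed -i 's/^active *=.*/active = yes/' "$f"
    service auditd restart
}

imfile_install() {
    # Same arguments as imfile_forward_conf; run as root.
    conf=/etc/rsyslog.d/50-ela-audit.conf
    imfile_forward_conf "$@" > "$conf.tmp" || { rm -f "$conf.tmp"; return 2; }
    mv "$conf.tmp" "$conf"
    rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslog config invalid; run rsyslogd -N1" >&2; return 1; }
    systemctl restart rsyslog 2>/dev/null || service rsyslog restart
}

# usage: imfile_install ela.example.com 514 local6 /var/log/audit/audit.log /var/log/secure
```

If you use audisp_enable_syslog, auditd emits the audit records through syslog on its own and the imfile stanza for /var/log/audit/audit.log becomes unnecessary; keep one path or the other, not both, or every record arrives twice.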

    Configuring the Syslog Service on a Mac OS device

    1. Login as the root user and edit the syslog.conf file in the /etc directory.
    2. Append *.*<tab>@<server_IP> at the end, where <server_IP> is the IP address of the machine on which EventLog Analyzer is running.

      Note: Ensure that the EventLog Analyzer server IP address is reachable from the Mac OS device.

    3. Save the file and exit the editor.
    4. Execute the commands below to restart the syslog daemon:

    $ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist

    $ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

    Note: The TLS option is not available for syslog forwarding from Mac OS.

     

    Configuring the Syslog Service on a HP-UX/Solaris/AIX Device

    1. Login as the root user.

    2. Edit the syslog.conf file in the /etc directory and add the line shown below.

    *.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;*.debug<tab-separation>@<ela_server_name>

    where <ela_server_name> is the name of the machine where EventLog Analyzer is running. Ensure that there is only a tab (no spaces) between *.debug and @<ela_server_name>; traditional syslogd implementations require a tab here and will not parse a line whose selector and action are separated by spaces.

    Note: Because a selector matches its priority and everything more severe, *.debug<tab-separation>@<ela_server_name> on its own already selects all messages; on a Solaris device it is enough to include that line in the syslog.conf file.

    3. Save the configuration and exit the editor.

    4. Edit the services file in the /etc directory.

    5. Check that the syslog service port number is 514, which is one of the default listeners of EventLog Analyzer. If you choose a port other than 514, remember to enter that same port when adding the device in EventLog Analyzer.

    6. Restart the syslog daemon on the OS with the appropriate command (stop it first if it is already running):

    (for HP-UX) /sbin/init.d/syslogd start
    (for Solaris) /etc/init.d/syslog start
    (for Solaris 10) svcadm -v restart svc:/system/system-log:default
    (for IBM AIX) startsrc -s syslogd
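The HP-UX/Solaris/AIX procedure above, as an added example that is not part of this page or of EventLog Analyzer: a POSIX shell script that appends the selector with a literal tab, refuses to continue if a space separator is found in the file, and picks the restart command from the page for the OS it is running on. It assumes /etc/syslog.conf as the target file and the OS names reported by uname -s (HP-UX, SunOS, AIX); ela.example.com in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example, not part of EventLog Analyzer or of this page: append the
# forwarding selector to a classic /etc/syslog.conf with a real tab, refuse to
# proceed if a space crept in, and restart the daemon appropriate to the OS.
# Assumed: /etc/syslog.conf as on the page and the OS names from uname -s.

classic_syslog_line() {
    # $1 = ELA host. A selector matches its priority and everything more severe,
    # so *.debug selects all messages; the long emerg;alert;... list is not needed.
    printf '*.debug\t@%s\n' "$1"
}

classic_syslog_check() {
    # 0 if no forwarding line in file $1 uses a space before the @ action,
    # 1 otherwise (offending lines go to stderr), 2 if the file is unreadable.
    [ -r "$1" ] || return 2
    if grep -n ' @' "$1" >&2; then return 1; fi
    return 0
}

classic_syslog_restart_cmd() {
    # $1 = uname -s, $2 = uname -r. Prints the restart command from the page for
    # that OS; Solaris 10 and later use SMF, earlier releases the init script.
    case "$1" in
        HP-UX) echo "/sbin/init.d/syslogd stop; /sbin/init.d/syslogd start" ;;
        SunOS)
            case "$2" in
                5.[1-9][0-9]*) echo "svcadm -v restart svc:/system/system-log:default" ;;
                *)             echo "/etc/init.d/syslog stop; /etc/init.d/syslog start" ;;
            esac ;;
        AIX)   echo "stopsrc -s syslogd; startsrc -s syslogd" ;;
        *)     return 1 ;;
    esac
}

classic_syslog_forward() {
    # $1 = ELA host. Appends the selector and restarts syslogd; run as root.
    conf=/etc/syslog.conf
    classic_syslog_line "$1" >> "$conf"
    classic_syslog_check "$conf" || { echo "fix the space/tab separator in $conf first" >&2; return 1; }
    cmd=$(classic_syslog_restart_cmd "$(uname -s)" "$(uname -r)") || { echo "unsupported OS: $(uname -s)" >&2; return 1; }
    sh -c "$cmd"
}

# usage: classic_syslog_forward ela.example.com
```

After the restart, run logger -p user.notice "ela test" on the device and confirm the line shows up in EventLog Analyzer; if it does not, the separator check above and the /etc/services port are the first two things to look at.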

     

    Configuring the Syslog Service on VMware

    All ESX and ESXi devices run a syslog service (syslogd), which logs messages from the VMkernel and other system components to a file.

    To configure the syslog service on an ESX device:

    Neither the vSphere Client nor vicfg-syslog can be used to configure syslog behavior for an ESX device. To configure syslog for an ESX device, you must edit the /etc/syslog.conf file.

    To configure the syslog service on an ESXi device:

    Log file path: Specifies a datastore path to the file where syslogd logs all messages.

    Remote host: Specifies a remote host to which syslog messages are forwarded. In order to receive the forwarded syslog messages, your remote host must have a syslog service installed.

    Remote port: Specifies the port used by the remote host to receive syslog messages.

    1. In the vSphere Client inventory, click on the host.
    2. Click the Configuration tab.
    3. Click Advanced Settings under Software.
    4. Select Syslog in the tree control.
    5. In the Syslog.Local.DatastorePath text box, enter the datastore path to the file where syslog will log messages. If no path is specified, the default path is /var/log/messages.

    The datastore path format is [<datastorename>] </path/to/file>, where the path is relative to the root of the volume backing the datastore.

    Example: The datastore path [storage1] var/log/messages maps to the path /vmfs/volumes/storage1/var/log/messages.

    6. In the Syslog.Remote.Hostname text box, enter the name of the remote host where syslog data will be forwarded. If no value is specified, no data is forwarded.
    7. In the Syslog.Remote.Port text box, enter the port on the remote host where syslog data will be forwarded. By default Syslog.Remote.Port is set to 514, the default UDP port used by syslog. Changes to Syslog.Remote.Port only take effect if Syslog.Remote.Hostname is configured.
    8. Click OK.

    Enabling Stackato Logging

    EventLog Analyzer automatically adds and collects your Stackato logs once you execute the following commands in your tty console:

    $ kato config set logyard drainformats/<Format Name>[<PRI>{{.Text}}]

    For UDP based log collection:

    $ kato drain add ela udp://<ela_server_name>:<udp_port_no> -f systail-ela-local

    For TCP based log collection:

    $ kato drain add ela tcp://<ela_server_name>:<tcp_port_no> -f systail-ela-local

    Example:

    $ kato config set logyard drainformats/systail-ela-local[<13>{{.Text}}]

    $ kato drain add ela udp://ELA:514 -f systail-ela-local

    Here <13> is the syslog PRI value (facility user, priority notice) placed in front of every line so that EventLog Analyzer can parse it as a syslog message. By default, EventLog Analyzer uses 513 and 514 as its UDP ports; if you have changed the UDP port number, specify the changed port here.

    Logyard will now drain all logs in the specified format to the given EventLog Analyzer UDP port. EventLog Analyzer can now collect all the Stackato logs as syslog and analyze them with dedicated reports.

     

    Configuring Zscaler NSS

    Navigate to Edit NSS Feed in the console and specify the following details:

    1. Enter the EventLog Analyzer server IP address in the field SIEM IP address.
    2. Enter 514 as the SIEM TCP Port. If you have changed the default TCP port, then specify the changed port number here.
    3. Select the Field Output Type as Tab-separated.
    4. Prepend <96> to the Feed Output Format, in front of the leading "%s..." of the format string. This puts a syslog PRI header on every line, which tells EventLog Analyzer to process the lines as syslog messages.
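The PRI arithmetic shared by the AUDIT_SYSLOG_LEVEL facility.priority setting in the Oracle section above, Stackato's <13> prefix and Zscaler's <96> prefix, as an added example that is not part of this page or of EventLog Analyzer: a POSIX shell script that converts between the two forms and builds a test line in that format. PRI = facility * 8 + severity as defined in RFC 5424; the short names it uses for facilities 12 to 15 and the nc usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of EventLog Analyzer or of this page: the arithmetic
# behind AUDIT_SYSLOG_LEVEL's facility.priority pair, Stackato's <13> and
# Zscaler's <96>. PRI = facility * 8 + severity (RFC 5424 section 6.2.1).
# The short names for facilities 12-15 (ntp audit alert clock) are an
# assumption for display only; syslog.conf and rsyslog do not name them.

FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

index_of() {
    # $1 = word, $2 = space-separated list; prints the 0-based position or fails
    i=0
    for w in $2; do
        [ "$w" = "$1" ] && { echo "$i"; return 0; }
        i=$(( i + 1 ))
    done
    return 1
}

name_at() {
    # $1 = 0-based position, $2 = list; prints the word at that position
    i=0
    for w in $2; do
        [ "$i" -eq "$1" ] && { echo "$w"; return 0; }
        i=$(( i + 1 ))
    done
    return 1
}

syslog_pri() {
    # syslog_pri local1 warning -> 140 ; also accepts the dotted form local1.warning
    case "$1" in *.*) set -- "${1%.*}" "${1#*.}" ;; esac
    f=$(index_of "$1" "$FACILITIES") || { echo "unknown facility: $1" >&2; return 2; }
    s=$(index_of "$2" "$SEVERITIES") || { echo "unknown severity: $2" >&2; return 2; }
    echo $(( f * 8 + s ))
}

syslog_pri_decode() {
    # syslog_pri_decode '<13>' -> user.notice ; the angle brackets are optional
    p=${1#<}; p=${p%>}
    case "$p" in ''|*[!0-9]*) echo "not a PRI: $1" >&2; return 2 ;; esac
    [ "$p" -le 191 ] || { echo "PRI out of range: $1" >&2; return 2; }
    echo "$(name_at $(( p / 8 )) "$FACILITIES").$(name_at $(( p % 8 )) "$SEVERITIES")"
}

syslog_line() {
    # Build an RFC 3164 style line: <PRI>TIMESTAMP HOST TAG: MSG
    # $1 = facility, $2 = severity, $3 = host, $4 = tag, $5 = message
    pri=$(syslog_pri "$1" "$2") || return 2
    printf '<%s>%s %s %s: %s\n' "$pri" "$(date '+%b %e %H:%M:%S')" "$3" "$4" "$5"
}

# usage: syslog_line local1 warning "$(hostname)" oracle "audit test" | nc -u -w1 ela.example.com 514
```

Decoding the page's values with syslog_pri_decode: <13> is user.notice, the local1.warning of the Oracle example is 140, and <96> is facility 12 severity 0 (emerg), which is why a receiver that honours the header may file Zscaler's lines under an unexpected facility unless a rule maps them.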

    Configuring the Syslog Service on Arista Switches

    1. Login to the Arista switch.
    2. Go to the config mode.
    3. Configure the switch as below to send the logs to the EventLog Analyzer server:
      • Arista# config terminal
      • Arista(config)# logging host <EventLog_Server_IP> <port_number> protocol [tcp|udp]
      • Arista(config)# logging trap informational
      • Arista(config)# copy running-config startup-config

    To configure command executed logs:
    To configure logon logs:

    Configuring the Syslog Service on Cisco Switches

    1. Login to the switch.

    2. Go to the config mode.

    3. Configure the switch as below (here, we have used a Catalyst 2900 running IOS) to send the logs to the EventLog Analyzer server:
      Catalyst2900# config terminal
      Catalyst2900(config)# logging <ela_server_IP>

      On Catalyst switches running CatOS (for example older Catalyst 6500 supervisors), the equivalent command, entered from the enable prompt, is set logging server <ela_server_IP>.

      You can also configure the logging facility and the trap level with the commands below:
      Catalyst6500(config)# logging facility local7
      Catalyst6500(config)# logging trap notifications

      logging trap sets the least severe level that is sent to the server: notifications (level 5) excludes informational (level 6) messages, so use logging trap informational if you need those as well.

    Note: The same commands also apply to Cisco routers running IOS.
    Please refer to the Cisco documentation for detailed steps on configuring the Syslog service on your routers or switches. Contact eventlog-support@manageengine.com if the syslog format of your Cisco devices is different from the standard syslog format supported by EventLog Analyzer.

    Configuring the Syslog Service on HP Switches

    1. Login to the switch.
    2. Enter the following commands.
      HpSwitch# configure terminal
      HpSwitch(config)#  logging severity debug
      HpSwitch(config)#  logging <ELA IP_ADDRESS>

    Configuring the Syslog Service on Cisco ASA devices

    To configure the Syslog service on Cisco ASA firewalls, follow the steps below:

    1. Login to the firewall.
    2. Go to the config mode.
    3. Configure the firewall as given below (here, we have used a Cisco ASA) to send the logs to the EventLog Analyzer server. On the ASA the logging host command also takes the name of the interface through which the EventLog Analyzer server is reached:
      Cisco-ASA# config terminal
      Cisco-ASA(config)# logging host <interface_name> <EventLog_server_IP> [tcp|udp]/<Port_Number>
      Cisco-ASA(config)# logging trap informational
      Cisco-ASA(config)# logging facility local7
      Cisco-ASA(config)# logging enable
    Note: The default UDP port is 514. The default TCP port is 1470.

    Note: With TCP, the ASA by default stops admitting new connections when it cannot reach the syslog server. Configure logging permit-hostdown if a collector outage must not block traffic.

    Configuring the Syslog Service on Cisco Firepower devices

    Step 1: Syslog server configuration 

    To configure a Syslog server for traffic events, navigate to Configuration > ASA Firepower Configuration > Policies > Actions > Alerts, click the Create Alert drop-down menu and choose the option Create Syslog Alert. In the web interface, navigate to Policies > Actions > Alerts. Enter the values for the Syslog server.

    Step 2: Enable external logging for Connection Events 

    Step 3: Enable external logging for Intrusion Events

    Configuring the Syslog Service on SonicWall devices

    To configure the Syslog service on SonicWall devices, follow the steps below:

    1. Login to the SonicWall device as an administrator.
    2. Navigate to Log > Automation, and scroll down to Syslog Servers.
    3. Click on the Add button.

    On older SonicOS versions, use a web browser to connect to the SonicWall management interface, login with your username and password, and proceed as follows:

    1. Click on the Log button on the left menu. This will open a tabbed window in the main display.
    2. Click on the Log Settings tab.
    3. Under Sending the Log, enter the IP address of the machine running EventLog Analyzer into the field Syslog Server 1. If EventLog Analyzer is listening on a port other than 514, enter that value in the field Syslog server port 1.
    4. Under Automation, set the Syslog format to Enhanced Syslog.
    5. Under Categories > Log, check all the types of events that you would like to receive Syslog messages for.
    6. Click on the Update button.

     

    For SonicOS 6.5 and above:

    1. Login to the SonicWall device as an administrator.
    2. Click on Manage tab and expand Log Settings> SYSLOG
    3. Click Add under Syslog Servers.
    4. From the Add Syslog Server window, enter the IP address or host name of the Eventlog Analyzer server.
    5. Enter the port number and set the Server Type to Syslog.
    6. Set the Syslog format to Enhanced Syslog.
    7. Click OK to configure.

    A reboot of the SonicWall may be required for the new settings to take effect.

    Configuring the Syslog Service on Juniper devices   

    To configure the Syslog service in your Juniper devices, follow the steps below:

    1. Login to the Juniper device as an administrator
    2. Navigate to the Configure tab. 
    3. Expand CLI Tools on the left pane, click on CLI editor in the subtree, and navigate to syslog under system.
    4. Insert the host node along with the required values such as the hostname, severity, facility and log prefix.
    5. Click on Commit to save the changes. To view the changes, click on the CLI viewer

    Once you have completed the configuration steps, the logs from your Juniper device will be automatically forwarded to the EventLog Analyzer server.                                                            

    Configuring the Syslog Service on PaloAlto devices

    To configure the Syslog service in your Palo Alto devices, follow the steps below:

    1. Login to the Palo Alto device as an administrator.
    2. Navigate to Device > Server Profiles > Syslog to configure a Syslog server profile. 
    3. Configure Syslog forwarding for Traffic, Threat, and WildFire Submission logs. First, navigate to Objects > Log Forwarding, and click on Add to create a log forwarding profile. 
    4. Assign the log forwarding profile to security rules. 
    5. Configure Syslog forwarding for System, Config, HIP match, and Correlation logs. 
    6. Click on Commit for the changes to take effect. 

    Source: https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/monitoring/configure-syslog-monitoring.html

     

    For version 7.1 and above:

    1. Login to the Palo Alto device as an administrator.
    2. Configure a Syslog server profile for the EventLog Analyzer server
        • Select Device > Server Profiles > Syslog.
        • Click Add and provide a name for the profile.
        • If the firewall has more than one virtual system (vsys), select the Location (vsys or Shared) where this profile is available.
        • For the EventLog Analyzer server, click Add and enter the requested information.
        • Click OK.
    3. Configure syslog forwarding for Traffic, Threat, and WildFire Submission logs.
        • Create a log forwarding profile.
            • Select Objects > Log Forwarding, click Add, and enter a Name to identify the profile.
            • For each log type and each severity level or WildFire verdict, select EventLog Analyzer's Syslog server profile and click OK.
        • Assign the log forwarding profile to security rules.
    4. Configure syslog forwarding for System, Config, HIP Match, and Correlation logs.
        • Select Device > Log Settings.
        • For System and Correlation logs, click each Severity level, select EventLog Analyzer's syslog server profile, and click OK.
        • For Config, HIP Match, and Correlation logs, edit the section, select EventLog Analyzer's syslog server profile, and click OK.
    5. Click Commit to save your changes.

    Source: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/monitoring/configure-syslog-monitoring

     

    Once you have completed the configuration steps, the logs from your Palo Alto device will be automatically forwarded to the EventLog Analyzer server. 

     

    Configuring the Syslog Service on Fortinet devices

    To configure the Syslog service in your Fortinet devices (FortiManager 5.0.7 and above), follow the steps below:

    1. Log in to the Fortinet device as an administrator.
    2. Define the Syslog server either through the GUI (System Settings > Advanced > Syslog Server) or with the following CLI commands:

      config system syslog
        edit <server name>
          set ip <EventLog Analyzer server IP>
      end

    3. Enable sending FortiManager local logs to the EventLog Analyzer server via the CLI:

      config system locallog syslogd setting
        set syslog-name <remote syslog server name, defined in the previous step>
        set severity <emergency | alert | critical | error | warning | notification | information | debug>
        set status <enable | disable>
        set csv <enable | disable>
        set facility <facility>
        set port <port>
      end

      Here severity is the least severe level that will still be sent, csv switches CSV formatting on or off, facility selects the syslog facility stamped on each message, and port is the port the EventLog Analyzer server listens on.

    Once you have completed the configuration steps, the logs from your Fortinet device will be automatically forwarded to the EventLog Analyzer server.

    For more details and for other versions, refer source: http://kb.fortinet.com/kb/documentLink.do?externalID=FD35387

     

    Configuring the Syslog Service on Check Point devices

    To configure the Syslog service in your Check Point devices, follow the steps below:

    1. Log in to the Check Point device as an administrator.
    2. To override the lock, click on the lock icon on the top-left corner of the screen.
    3. Click Yes on the confirmation pop-up that appears.
    4. Navigate to System Management > System Logging.
    5. Under the Remote System Logging section, click Add.
    6. In the Add Remote Server Logging Entry window, enter the IP address of the remote server (EventLog Analyzer server).
    7. From the Priority drop-down, select the severity level of the logs to be sent to the remote server.
    8. Click OK.

    Configuring the Syslog Service on NetScreen devices

    The Syslog service in your NetScreen devices can be configured in two ways:

     

    Enabling Syslog Messages using the NetScreen Device:

    1. Log in to the NetScreen GUI.
    2. Navigate to Configuration > Report Settings > Syslog.
    3. Check the Enable Syslog Messages check box.
    4. Select the Trust Interface as Source IP and enable the Include Traffic Log option.
    5. Enter the IP address of the EventLog Analyzer server and the Syslog port (514) in the given boxes. All other fields can keep their default values.
    6. Click Apply to save the changes.

    Enabling Syslog Messages using the CLI Console:

    Execute the following commands:

     

    Configuring the Syslog Service on WatchGuard devices

    To configure the Syslog service in your WatchGuard devices, follow the steps below:

    1. Log in to the WatchGuard device as an administrator.
    2. Navigate to System > Logging > Syslog.
    3. Enable the Send log messages to the syslog server at this IP address checkbox.
    4. Type the EventLog Analyzer server's IP address in the box provided for IP address.
    5. Enter 514 in the box provided for Port.
    6. Select Syslog from the Log Format drop-down list.
    7. If you want to include date and time in the log message details, enable the Time stamp checkbox.
    8. If you want to add serial numbers in log message details, enable Serial number of the device checkbox.
    9. Select a syslog facility for each type of log message in the Syslog settings section drop-down list.
      • For high-priority syslog messages, such as alarms, select Local0.
      • To assign priorities for other types of log messages select Local1 - Local7.
      • To not send details for a message type, select NONE.
      • Note: Lower numbers have greater priority.
    10. Click Save.
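    The facility and severity settings above (the local0 to local7 choice on WatchGuard, and the severity and facility values in the FortiManager CLI earlier on this page) end up as a single PRI number at the start of every syslog message, and the collector classifies the message from that number. The following is an added example, not code from the EventLog Analyzer documentation or from any of the vendors: it encodes and decodes PRI, builds an RFC 3164 test message, and sends it over UDP to a throw-away loopback listener that stands in for the EventLog Analyzer server, so you can confirm offline that a given facility/severity pair arrives as expected before pointing it at the real collector. The 192.0.2.10 address in the commented-out line is an assumed collector address; host fw01 and tag syslogtest are made up for the test.

```python
"""Added example (not code from the EventLog Analyzer documentation or any vendor).

Encodes/decodes the syslog PRI field, builds a BSD (RFC 3164) test message and sends it
over UDP, so the facility/severity chosen on a device can be checked against what the
collector actually receives. The loopback listener stands in for the EventLog Analyzer
server; 192.0.2.10 below is an assumed collector address.
"""
import re
import socket
import threading
from datetime import datetime

# RFC 3164 facility codes 0..23 and severity codes 0..7, in code order.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Vendor spellings used on this page, mapped to the RFC names.
SEVERITY_ALIASES = {
    "emergency": "emerg", "panic": "emerg", "critical": "crit", "error": "err",
    "warn": "warning", "notification": "notice", "information": "info",
    "informational": "info",
}


def syslog_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1); ValueError on unknown names."""
    fac = facility.lower()
    sev = SEVERITY_ALIASES.get(severity.lower(), severity.lower())
    if fac not in FACILITIES or sev not in SEVERITIES:
        raise ValueError(f"unknown facility/severity: {facility}/{severity}")
    return FACILITIES.index(fac) * 8 + SEVERITIES.index(sev)


def decode_pri(pri):
    """Inverse of syslog_pri: (facility, severity) names for a PRI value 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_message(raw):
    """Split a BSD syslog datagram into PRI, names and body; reject a missing or bad PRI."""
    m = PRI_RE.match(raw.decode("utf-8", "replace"))
    if not m:
        raise ValueError("missing PRI header")
    pri = int(m.group(1))
    fac, sev = decode_pri(pri)
    return {"pri": pri, "facility": fac, "severity": sev, "body": m.group(2)}


def build_message(facility, severity, hostname, tag, text, now=None):
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, the BSD format used throughout this page."""
    dt = now or datetime.now()
    ts = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"  # day of month is space padded per RFC 3164
    return f"<{syslog_pri(facility, severity)}>{ts} {hostname} {tag}: {text}".encode()


def send_udp(datagram, host, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_round_trip(facility, severity, text="EventLog Analyzer path check"):
    """Bind a throw-away UDP listener on 127.0.0.1, send one test message to it and return
    the parsed result. The listener is a stand-in for the collector so the path runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(3)
    port = srv.getsockname()[1]
    received = {}

    def listen():
        try:
            data, _ = srv.recvfrom(2048)
            received.update(parse_message(data))
        finally:
            srv.close()

    t = threading.Thread(target=listen)
    t.start()
    send_udp(build_message(facility, severity, "fw01", "syslogtest", text), "127.0.0.1", port)
    t.join()
    return received


if __name__ == "__main__":
    # Constructed samples: what the device choices on this page encode to.
    for fac, sev in [("local0", "alert"), ("daemon", "information"), ("local7", "debug")]:
        print(f"{fac}/{sev} -> PRI {syslog_pri(fac, sev)}")
    print(loopback_round_trip("local0", "alert"))
    # Against the real collector (assumed address), then search for host fw01 in the EventLog Analyzer UI:
    # send_udp(build_message("local0", "alert", "fw01", "syslogtest", "hello"), "192.0.2.10", 514)
```

    Uncomment the last line with your collector's address and port to test the real path; if the message shows up in EventLog Analyzer under host fw01 with the expected facility, any device that still fails to appear has a configuration or network problem rather than a collector problem.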

     

    Configuring the Syslog Service on Sophos devices

    To configure the Syslog service in your Sophos devices, follow the steps below:

     

    Enabling Sophos-UTM Syslog:

    1. Log in to Sophos UTM as an administrator.
    2. Navigate to Logging & Reporting > Log Settings > Remote Syslog Server.
    3. Enable the Syslog Server Status.
    4. Configure the syslog server by filling in the following details:

      Name: < Any >
      Server: < EventLog Analyzer server IP Address >
      Port: < 513 >

    5. Navigate to Remote Syslog and select the logs that have to be sent to the EventLog Analyzer server.
    6. Click on Apply.

    Enabling Sophos-XG Syslog:

    1. Log in to Sophos-XG as an administrator.
    2. Navigate to System > System Services > Log Settings > Syslog Servers > Add.
    3. Configure the syslog server by filling in the following details:

      Name: < Any >
      Server: < EventLog Analyzer server IP Address >
      Port: < 513 >
      Facility: < DAEMON >
      Severity: < INFORMATION >
      Format: < Standard Format >

    4. Click on Save.
    5. Navigate to System > System Services > Log Settings and select the logs that have to be sent to the EventLog Analyzer server.

     

    Configuring the Syslog Service on Cyberoam devices

    To configure the Syslog service in your Cyberoam devices, follow the steps below:

    Enabling Cyberoam Syslog:

    1. Log in to Cyberoam as an administrator.
    2. Navigate to Logs & Reports > Configuration > Syslog Server > Syslog Servers > Add.
    3. Configure the syslog server by filling in the following details:

      Name: < any >
      Server: < EventLog Analyzer server IP Address >
      Port: < 513 >
      Facility: < DAEMON >
      Severity: < INFORMATION >
      Format: < Cyberoam Standard Format >

    4. Click on Save.
    5. Navigate to Logs & Reports > Configuration > Log Settings and select the logs that have to be sent to the EventLog Analyzer server.

     

    Configuring the Syslog Service on Barracuda devices

    The Syslog service in your Barracuda devices can be configured by following these five steps:

    1. Enable the Syslog Service 
      • Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
      • Click on Lock.
      • Enable the Syslog service.
      • Click Send Changes and Activate.
    2. Configure Logdata Filters
      • Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
      • From the menu select Logdata Filters.
      • Click on Configuration Mode > Switch to Advanced View, then click Lock.
      • Click on + icon to add a new entry.
      • Enter a descriptive name in the Filters and click OK.
      • In the Data Selection table, add the log files to be streamed. (e.g. Fatal_log, Firewall_Audit_Log, Panic_log)
      • In the Affected Box Logdata section, define what kind of box logs are to be affected by the Syslog daemon from the Data Selection list.
      • In the Affected Service Logdata section, define what kind of logs created by services are to be affected by the Syslog daemon from the Data Selection list.
      • Click on Send Changes and Activate.
    3. Configure Logstream Destinations
      • Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
      • From the menu select Logstream Destinations.
      • Expand the Configuration Mode menu, select Switch to Advanced View, then click Lock.
      • Click on the + icon to add a new entry.
      • Enter a descriptive name and click OK
      • In the Destinations window select the Remote Loghost.
      • Enter the EventLog Analyzer server IP address as destination IP address in the Loghost IP address field.
      • Enter 513 or 514 as the destination port for delivering syslog messages.
      • Enter the destination protocol as UDP.
      • Click OK
      • Click on Send Changes and Activate.
    4. Disable Log Data Tagging
    5. Configure Logdata Streams
      • Navigate to CONFIGURATION > Full Configuration > Box > Infrastructure Services > Syslog Streaming.
      • From the menu, select Logdata Streams.
      • Expand the Configuration Mode menu and select Switch to Advanced View.
      • Click the + icon to add a new entry. 
      • Enter a descriptive name and click OK.
      • Configure Active Stream, Log Destinations and Log Filters settings.
      • Click on Send Changes and Activate.

    Configuring the Syslog Service on Barracuda Web Application Firewall

    The Barracuda Web Application Firewall can be configured by following these steps:

    1. Navigate to ADVANCED > Export Logs > Add Export Log Server.
    2. In the Add Export Log Server window, enter the following details, and click OK.

    Configuring the Syslog Service on Barracuda Email Security Gateway

    The Barracuda Email Security Gateway can be configured by following these steps:

    1. To configure the email Syslog using the Barracuda Email Security Gateway web interface, navigate to ADVANCED > Advanced Networking.
    2. Enter the IP address of the EventLog Analyzer server to which syslog data related to mail flow should be sent.
    3. Specify the protocol (TCP or UDP) and the port (513 or 514) over which syslog data should be transmitted.

    Configuring the Syslog Service on Huawei Firewall devices

    To configure the Syslog service in your Huawei firewall devices, follow the steps below:

    1. Log in to the Huawei firewall device.
    2. Navigate to System view > Log monitoring > Firewall log stream.
    3. To export traffic monitoring logs to the EventLog Analyzer server, enter the following command:

      info-center loghost <EventLog Analyzer server IP address> 514 facility <facility>

    4. Exit the configuration mode.

    Configuring the Syslog Service on Malwarebytes devices

    To configure the Syslog service in your Malwarebytes devices, follow the steps below:

    1. Log into the Management console of the Malwarebytes device. 
    2. Move to the Admin pane and open the Syslog Settings tab.
    3. Click Change and tick the Enable Syslog check box.
    4. To export traffic monitoring logs to EventLog Analyzer server, enter the following details in the space provided:
      • Address <EventLog Analyzer server IP address>
      • Port <513/514>
      • Protocol
      • Payload format <CEF>
    5. Click OK to save.

    Configuring the Syslog Service on Meraki devices

    To configure the Syslog service in your Meraki devices, follow the steps below:

    1. Log in to the Meraki dashboard as an administrator.
    2. From the dashboard, navigate to Network-wide > Configure > General.
    3. Click on the Add a syslog server link. In the given fields, enter the EventLog Analyzer server IP address and UDP port number.
    4. Define the roles so that data can be sent to the server.
      Note: If the Flows role is enabled on a Meraki security appliance then logging for individual firewall rules can be enabled/disabled. This can be done by navigating to the Security appliance > Configure > Firewall and editing the Logging column.
    5. Click Save.

    Configuring the Syslog Service on FireEye devices

    1. Log in to the FireEye device as an administrator.
    2. Navigate to Settings > Notifications, select rsyslog and the Event type.
    3. Click Add Rsyslog Server.
    4. In the dialog box that opens, enter the EventLog Analyzer server IP address in the given field. Choose UDP as the protocol and the format as CEF (default).
    5. Click Save.

    Configuring the Syslog Service on pfSense devices

    1. Log in to the pfSense device.
    2. Navigate to Status > System logs > Settings.
    3. Enable Remote Logging.
    4. Specify the IP address and port of the EventLog Analyzer server.
    5. Check all the Remote Syslog Contents.
    6. Click Save.

    Configuring the Syslog Service on Symantec DLP devices

    1. Locate and open the config\Manager.properties file. The file path is as follows:
      • Windows: \SymantecDLP\Protect\config
      • Linux: /opt/SymantecDLP/Protect/config
    2. Uncomment the systemevent.syslog.host= line and specify the EventLog Analyzer server IP address as follows:
      systemevent.syslog.host=xxx.xx.xx.xxx
    3. Uncomment the systemevent.syslog.port= line and specify 514 as the port on which the EventLog Analyzer server accepts connections from the Symantec Enforce Server, as follows:
      systemevent.syslog.port=514
    4. After making the above changes, save and close the properties file.
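    A hand edit of Manager.properties is easy to get wrong on a second pass (two active copies of the key, or the key re-commented by a later change). The following is an added example, not code from Symantec or from the EventLog Analyzer documentation: it applies the two property edits described above in a repeatable way, uncommenting the existing line or updating an active one in place, commenting out any duplicate active copy, and leaving every other line untouched. The Windows path, the 192.0.2.10 collector address and the SAMPLE text are assumptions for illustration.

```python
"""Added example, not code from Symantec or the EventLog Analyzer documentation.

Sets systemevent.syslog.host and systemevent.syslog.port in a Manager.properties file
idempotently. The path, the 192.0.2.10 address and SAMPLE are assumptions for illustration.
"""
import re
from pathlib import Path


def set_property(text, key, value):
    """Return text with exactly one active 'key=value' line, preserving everything else."""
    pat = re.compile(r"^(\s*#\s*)?" + re.escape(key) + r"\s*=.*$")
    out, done = [], False
    for line in text.splitlines():
        m = pat.match(line)
        if m is None:
            out.append(line)
        elif not done:
            out.append(f"{key}={value}")   # first commented or active copy becomes the live setting
            done = True
        elif m.group(1) is None:
            out.append("# " + line)        # a second active copy would shadow the first: neutralise it
        else:
            out.append(line)               # further commented copies are harmless, keep them
    if not done:
        out.append(f"{key}={value}")       # key absent entirely: append it
    return "\n".join(out) + "\n"


def active_properties(text):
    """Parse the active (non-comment) key=value pairs, for checking the result."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" not in s:
            continue
        k, v = s.split("=", 1)
        props[k.strip()] = v.strip()
    return props


def configure_enforce_syslog(text, host, port=514):
    """Apply both edits described above to the given properties text."""
    text = set_property(text, "systemevent.syslog.host", host)
    return set_property(text, "systemevent.syslog.port", str(port))


# Constructed sample of the relevant lines, not a real Manager.properties.
SAMPLE = """# constructed sample
#systemevent.syslog.host=
#systemevent.syslog.port=
other.setting=keep-me
"""


if __name__ == "__main__":
    path = Path(r"C:\SymantecDLP\Protect\config\Manager.properties")  # assumed Windows location
    original = path.read_text() if path.exists() else SAMPLE
    updated = configure_enforce_syslog(original, "192.0.2.10")
    if path.exists():
        path.with_suffix(".properties.bak").write_text(original)  # keep a copy before editing
        path.write_text(updated)
    print(active_properties(updated))
```

    Run it where the Enforce Server is installed (the file is owned by the Symantec service account, so use matching privileges), then restart the Enforce services as the Symantec documentation requires for the properties to be re-read.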

    Configuring the Syslog Service on Symantec Endpoint Protection devices

    1. Log in to the Symantec Endpoint Protection Manager as an administrator.
    2. Navigate to Admin > Servers. Select the local site or remote site from which log data must be exported.
    3. Click Configure External Logging.
    4. In the General tab, from the Update Frequency list, choose how often log data should be sent to the file.
    5. In the Master Logging Server list, select the management server to which the logs should be sent.
    6. Check the Enable Transmission of Logs to a Syslog Server option.
    7. Enter the following details in the given fields.
      • Syslog Server - Enter the EventLog Analyzer server IP address or domain name.
      • Destination Port - Select the protocol to use and enter the destination port that the Syslog server should use to listen for Syslog messages.
      • Log Facility - Enter the number of the log facility that you want the Syslog configuration file to use. Valid values range from 0 to 23. Alternatively, you could use the default.
    8. Click OK.

    Configuring the Syslog Service on H3C devices

    1. Log in to the H3C security device as an administrator.
    2. Enter system view.
    3. Enable the information center:

      info-center enable

    4. Configure an output rule for the log host:

      info-center source {<module-name>|default} {console|monitor|logbuffer|logfile|loghost} {deny|level <severity>}

    5. Specify the log host and configure the parameters below:

      info-center loghost <ELA_SERVER_IP> [port <port_number>] [facility <local-number>]

    6. The H3C security device is now configured to forward logs to the EventLog Analyzer server.

    Configuration steps for Syslog forwarding from F5 devices to EventLog Analyzer

    1. To forward system logs:
      • Log in to the "Configuration Utility".
      • Navigate to System > Logs > Configuration > Remote Logging.
      • Enter the remote IP. The remote IP in this case would be EventLog Analyzer server's IP address.
      • Enter the remote port number. The default remote port for EventLog Analyzer is 514.
      • Click on "Add".
      • Click on "Update".
    2. To forward event logs (for example, firewall events):
      • Create a management port destination
        1. Log in to the "Configuration Utility".
        2. Navigate to System > Logs > Configuration > Log Destinations.
        3. Click on "Create."
        4. Enter a name for the log destination.
        5. To specify the log type, click on "management port".
        6. Enter the IP address of the EventLog Analyzer server.
        7. Enter the listening port of the EventLog Analyzer server. The default listening port is 514.
        8. For protocol, select the UDP protocol.
        9. Click on "Finish".
      • Create a formatted remote syslog destination.
        1. Now navigate to System > Logs > Configuration > Log Destinations.
        2. Click on "Create".
        3. Enter a name for the log destination.
        4. To specify the log type, select remote syslog.
        5. Under syslog settings, set the syslog format as "syslog" and select the forward to management Port as the syslog destination.
        6. Click on "Finish".
      • Create a log publisher to forward the logs.
        1. Navigate to System > Logs > Configuration > Log Publishers.
        2. Click on "Create".
        3. Enter a name for the log publisher configuration.
        4. In the available list, click the previously configured remote syslog destination name and move it to the selected list.
        5. Click on "Finish".
      • Create a logging profile for virtual servers
        1. Navigate to Security > Event Logs > Logging Profiles.
        2. Click on "Create".
        3. Enter a profile name for the logging profile.
        4. Then enable the network firewall by clicking on the checkbox.
        5. Under the network firewall settings, enter the publisher. Enter the previously configured Syslog publisher.
        6. Under log rule matches, click on "Accept, Drop, and Reject." (Note: If you do not want any logs, you can disable it).
        7. Leave other options in default. (Note: Storage Format should be "none")
        8. Then click on "Create".
      • Apply Logging Profile to corresponding Virtual Server
        1. Now navigate to Local Traffic > Virtual Servers
        2. Select your virtual server to which you want to apply logging profile
        3. At the top, click on the Security tab and select Policies.
        4. Go to Network Firewall.
        5. Set Enforcement: Enabled, and select your network firewall policy.
        6. Under Log Profile, Enable the log profile and select previously configured logging profile.
        7. Then click on Update.
