Configure remote syslog objects

Configure remote syslog objects to enable the system to record system events in a remote log file.

If the connection to the remote syslog server drops, the virtual appliance generates a system audit event. If we are using the TCP protocol, the virtual appliance writes the events to an auxiliary storage file. When the connection is restored, the events that are stored in this file are sent to the remote syslog server. If the connection is not restored before the storage file exceeds its size limit, any additional events are dropped. The virtual appliance generates another system audit event when the connection is reestablished.

  1. From the top-level menu of the Appliance Dashboard, click Manage > System Settings > System Audit Events.

  2. In the System Audit Events page, do one of the following steps.

    • Click Remote Syslog to display the Add Remote Syslog Object window.

    • Select an existing remote syslog object and then click Edit to display the Edit Remote Syslog Object window.

  3. Configure the following options.

    Option: Description

    Name: Specifies a meaningful name for the response.

    Remote Syslog Collector: Fully qualified domain name or IP address of the host on which to save the log. The host must be accessible to the virtual appliance.

    Remote Syslog Collector Port: Custom port used to connect to the syslog collector. The default is 514.

    QRadar Format Enabled: Select this check box to enable the virtual appliance to send events in QRadar LEEF format instead of RFC5424 remote syslog format.

    Comment: Enter a comment to identify the remote syslog object.

  4. Click Save Configuration.

After we configure a remote syslog object, add the object to the Added Objects pane on the System Audit Events page so that the virtual appliance initiates the response when the specified events occur.
