Syslog Help

Basic Syslog Setup Help

Using Syslog Source File

  • Define / Add new syslog file sources.
  • Enable the Syslog Processor Module.
  • Activate detected syslog sensors.
  • Edit sensor pre and post filters to correctly normalize data specific for the sensor.

Using Syslog Daemon Script

  • Start the /apps/idsSyslog.pl background script to begin receiving syslog data.
  • Enable the Syslog Processor Module.
  • Activate detected syslog sensors.
  • Edit sensor pre and post filters to correctly normalize data specific for the sensor.

  • Commercial Support Assistance is available to help install, configure and manage the Syslog Processor. Contact Aanval or visit your myAanval Portal account for details.

Frequently Asked Questions

    What is the Syslog Module?
    The Syslog Module is a powerful feature built into the console which allows for the importing and normalizing of any syslog data in both streaming and stored (file) format.

    What kind of syslog data can be received?
    The Syslog Module can receive any data sent via the syslog protocol (UDP port 514). Note: this port can be changed if needed (edit idsSyslog.pl). The Module can also process local files such as server logs, snort logs, mail logs, etc.

    What is a filter (regular expression) used for?
    The syslog module uses regular expression filters because of their dynamic and powerful capabilities to parse just about any type of data for specific or dynamic content. The console is capable of using filters to populate the fields of the console storage system for searching, browsing and reporting.

    How does the console receive syslog data?
    The Syslog Module processes syslog data via the Perl script idsSyslog.pl, which resides in your console installation's /apps/ directory. When executed, this script listens by default on UDP port 514 for incoming syslog data. The Module also processes source files, which can be configured from within your Syslog Module Manager.

    How do I execute the idsSyslog.pl script correctly?
    From within your console's /apps/ directory, issue the following command to launch the idsSyslog.pl script in the background (ensure there is no other syslog server listening before launching; on some operating systems you may need to disable the built-in syslog server first):

    nohup perl ./idsSyslog.pl > /dev/null &

    How do I test if the syslog daemon script is receiving syslog data?
    To test whether the syslog processing script is receiving data correctly, stop any idsSyslog.pl scripts which may be running and execute the following command from your console's /apps/ directory:

    perl ./idsSyslog.pl

    This will execute the script in the foreground and display all incoming syslog data as it is received. If you are unable to see any incoming data, chances are a firewall is blocking the incoming data, another syslog server is already running, or your devices are not sending syslog data properly.
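The two FAQ items above on filters (regular expressions populating console fields) and on receiving and testing syslog data are illustrated by the following added example. It is not code from Aanval or from idsSyslog.pl; it is a small Python stand-in that does the same two jobs: listen for UDP syslog datagrams and apply a "pre filter" (the BSD syslog envelope) followed by per-sensor "post filters" (here two assumed sensors, sshd and snort) to normalize each line into named fields. The sample messages, the hypothetical hosts, addresses and Snort rule id are all constructed for the demo, and the demo binds an unprivileged port on 127.0.0.1 rather than UDP 514 so it cannot collide with a running idsSyslog.pl.

```python
"""Minimal UDP syslog receiver with regex normalization (added example, not Aanval code)."""
import re
import socket
from typing import Optional

# RFC 3164 names; PRI = facility * 8 + severity, so the highest valid PRI is 23*8+7 = 191.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Pre filter: split the BSD syslog envelope into PRI, timestamp, host, tag, pid and message.
ENVELOPE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Post filters, keyed by sensor tag: pull sensor-specific fields out of the message body.
# Both patterns are assumptions for this demo, not filters shipped with the console.
POST_FILTERS = {
    "sshd": re.compile(
        r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
    ),
    "snort": re.compile(  # Snort's alert_syslog line layout
        r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<signature>.+?) "
        r"\[Classification: (?P<classification>[^\]]+)\] \[Priority: (?P<priority>\d+)\] "
        r"\{(?P<proto>\w+)\} (?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))? -> "
        r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?"
    ),
}

# Constructed sample datagrams (hosts, addresses and the Snort SID are made up for the demo).
SAMPLE_MESSAGES = [
    "<38>Mar  7 10:15:01 gateway sshd[2212]: Failed password for invalid user admin "
    "from 192.0.2.10 port 51122 ssh2",
    "<33>Mar  7 10:15:02 sensor1 snort[4411]: [1:1000001:1] EXAMPLE local rule "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:51122 -> 198.51.100.5:22",
    "this line has no syslog header at all",
    "<999>Mar  7 10:15:03 badhost cron[7]: PRI is out of range",
]


def normalize(raw: str) -> Optional[dict]:
    """Return a dict of normalized fields, or None if the line does not parse cleanly."""
    m = ENVELOPE_RE.match(raw)
    if m is None:
        return None  # no usable envelope: better to drop than to guess field values
    pri = int(m.group("pri"))
    if pri > 191:
        return None  # facility would index past the table; treat as malformed
    event = m.groupdict()
    event["facility"] = FACILITIES[pri // 8]
    event["severity"] = SEVERITIES[pri % 8]
    post = POST_FILTERS.get(event["tag"])
    if post is not None:
        pm = post.match(event["msg"])
        if pm is not None:
            event.update(pm.groupdict())  # sensor-specific fields join the record
    return event


def receive(sock: socket.socket, count: int) -> list:
    """Read `count` datagrams from a bound UDP socket and normalize each one."""
    events = []
    for _ in range(count):
        data, (sender, _port) = sock.recvfrom(65535)
        event = normalize(data.decode("utf-8", errors="replace"))
        if event is not None:
            event["sender"] = sender  # the sending IP is evidence independent of the text
        events.append(event)
    return events


if __name__ == "__main__":
    # Loopback demo: an unprivileged port on 127.0.0.1 stands in for UDP 514.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(2)
    target = listener.getsockname()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        for msg in SAMPLE_MESSAGES:
            client.sendto(msg.encode(), target)
    for ev in receive(listener, len(SAMPLE_MESSAGES)):
        print(ev if ev is None else {k: v for k, v in ev.items() if v is not None})
    listener.close()
```

Running the module prints the two well-formed lines as field dictionaries (facility, severity, host, tag, pid, plus user/src_ip for sshd and sid/signature/dst_port for Snort) and `None` for the two malformed lines, which is the behaviour a pre/post filter pair should have: anything the regexes cannot account for stays out of the store rather than landing in the wrong column.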