How Can I Consolidate A Unix SYSLOG?

Argent for Compliance has a built-in SYSLOG Server

It listens on UDP port 514 by default

The port can be changed to any valid UDP port by editing the following registry value for Argent for Compliance:

HKLM\Software\Argent\ARGENT_FOR_COMPLIANCE\SYSLOG_SERVER_PORT

Or

On 64-bit servers the same setting lives under the Wow6432Node key:

HKLM\Software\Wow6432Node\Argent\ARGENT_FOR_COMPLIANCE\SYSLOG_SERVER_PORT

When Argent receives a UDP datagram, it first checks whether the source IP matches a monitored server or device assigned to it

If it does, Argent goes on to process the message against the priority, facility and message text defined in the SYSLOG Rule

If it does not, Argent discards the message without further processing

Note that this check relies on the source IP of the UDP datagram, which is not authenticated; it keeps stray traffic out of the consolidation but does not stop a host on the same network from spoofing a monitored device's address
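The following is an added example, not Argent's own code, showing the two-stage check described above on constructed sample datagrams: the source IP is compared against the set of monitored devices first, and only then is the BSD-syslog PRI header decoded into facility and severity and the message matched against a rule. The `SyslogRule` class, the field names and the `process_datagram` status strings are hypothetical stand-ins for the SYSLOG Rule fields the page names; the PRI encoding (facility * 8 + severity) is the standard RFC 3164 one.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Standard BSD-syslog (RFC 3164) facility and severity codes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI = facility * 8 + severity, sent as "<PRI>" at the start of the datagram.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    text: str


def parse_syslog(datagram: bytes) -> Optional[SyslogMessage]:
    """Decode the PRI header; return None for a malformed or out-of-range PRI."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # 24 facilities * 8 severities - 1
        return None
    return SyslogMessage(FACILITIES[pri >> 3], SEVERITIES[pri & 7],
                         m.group(2).decode("utf-8", "replace").strip())


@dataclass
class SyslogRule:
    """Hypothetical stand-in for the fields of a SYSLOG Rule (not Argent's schema)."""
    facility: Optional[str] = None        # None = any facility
    max_severity: str = "debug"           # match this severity or anything more urgent
    text_pattern: Optional[str] = None    # regex over the message text, case-insensitive

    def matches(self, msg: SyslogMessage) -> bool:
        if self.facility is not None and msg.facility != self.facility:
            return False
        if SEVERITIES.index(msg.severity) > SEVERITIES.index(self.max_severity):
            return False
        if self.text_pattern and not re.search(self.text_pattern, msg.text, re.I):
            return False
        return True


def process_datagram(src_ip: str, datagram: bytes, monitored: set, rule: SyslogRule) -> str:
    """Apply the checks in the order the page describes: source IP first, then PRI and text."""
    if src_ip not in monitored:
        return "discarded"                # unknown/unlicensed source: nothing else is looked at
    msg = parse_syslog(datagram)
    if msg is None:
        return "unparseable"
    return "alert" if rule.matches(msg) else "no-match"


def serve(port: int, monitored: set, rule: SyslogRule) -> None:
    """Minimal UDP listener (not the product's server) to try the filter live; port 514 needs privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        print(src_ip, process_datagram(src_ip, data, monitored, rule), data[:80])


# Constructed sample data mirroring the page's scenario (SnapGear gateway at 192.168.0.1).
MONITORED_DEVICES = {"192.168.0.1"}
RULE = SyslogRule(facility="auth", max_severity="info", text_pattern=r"Failed password")
SAMPLE_FAILED_LOGIN = b"<38>Oct 11 22:14:15 snapgear sshd[123]: Failed password for root from 10.0.0.5"
SAMPLE_CRON = b"<78>Oct 11 22:15:01 snapgear cron[456]: (root) CMD (/bin/true)"

if __name__ == "__main__":
    serve(514, MONITORED_DEVICES, RULE)
```

The same auth.info datagram yields "alert" when it arrives from 192.168.0.1 and "discarded" when it arrives from any other address, regardless of its content; the cron.info line from the gateway parses fine but returns "no-match" because the rule is restricted to the auth facility.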

Here is a real-life example

Argent for Compliance is installed on a W200x machine (202.123.200.251) and the network device is a SnapGear gateway (192.168.0.1)

  1. Configure SYSLOG on the SnapGear gateway to send its log messages to the Transfer Engine (202.123.200.251, UDP port 514 unless the registry value above was changed)
  2. Ensure the network device is licensed in the Argent for Compliance License Manager
     The monitored server/device must be licensed, otherwise its SYSLOG messages are discarded
  3. Define the SYSLOG Rule (the priority, facility and message text to match)
  4. Define the SYSLOG Relator
     The SYSLOG Relator associates the SYSLOG Rule, your servers and devices, and the Argent Alerts to fire

    Note: The Relator needs to be placed into production mode for SYSLOG messages to be monitored and/or consolidated in real time

    Note: The Relator is event driven and reads entries as they arrive

    This can be verified under “Scheduled Monitoring Task”, where the “Next Run Time” column shows “{Event Driven}”
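To confirm the whole chain (device, licence, Rule, Relator in production mode) end to end, it helps to send a known test message and watch for the Alert. The script below is an added example, not part of Argent or of the SnapGear firmware: it builds a BSD-syslog (RFC 3164) datagram with a chosen facility and severity and sends it over UDP to the Transfer Engine. The hostname, tag and message text are made up, and the server address and port are the ones from the scenario above; change them to match your registry setting.

```python
import socket
from datetime import datetime
from typing import Optional

# RFC 3164 numeric codes used below: facility auth = 4, severity info = 6.
EXAMPLE_TIME = datetime(2020, 10, 11, 22, 14, 15)   # fixed timestamp for reproducible output


def build_syslog_message(facility: int, severity: int, hostname: str, tag: str,
                         text: str, now: Optional[datetime] = None) -> bytes:
    """Encode "<PRI>Mmm dd HH:MM:SS host tag: text" with PRI = facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    dt = now or datetime.now()
    timestamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"   # RFC 3164 pads the day with a space
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode("utf-8")


def send_test_message(server_ip: str, port: int, payload: bytes) -> int:
    """Fire one UDP datagram at the SYSLOG server; returns the number of bytes sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(payload, (server_ip, port))
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed test message: auth.info, the kind of line a failed-login rule would match.
    msg = build_syslog_message(4, 6, "snapgear", "sshd[123]",
                               "Failed password for root from 10.0.0.5")
    print(send_test_message("202.123.200.251", 514, msg), "bytes sent")
```

Run it on the monitored device itself (or on a host whose IP is licensed and assigned to the Relator): a datagram sent from an unlicensed workstation is discarded at the source-IP check before the Rule is ever consulted, so a missing Alert in that case says nothing about the Rule or Relator. UDP gives no delivery confirmation, so the only positive signal is the Alert firing.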