Configuring an External Syslog Server

Ivanti Policy Secure(IPS) allows you to send the log data to an external syslog server. You should use syslog if your enterprise has any long-term record-keeping or accounting requirements.

To configure reporting to a syslog server:

  1. Select System > Log/Monitoring.
  2. Click the Settings tab.
  3. Specify the maximum log size and select the events to be logged.
  4. Specify the server configuration as described below and click Add. You can specify multiple syslog servers.
  5. Save the configuration.

To enable syslog reporting for each local log category, you must perform this procedure on each local log tab: Events, User Access, Admin Access, and Sensors.

Settings

Guidelines

Server name/IP

Specify the fully qualified domain name or IPv4/IPv6 address for the syslog server.

NOTE: If you select TLS from the Type list, the server name must match the CN in the subjectDN in the certificate obtained from the server.

Facility

Select a syslog server facility level (LOCAL0-LOCAL7).

Your syslog server must accept messages with the following settings: facility = LOG_USER and level = LOG_INFO.

Type

Select the connection type to the syslog server. You can select:

  • UDP (User Datagram Protocol) - A simple non-secure transport model.
  • TCP (Transmission Control Protocol) - A core protocol of the Internet Protocol suite (IP), but lacks strong security.
  • TLS (Transport Layer Security) - Uses cryptographic protocols to provide a secure communication.

Client Certificate

(optional) If you select TLS from the Type menu and your remote syslog server requires client certificates, select the installed client certificate to use to authenticate to the syslog server. Client certificates are defined in the Configuration > Certificates > Client Auth Certificates page. Client certificates must be installed on the device before they can be used.

There is no fallback if a connection type fails.

Filter

Select a filter format. Any custom filter format and the following predefined filter formats are available:

  • Standard (default)—This log filter format logs the date, time, node, source IP address, user, realm, event ID, and message.
  • ·WELF—This customized WebTrends Enhanced Log Format (WELF) filter combines the standard WELF format with information about the system realms, roles, and messages.
  • WELF-SRC-2.0-Access Report—This filter adds access queries to the customized WELF filter. You can use this filter with NetIQ’s SRC to generate reports on user access methods.