Configure a Destination to Receive Global Audit Logs

In Global Audit Logging, Syslog Notification Servers are the configurations that define the destinations to receive global audit logs. You need to configure a Syslog Notification Server to use Global Audit Logging. You can define a third-party syslog server or a Log Decoder as the destination to receive the audit logs.

Configure a Syslog Notification Server for a Third-Party Syslog Server

  1. Go to netwitness_adminicon_25x22.png (Admin) > System.
  2. In the options panel, select Global Notifications.
  3. Click the Servers tab.

    Note: You do not need to configure the Output tab for Global Audit Logging.

  4. From the netwitness_ic-adddrop.png drop-down menu, select Syslog.

    The Define Syslog Notification Server dialog is displayed.

    netwitness_sysns_tp_519x436.png

  5. Configure the Syslog notification server as described in the following table.

    Field Description
    Enable Select to enable the notification server.
    Name A name to identify or label the third-party syslog server.
    Description (Optional) A brief description of the notification server.
    Server IP or Hostname The third-party syslog server hostname or IP address.
    Server Port The port number where the target syslog process is listening.
    Protocol The protocol to be used for transferring formatted audit logs to the third-party syslog server.
    Facility The syslog facility to be used for writing formatted audit logs to the third-party syslog server.

    The Max Alerts Per Minute and Max Alert Wait Queue Size fields are not used for Global Audit Logging.

  6. Click Save.

Configure a Syslog Notification Server for a Log Decoder

  1. Go to netwitness_adminicon_25x22.png (Admin) > System.
  2. In the options panel, select Global Notifications.
  3. Click the Servers tab.

    Note: You do not need to configure the Output tab for Global Audit Logging.

  4. From the netwitness_ic-adddrop.png drop-down menu, select Syslog.

    The Define Syslog Notification Server dialog is displayed.

    netwitness_sysns_ld_536x450.png

  5. Configure the Syslog notification server as described in the following table.

    Field Description
    Enable Select to enable the notification server.
    Name A name to identify or label the Log Decoder syslog notification server.
    Description (Optional) A brief description of the notification server.
    Server IP or Hostname The Log Decoder hostname or IP address.
    Server Port The port number where the target syslog process is listening.
    Protocol The protocol to be used for transferring formatted audit logs to the Log Decoder.
    Facility The Syslog facility to be used for writing formatted audit logs to the Log Decoder.

    The Max Alerts Per Minute and Max Alert Wait Queue Size fields are not used for Global Audit Logging.

  6. Click Save.

Next Steps

Select a default Audit Logging template to use for Global Audit Logging. If necessary, you can define your own custom template. Define a Template for Global Audit Logging provides additional information.