Configure Syslog Event Sources

This topic tells you how to configure Syslog event sources for the Log Collector.

Note: Prior to NetWitness 11.3, you did not configure Syslog Collection for Local Log Collectors: syslog collection was only configurable for Remote Collectors. You can configure Syslog for local Log Collectors that are on version 11.3 or later.

Configure a Syslog Event Source

For Remote or Virtual Log Collectors, syslog listeners for UDP on port 514, TCP on port 514 and SSL on port 6514 are created by default. You should not change the SSL settings on the TCP and SSL listeners. If you need SSL certificate verification, create a new event source type to listen on a different port.

Note: For local Log Collectors, you cannot create syslog listeners on ports 514 and 6514: these ports are used by the Log Decoder service.

To configure the Log Collector for Syslog collection:

  1. Go to netwitness_adminicon_25x22.png (Admin) > Services.
  2. In the Services grid, select a Log Collector, and from the Actions menu, choose netwitness_ic-actns.png > View > Config.
  3. Select the Event Sources tab.

  4. Select Syslog/Config from the drop-down menu.

    The Event Categories panel displays the Syslog event sources that are configured, if any.

    Note: For NetWitness, some Syslog event sources are available by default. In this case, you can proceed to step 6.

  5. In the Event Categories panel toolbar, click netwitness_ic-add.png.

    The Available Event Source Types dialog is displayed.

  6. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.

  7. Select the new type in the Event Categories panel and click netwitness_ic-add.png in the Sources panel toolbar.

    The Add Source dialog is displayed.

  8. Enter the port number, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.

    Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Log Decoder or Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in NetWitness.

Character Encodings

For each protocol (TCP, UDP), you need to instantiate a separate syslog listener for each character encoding.

For example, assume that you have legacy event sources sending syslog in UDP and TCP with EUC-KR and EUC-JP encodings. You would need to configure four listeners for the Log Collector, and configure the syslog event sources to send to separate ports as follows:

  • UDP <port1> for EUC-KR
  • UDP <port2> for EUC-JP
  • TCP <port3> for EUC-KR
  • TCP <port4> for EUC-JP

Alternatively, you could use separate Remote/Virtual Log Collectors, each using the default port 514.

Syslog Parameters

The following tables describe the available basic and advanced parameters for Syslog configuration.

Note: Required parameters are marked with an asterisk. All other parameters are optional.

Basic Parameters

Name Description

Port*

Enter the port number that you configured for your event sources.

Enabled

Select the check box to enable the event source configuration to start collection. The check box is selected by default.
SSL Receiver

Note: This parameter applies to NetWitness version 11.1 and newer. It is available only for the syslog-tcp Event Category.

If you select the check box, the event source accepts SSL/TLS connections only. Also, if you change this setting, you must stop and restart Syslog collection for the change to become effective.

Encoding

Character encoding used by the syslog senders to this port. Defaults to UTF-8.

Note: It is safe to leave this as UTF-8, since UTF-8 handles ASCII characters as well, and most senders have their encoding set to UTF-8.

NetWitness has tested the following values:

  • EUC-KR
  • SJIS
  • GB3212/GBK
  • ISO_8859-1 (German)
  • ISO_8859-7 (Greek)

Advanced Parameters

Name Description

Inflight Publish Log Threshold

Establishes a threshold that, when reached, NetWitness generates a log message to help you resolve event flow issues. The Threshold is the size of the syslog event messages currently flowing from the event source to NetWitness.

Valid values are:

  • 0 (default) - disables the log message
  • 100-100000000 - generates log message when the syslog event messages currently flowing from the event source to NetWitness are within the 100 to 100000000 byte range.

Maximum Receivers

Maximum number of receiver resources used to process collected syslog events. The default value is 2.

Event Filter

Select a filter.

Refer to Configure Event Filters for a Collector for instructions on how to define filters.

Debug

Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector.

Enables or disables debug logging for the event source.

Valid values are:

  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode ‐ adds thread information and source context information to the messages.

This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact.
If you change this value, the change takes effect immediately (no restart required).

SSL Verify Mode

Note: This parameter applies to NetWitness version 11.1 and newer. It is available only for the syslog-tcp Event Category.

This setting is relevant only if the SSL Receiver setting is selected. If you change the SSL Verify Mode, you must stop and restart Syslog collection for the change to become effective.

Available options:

  • verify-none: (default) The server does not verify the client's certificate, if any. A client can connect without presenting a certificate.

  • verify-peer: The server verifies the client's certificate, if any. A client can connect without presenting a certificate.

    Note: If verification fails, a warning is logged but the messages will still be accepted.

  • verify-peer-fail-if-no-cert: The client must present a certificate and the server will verify it.

    Note: If you use this mode, the client's CA certificate must be uploaded to the Log Collector's truststore using the REST API at http://LC-ip-address:50101/sys/caupload

Certificate Directory Path

You can configure custom certificates for the syslog listener on Log Collectors. For details, see (Optional) Configure Custom Certificates on Log Collectors.