Previous Topic: Agent Planning

Next Topic: Agents and the Agent Certificate

About Syslog Event Collection

CA Enterprise Log Manager can receive events directly from syslog sources. Syslog collection differs from the other collection methods because several different log sources can send events to CA Enterprise Log Manager simultaneously. Consider a network router and a VPN concentrator as two possible event sources. Both can send events to CA Enterprise Log Manager directly using syslog, but the log formats and structures are different. A syslog agent can receive both kinds of events at the same time using the supplied syslog listener.

Generally speaking, event collection falls into two categories:

More than one syslog event source can transmit events through a single connector, since the listener receives all of the traffic on a specified port. CA Enterprise Log Manager can listen for syslog events on any port. (If you are running an agent as a non-root user there may be restrictions on the use of ports lower than port 1024.) The standard ports may be receiving an event stream composed of many different types of syslog events. These might include UNIX, Linux, Snort, Solaris, CiscoPIX, Check Point Firewall 1, and others. CA Enterprise Log Manager handles syslog events using listeners which are a specialized type of integration component. You build syslog connectors based on listeners and integrations:

Because a single syslog connector may receive events from many event sources, you should consider whether to route syslog events based on their type or source. The size and complexity of your environment determine how you balance your syslog event reception:

Many syslog types : 1 Connector

If a single connector has to process events from different syslog sources, and event volume is high, the connector has to parse through all of the applied integrations (XMP files) until it finds a match for an event. This can cause slower performance because there is much more processing to do. However, if event volume is not too high, a single connector on the default agent may be enough to collect all of the required events for storage.

1 syslog type : 1 Connector

If you configure a series of single connectors to process events from a single syslog type, you can lighten the processing load by spreading it across several connectors. However, having too many connectors running on a single agent can also degrade performance, as each is a separate instance requiring individual processing.

Some syslog types : 1 Connector

If your environment has a heavier event volume for certain types of syslog events, you may want to configure a connector to collect only that type. You could then configure one or more other connectors to collect more than one syslog event types that have a lighter event volume in your environment. In this way, you can balance the syslog event collection load across a smaller number of connectors ensuring better performance.

You should not necessarily need to create your own syslog listeners, though you can do so if necessary. You could create separate syslog listeners with different default values for ports, trusted hosts, and so forth. This can help to simplify the creation of connectors if you have many connectors to create for each type of syslog event, for example.

More information:

Default User Accounts

Redirect Firewall Ports for syslog Events