Edit the Syslog Connector
Each CA Enterprise Log Manager has a default agent. When a CA Enterprise Log Manager is installed, its default agent has a partially configured connector called Syslog_Connector, which is based on the listener, Syslog. This listener receives raw syslog events on the default ports as soon as you configure the event sources to send syslogs to CA Enterprise Log Manager. However, for CA Enterprise Log Manager to refine these raw events, you must edit this Syslog_Connector. Certain edits are mandatory; others are optional.
- You must identify the syslog targets when you edit this connector. You select as syslog targets each integration that corresponds to one or more event sources you have configured or plan to configure. Your identification of syslog targets enables CA Enterprise Log Manager to properly refine the events.
- Optionally, you can apply suppression rules, limit the acceptance of syslogs to trusted hosts, specify ports to listen on other than 514 (the well-known syslog UDP port) and 1468 (the default TCP port), and add a new time zone for a trusted host.
To edit the syslog connector for a default agent
- Click the Administration tab.
The Log Collection subtab is displayed.
- Expand Agent Explorer and then expand the Default Agent Group or the user-defined group with the CA Enterprise Log Manager to be configured.
- Select the name of a CA Enterprise Log Manager server.
The connector named Syslog_Connector is displayed.
- Click Edit.
The Edit Connector wizard appears with the Connector Details step selected.
- (Optional) Click Apply Suppression Rules. If there is any syslog event type that you want suppressed, that is, not collected, move that event type from the available list to the selected list. Select the event to move and click the move button.
- Click the Connector Configuration step.
All available integrations are selected by default.
- Select syslog targets by moving the syslog integrations to target from the available list to the selected list.
For example, if you have configured the AIX operating system on a host in your network, you would move the syslog target, AIX_Syslog, from the available list to the selected list.
- (Optional) Identify the trusted hosts from which the syslog connector is to accept incoming events. Enter the IP address in the entry field and click Add. Repeat for each trusted host. Then, when an event is received from a host not configured as trusted, that event is rejected.
Note: It is a good practice to configure trusted hosts. Typically, you configure all the hosts on which you have configured event sources to send syslogs to CA Enterprise Log Manager. Specifying trusted hosts ensures the default agent does not accept events from rogue systems that an attacker has configured to send events to the syslog listener.
- (Optional) Add ports.
You can typically accept the default UDP and TCP ports for the default agent.
Note: You can gain performance improvements by defining a syslog connector for different event types and specifying different ports for each. Be sure to select unused ports when making new port assignments.
- (Optional) Add a time zone only if collecting syslogs from machines in a different time zone from the soft appliance.
- Click Create Folder and expand the folder.
- Highlight the blank entry under the folder. Enter the IP address of either a trusted host you configured for this connector or the NTP time server you specified at installation of the CA Enterprise Log Manager.
- Click Save and Close.
- View the status.
- Click Status and Command.
View Status of Agents is selected. The host name of the server you installed appears in the Agent column, since the default agent is on this server. The status is shown as running.
- Click the Running link to view details.
- Click the Connectors button to view the status of connectors.
- Click the Running link.
The percentage CPU, memory usage, average events per second (EPS), and filtered event count appear.
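The trusted-hosts step above rejects every event from an address that is not on the list, so a mismatch between that list and the real event sources silently loses logs. The following check is an added example, not part of the product or this guide: it compares the trusted-host entries against an inventory of event sources and the addresses actually seen sending syslog. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress

def parse_hosts(entries):
    """Return (set of parsed IP addresses, list of entries that are not valid IPs)."""
    good, bad = set(), []
    for raw in entries:
        try:
            good.add(ipaddress.ip_address(raw.strip()))
        except ValueError:
            bad.append(raw)
    return good, bad

def as_list(addresses):
    # Sort as strings so IPv4 and IPv6 addresses can be mixed.
    return sorted(str(a) for a in addresses)

def audit_trusted_hosts(trusted_entries, event_sources, observed_senders):
    """Compare the connector's trusted-host list with inventory and traffic."""
    trusted, invalid = parse_hosts(trusted_entries)
    sources, _ = parse_hosts(event_sources)
    senders, _ = parse_hosts(observed_senders)
    return {
        # Typos that would never match a real sender.
        "invalid_trusted": invalid,
        # Configured event sources whose events the connector would reject.
        "sources_not_trusted": as_list(sources - trusted),
        # Trusted entries with no known event source behind them (stale).
        "trusted_not_sources": as_list(trusted - sources),
        # Senders that are neither trusted nor known: candidates for review.
        "unexpected_senders": as_list(senders - trusted - sources),
        # Event sources that have not sent anything in the observed window.
        "silent_sources": as_list(sources - senders),
    }

# Constructed sample data (documentation address ranges).
TRUSTED = ["192.0.2.10", "192.0.2.11 ", "192.0.2.300", "192.0.2.40"]
EVENT_SOURCES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
OBSERVED = ["192.0.2.10", "192.0.2.12", "198.51.100.7"]

if __name__ == "__main__":
    report = audit_trusted_hosts(TRUSTED, EVENT_SOURCES, OBSERVED)
    for finding, hosts in report.items():
        print(f"{finding}: {', '.join(hosts) or '-'}")
```

The observed-sender list can come from any record of traffic to the listener ports, such as firewall logs for UDP 514 and TCP 1468.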
More information:
Configuring the Default Agent