

Edit the Syslog Connector

Each CA User Activity Reporting Module has a default agent. When a CA User Activity Reporting Module is installed, its default agent has a partially configured connector called Syslog_Connector, which is based on the listener, Syslog. This listener receives raw syslog events on the default ports as soon as you configure the event sources to send syslogs to CA User Activity Reporting Module. However, for CA User Activity Reporting Module to refine these raw events, you must edit this Syslog_Connector. Certain edits are mandatory; others are optional.

To edit the syslog connector for a default agent

  1. Click the Administration tab.

    The Log Collection subtab is displayed.

  2. Expand Agent Explorer and then expand the Default Agent Group or the user-defined group with the CA User Activity Reporting Module to be configured.
  3. Select the name of a CA User Activity Reporting Module server.

    The connector named Syslog_Connector is displayed.

    Connector Display screen, showing Syslog_Connector.

  4. Click Edit.

    The Edit Connector wizard appears with the Connector Details step selected.

  5. (Optional) Click Apply Suppression Rules. If there is any syslog event type that you want suppressed, that is, not collected, move that event type from the available list to the selected list. Select the event to move and click the move button.
  6. Click the Connector Configuration step.

    All available integrations are selected by default.

  7. Select syslog targets by moving the syslog integrations to target from the available list to the selected list.

    For example, if you have configured the AIX operating system on a host in your network, you would move the syslog target, AIX_Syslog, from the available list to the selected list.

    Move targets from the available list to the selected list.

  8. (Optional) Identify the trusted hosts from which the syslog connector is to accept incoming events. Enter the IP address in the entry field and click Add. Repeat for each trusted host. Then, when an event is received from a host not configured as trusted, that event is rejected.

    Note: It is a good practice to configure trusted hosts. Typically, you configure all the hosts on which you have configured event sources to send syslogs to CA User Activity Reporting Module. Specifying trusted hosts ensures the default agent does not accept events from rogue systems that an attacker has configured to send events to the syslog listener.

  9. (Optional) Add ports.

    You can typically accept the default UDP and TCP ports for the default agent.

    Note: You can gain performance improvements by defining a syslog connector for different event types and specifying different ports for each. Be sure to select unused ports when making new port assignments.

  10. (Optional) Add a time zone only if collecting syslogs from machines in a different time zone from the soft appliance.
    1. Click Create Folder and expand the folder.
    2. Highlight the blank entry under the folder. Enter the IP address of either a trusted host you configured for this connector or the NTP time server you specified at installation of the CA User Activity Reporting Module.

    Enter the timezone of the local server or a time server.

  11. Click Save and Close.
  12. View the status.
    1. Click Status and Command.

    Click the status and command button on the toolbar.

    View Status of Agents is selected. The host name of the server you installed appears in the Agent column, since the default agent is on this server. The status is shown as running.

    2. Click the Running link to view details.
    3. Click the Connectors button to view the status of connectors.

      The status of the syslog connector on the default agents is shown as running.

    4. Click the Running link.

      The percentage CPU, memory usage, average events per second (EPS), and filtered event count appear.
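
A pre-check for the trusted hosts list in step 8, added here as an example and not part of the CA product or its documentation: it models the accept/reject rule on a set of sender addresses so that a legitimate event source that would be rejected, or a mistyped entry, is caught before the connector is saved. The function names, the constructed sample addresses, and the treatment of an IPv4-mapped IPv6 sender as its IPv4 address are assumptions.

```python
import ipaddress
from collections import Counter


def canonical(addr):
    """Parse an IP string and return its canonical text form.

    Raises ValueError if the string is not a valid IP address.
    """
    ip = ipaddress.ip_address(addr.strip())
    # Assumption: an IPv4-mapped IPv6 sender is the same host as its IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


def audit_trusted_hosts(trusted_entries, sender_ips):
    """Model the step 8 rule: an event from a sender not in the trusted list is rejected."""
    trusted, invalid = set(), []
    for entry in trusted_entries:
        try:
            trusted.add(canonical(entry))
        except ValueError:
            invalid.append(entry)  # mistyped entry: no sender could ever match it
    seen = Counter(canonical(ip) for ip in sender_ips)
    return {
        "invalid_entries": invalid,
        # sender -> number of events that would be dropped
        "rejected": {ip: n for ip, n in seen.items() if ip not in trusted},
        # trusted hosts that sent nothing: stale entry or misconfigured event source
        "trusted_but_silent": sorted(trusted - set(seen)),
    }


# Constructed sample data (documentation address ranges, not real hosts).
PLANNED_TRUSTED = ["192.0.2.10", "192.0.2.11 ", "192.0.2.300", "198.51.100.7"]
OBSERVED_SENDERS = [
    "192.0.2.10", "192.0.2.10", "::ffff:192.0.2.11",
    "192.0.2.12", "203.0.113.50", "192.0.2.12",
]

if __name__ == "__main__":
    for key, value in audit_trusted_hosts(PLANNED_TRUSTED, OBSERVED_SENDERS).items():
        print(f"{key}: {value}")
```

A sender listed under `rejected` that belongs to your event source inventory should be added in step 8; one that does not belong is a candidate for investigation.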

More information:

Configuring the Default Agent