
Reading syslog file on windows

Hi,

I need to install several syslog SmartConnectors. Because I cannot run all of them on 514 UDP, I have syslog-ng running and writing the events to several files.
Is there any way on Windows to make syslog file running?

Or similar ways to do it?

I have tested making syslog-ng redirect the traffic to several other ports where the SmartConnectors listen, but on Windows I cannot configure it to work with the spoof-source option.

Best Regards


Re: Reading syslog file on windows

You can.

But it is unsupported.

The installer by-default does not display this option, because the syslog file reader is officially only supported on unix like platforms.

This does not mean it won't work. It is just so rarely used, that we don't QA it, hence we can't support it.

There is an option to configure it anyway.

But before you move that path, let's explore other options.

What is the reason to run multiple syslog connectors on a single platform? Can't this be solved with a single connector?

thanks, Till


Re: Reading syslog file on windows

Hi,

We have a SmartConnector for every type of device (one for operating systems, another for Peakflow, another for FWSM, and so on).

This is only because of the architecture that was decided on. But as you see, all of these examples work on syslog. If we can receive all the events in a syslog-ng and then, depending on the source, write to a file for each device type, then we can install several syslog file SmartConnectors, each one reading its own file.

Regards


Re: Reading syslog file on windows

Carlos,

I still see no reason why you would need to do that.

It does only increase the maintenance effort.

Is there any specific reason for that architecture?

thanks, Till


Re: Reading syslog file on windows

Hi,

The reason is operational.

With this architecture the security group has developed rules, reports, etc., so we need to maintain this architecture.

That's why we need to install a syslog-ng receiving events from several devices and then, depending on the source, write these events to several files. Then we will have several SmartConnectors reading from each type of file and sending events to the Manager (ESM).

Regards

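The per-source fan-out described in this thread (one syslog-ng receiver, one file per device type, one file-reader SmartConnector per file) as an added syslog-ng configuration example; it is not from the thread or from ArcSight documentation, and the version line, network ranges, hostname prefixes and file paths are constructed placeholders.

```conf
# Added example, not from the thread. Route syslog by source into one file
# per device type so that each file-reader SmartConnector gets only its own
# device family. Version, networks, hostnames and paths are placeholders.
@version: 3.22

options {
    create_dirs(yes);      # create the per-type log directories if missing
    keep_hostname(yes);    # keep the sender's hostname so device address stays correct
};

# Single UDP/514 listener; the connectors no longer compete for this port.
source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Classify by source. Order matters: first matching log path wins (flags(final)).
filter f_os       { netmask("10.1.0.0/255.255.0.0"); };   # placeholder OS subnet
filter f_fwsm     { host("^fwsm-"); };                    # placeholder FWSM hostname prefix
filter f_peakflow { host("^peakflow"); };                 # placeholder Peakflow hostname

# One file per device type; restrict permissions so only the connector account reads them.
destination d_os       { file("/var/log/arcsight/os/os.log"             perm(0640)); };
destination d_fwsm     { file("/var/log/arcsight/fwsm/fwsm.log"         perm(0640)); };
destination d_peakflow { file("/var/log/arcsight/peakflow/peakflow.log" perm(0640)); };
destination d_other    { file("/var/log/arcsight/other/unmatched.log"   perm(0640)); };

log { source(s_net); filter(f_os);       destination(d_os);       flags(final); };
log { source(s_net); filter(f_fwsm);     destination(d_fwsm);     flags(final); };
log { source(s_net); filter(f_peakflow); destination(d_peakflow); flags(final); };
# Catch-all so that an unclassified device is noticed rather than silently dropped.
log { source(s_net); destination(d_other); };
```

Check the unmatched file regularly: anything landing there is a device the filters do not yet know about and that no connector is forwarding to ESM.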

Re: Reading syslog file on windows

Rules in ESM?

Based on the connector source?

Hmm, very unusual approach.

You would normally use the device name or IP if you really want to tie the Rule to a certain device. And even if you process everything in a single connector, the device address will be correct.

Honestly - if this is just a bunch of Rules, I would rather change the rules than maintain that architecture. It will be a lot easier.

-Till


Re: Reading syslog file on windows install at the source

For me the only real answer is to install SmartConnectors at the source location (on your syslog forwarding devices) and leave Windows out of it.

If your security team is willing to foot the bill for the extra licenses associated with splitting a single connector, then it makes more sense to place the connector at the system level, not at a connector appliance level. This also gives you the ability to assure that the event reaches the Manager.

The other question becomes: if they wrote the rules and reports to work this way, where are the SmartConnectors installed now?
