How to send incident notifications from the Symantec Security Information Manager (SSIM) to another syslog server

Article:TECH152638  |  Created: 2011-02-03  |  Updated: 2013-02-08  |  Article URL http://www.symantec.com/docs/TECH152638
Article Type
Technical Solution

Issue



How to configure the Symantec Security Information Manager to send its notifications via syslog to another syslog server or SSIM Collector.


Solution



This is configured in the Rule, on the Actions tab, by setting the notification recipient to Syslog.

Then set up the syslog daemon on the SSIM to forward those messages to another syslog server.

Set the Rule to send notifications via syslog

  1. In the SSIM client, go to the Rules tile.
  2. Navigate to and select the rule, then on the right, click the Actions tab.
  3. At the bottom, in the Notification section, check the Enabled checkbox.
  4. Click the Recipients button and select Syslog.

Set up the Syslog Daemon to send the notification events to the syslog server

  1. Connect to the SSIM via an SSH client or through a Console interface.
  2. Change to the root account and obtain root's permissions with the command su -
  3. Run the command vi /etc/syslog.conf
  4. Press I to enter Insert mode.
  5. Add the following to the bottom of syslog.conf, making sure to enter the syslog server's IP address after the @ symbol.

    # Sending Incident Notification syslog events to another syslog server
    local0.* @<IPAddress of Syslog Server>

  6. Press Esc, then type :wq to save changes and exit vi.
  7. Restart the Syslog Daemon with the command service syslog restart

The notification will appear in /var/log/messages as shown below, and will be sent to the syslog server specified in the syslog.conf file.

    Feb  3 14:09:23 myssimsname Incident Service[4641]: Created incident RULE: "The rule name is shown here" REF: 0000002139
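
On the receiving syslog server, the `local0.*` selector delivers every local0 message from the SSIM, not only incident notifications, so it helps to pick the incident lines out and split them into fields. The following is an added example, not part of the original article or of SSIM: the pattern is derived only from the sample line above, and the function names and the extra sample lines are assumptions constructed for illustration.

```python
import re

# Pattern derived from the single sample line in this article; any other
# message layout is an assumption and will simply not match.
INCIDENT_RE = re.compile(
    r'^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s'
    r'(?P<host>\S+)\s'
    r'Incident Service\[(?P<pid>\d+)\]:\s'
    # Greedy match up to the last '" REF: ' so a quote inside the rule
    # name does not cut the name short.
    r'Created incident RULE: "(?P<rule>.*)" REF: (?P<ref>\d+)\s*$'
)


def parse_incident(line):
    """Return the fields of an SSIM incident notification line, else None."""
    m = INCIDENT_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"])
    # REF stays a string so its leading zeros are preserved.
    return fields


def incidents(lines):
    """Yield parsed incidents, skipping any other forwarded local0 traffic."""
    for line in lines:
        parsed = parse_incident(line.rstrip("\n"))
        if parsed is not None:
            yield parsed


# Constructed sample input: the first line is the article's example,
# the other two are made up to exercise the non-matching and quoted cases.
SAMPLE = [
    'Feb  3 14:09:23 myssimsname Incident Service[4641]: Created incident RULE: "The rule name is shown here" REF: 0000002139',
    'Feb  3 14:09:25 myssimsname someotherdaemon[812]: unrelated local0 message',
    'Feb 13 02:00:01 myssimsname Incident Service[4641]: Created incident RULE: "Rule with "quotes" inside" REF: 0000002140',
]

if __name__ == "__main__":
    for inc in incidents(SAMPLE):
        print(inc["ref"], inc["host"], inc["rule"])
```
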
 



