How does the Syslog Director 4.3 work?
Article: TECH90211 | Created: 2008-01-10 | Updated: 2011-10-26 | Article URL: http://www.symantec.com/docs/TECH90211
This article outlines the functionality of Syslog Director 4.3.
Syslog Director version 4.3 ONLY
This document applies to Syslog Director version 4.3 only. If you are running SSIM 4.6 you already have Syslog Director 4.3. If you are running SSIM 4.5x you need to determine the version of Syslog Director that you are using.
- Log in to the SSIM Console
- Click System
- Click Product Configurations - drill down until you see the Agents and Collectors listed. You should see the Syslog Director listed, followed by its version number.
If you need to update your Syslog Director please follow the instructions in this document.
What does the Syslog Director do?
The Syslog Director receives traffic from multiple external log sources, parses the traffic and forwards it to an on-box syslog collector. Here is an example of a typical Syslog Director configuration:
Setting up and testing the Syslog Director v4.3
If you have not already done so, you must create a new configuration for the Syslog Director.
- Right Click the Syslog Director 4.3 in the Product Configuration tab of the SSIM console
- Click New - the Create a new Configuration Wizard will appear
- Click Next - Give the configuration a Name, then click Next
- Click Add - the Find Computers window will appear
- Select the SSIM appliance then click Add, to ensure the configuration is distributed to the appliance
- Click Next, then Finish
If you already have a new Configuration, verify that the Appliance has been added to the Configuration.
After you have created a new Configuration for the Syslog Director, you must add the appliance to that configuration. This is normally done when you create the new configuration. To verify that your Configuration is applied correctly, follow these steps:
- Right Click the new Configuration
- Click Properties - the Configuration Properties window will appear
- Click the Computers tab
- If the appliance is not already listed Click Add - the Find Computers window will appear
- Click the Appliance then click Add and OK.
Always Distribute New or Changed configurations
After creating or changing/saving a Sensor configuration, you must Distribute that configuration for those changes to take effect.
- Right Click the Sensor Configuration
- Click Distribute
- Click Yes to confirm
Syslog Director Port and Redirection:
The traffic intended for the Syslog Director is normally sent to the appliance on port 514. If Syslog Director is active on the appliance, all traffic to port 514 on the specified protocol will be intercepted by Syslog Director and redirected to the internal Syslog Director port. The Syslog Director could theoretically receive traffic directly on its internal port, but this is not the supported configuration. No other collectors on the appliance can expect to receive traffic on the same port/protocol as the Syslog Director. The default port for the internal Syslog Director redirect is 10514. This is specified in the Syslog Director configuration settings.
You may deploy multiple collector sensors on the same port, as long as they restrict the hosts that the collectors are listening for.
After being received by the Syslog Director each event is analyzed using the Collector Signatures defined in the Syslog Director Advanced Options. If the data in the event matches a Signature for a specified collector, the event is determined to be intended for that collector and will be forwarded to the appropriate port. If an event matches multiple signatures, it will normally be applied to the first collector that matches, starting at the top of the list and working down.
In this example the Syslog Director will determine that an event belongs to the "UNIX OS Event Collector" if the event contains "sshd" or "su" or "LOGIN" and so on. If it matches, the event will be forwarded to port 10525.
Depending on how the collector is installed to the appliance it may be necessary to add a signature manually for a new collector. To add a signature:
- Click Add
- Choose the collector from the list
- Enter the signature - See the product documentation for information about signatures
- Position the new signature somewhere in the list of signatures above the Generic Syslog Event collector signature.
Note that the Signature for the Generic Collector is typically empty and should appear at the bottom of the list. Any event that makes it through the entire list of signatures without finding a match should therefore land in the Generic Syslog Collector.
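The first-match behaviour described above, as an added example that is not part of the original article or the product's code. It models a signature as a list of substrings (an assumption; see the product documentation for real signature syntax), and the "Example Firewall Collector", its tokens, its port 10530 and the sample events are constructed for illustration.

```python
# Simplified model: a signature is a list of substrings, any of which matches.
# Real signature syntax is described in the product documentation.
GENERIC = "Generic Syslog Event Collector"

# Ordered top to bottom. "Example Firewall Collector", its tokens and its
# port are hypothetical; 10525 and 10518 are the ports used in the article.
SIGNATURES = [
    ("UNIX OS Event Collector", ["sshd", "su", "LOGIN"]),
    ("Example Firewall Collector", ["fw-deny", "fw-allow"]),
    (GENERIC, []),  # empty signature at the bottom: catch-all
]
REDIRECT = {
    "UNIX OS Event Collector": 10525,
    "Example Firewall Collector": 10530,
    GENERIC: 10518,
}

# Constructed sample events.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 host1 sshd[411]: Accepted password for alice",
    "Jan 10 12:00:02 gw1 fw-deny: src=10.0.0.5 dst=10.0.0.9",
    "Jan 10 12:00:03 gw1 fw-deny: blocked sshd probe from 10.0.0.7",
    "Jan 10 12:00:04 app1 myapp: started",
]


def route(event, signatures=SIGNATURES, redirect=REDIRECT):
    """Return (collector, port) for the first signature the event matches."""
    for collector, tokens in signatures:
        # An empty signature matches every event, so it must come last.
        if not tokens or any(tok in event for tok in tokens):
            return collector, redirect[collector]
    return None, None  # no catch-all configured


def shadowed(signatures=SIGNATURES):
    """Collectors listed below an empty signature can never receive events."""
    for i, (_, tokens) in enumerate(signatures):
        if not tokens:
            return [name for name, _ in signatures[i + 1:]]
    return []


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(route(ev), "<-", ev)
```

The third sample event carries both a firewall token and "sshd", so it goes to the UNIX collector because that signature is higher in the list.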
You may also find you need to adjust an existing signature. To change an existing signature:
- Double Click the signature you want to edit
Note - if the signature field is suddenly blank after you double click on it, hit the Escape (esc) key, then try again.
- Change the signature to meet your needs.
- Click Save.
- In SSIM 4.5 you will need to Distribute the settings.
If an event matches one of the signatures, the Syslog Director will forward the event to the port specified by the Redirect list.
The Redirect List is the table of Redirection settings that appears on the Director Settings tab. In this example the Redirect list has 2 items, the Unix collector using port 10525, and the Generic Syslog Event Collector on port 10518. Be sure that the checkbox in the Redirect column is checked.
The collector configuration should match the port setting specified in the Syslog Director; each individual collector must be listening on the same port that the Syslog Director is redirecting the traffic to according to the Redirect list. In this example the Unix collector must be listening on 10525 as we see below.
If you have modified the port settings for any of your collectors, you must make a corresponding change to the Syslog Director Redirection and then Distribute the changes.
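One way to check the Redirect list against the collectors' listening ports, as an added example that is not part of the original article. The dictionary layout and the sample values (including the mismatched port 10526 and the unchecked Redirect box) are constructed and are not an SSIM export format.

```python
# Added example: check that each Redirect list entry matches its collector.
# The dictionaries are a constructed stand-in, not an SSIM export format.

RESERVED_PORTS = {514, 10514}  # external syslog port and default Director port

# Constructed sample: Redirect list as shown on the Director Settings tab.
REDIRECT_LIST = [
    {"collector": "UNIX OS Event Collector", "port": 10525, "redirect": True},
    {"collector": "Generic Syslog Event Collector", "port": 10518, "redirect": False},
]

# Constructed sample: port each collector's sensor configuration listens on.
COLLECTOR_PORTS = {
    "UNIX OS Event Collector": 10526,  # changed on the collector only
    "Generic Syslog Event Collector": 10518,
}


def check_redirects(redirect_list, collector_ports):
    """Return findings that would keep events from reaching a collector."""
    findings = []
    for entry in redirect_list:
        name, port = entry["collector"], entry["port"]
        if not entry["redirect"]:
            findings.append((name, "Redirect checkbox is not checked"))
        if port in RESERVED_PORTS:
            findings.append((name, f"port {port} belongs to the Syslog Director"))
        listening = collector_ports.get(name)
        if listening is None:
            findings.append((name, "no listening port known for this collector"))
        elif listening != port:
            findings.append(
                (name, f"Director redirects to {port}, collector listens on {listening}")
            )
    return findings


if __name__ == "__main__":
    for name, problem in check_redirects(REDIRECT_LIST, COLLECTOR_PORTS):
        print(f"{name}: {problem}")
```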
Which Collectors appear in the Redirect and Signatures lists?
In the previous example you can see the UNIX OS Event Collector and the Generic Syslog Event Collector are listed in the Director Settings tab. Several other collectors are available to add signatures.
To be able to add a signature for a collector:
- The collector must be installed on the appliance
- The collector must be a syslog sensor
- The collector must not already have a signature
In addition to the above criteria, to be listed in the Redirect list a valid sensor configuration for that collector must be distributed to the appliance.
Once the configuration is distributed to the appliance, click Refresh to get it to appear in the Redirect list.
Regarding the On-Box Unix collector
One important point about the on-box Unix collector: this collector is designed to process signatures from several *ix distributions. It is NOT recommended that additional collectors, such as the Linux syslog collector, be added onboard, as these events should be processed by the Unix collector which is already present.
Generic Syslog Collector
In every case where the Syslog Director is implemented, a Generic Syslog Collector should also be configured and active on the appliance. Without a Generic collector it is very difficult to troubleshoot any issues with the Syslog Director.
Each event is checked against every signature in the list. The Generic Syslog collector should be present at the end of the signatures list, with no signature at all, meaning if the event does not match any of the existing signatures the traffic will be sent to the Generic Syslog Event Collector. Knowing whether an event does or does not arrive at the Generic Syslog Collector helps determine the nature of a problem. For assistance setting up a Generic Syslog Collector read this document.
See this document for more information on troubleshooting the Syslog Director.