9.1. Syslog

This section is used to configure the rules for collecting Unix system log (syslog) events, which carry information on the system's operation, status, and security, as well as any errors or malfunctions. Syslog rules let you filter event records by time, event severity, object, device name, and application, which makes it easier to find the information of interest.

To use the log collector, you need to configure the server from which information will be collected and the syslog rules.

To configure the server, go to the Log collector --> Syslog section in the General settings tab of UserGate Log Analyzer's web interface and provide the following settings:


Enabled

Enable or disable receiving syslog events.

Protocol

The network protocol used for information collection:

  • TCP.

  • UDP.

Port

The port number used to collect syslog events. The default port is 514.

Max session number

The maximum number of devices allowed to be connected concurrently for sending messages.

Secure connection

Enable or disable data flow encryption.

For more details on using TLS with Syslog, refer to the relevant documentation.

CA certificate file

The Certification Authority (CA) certificate used to establish a secure connection.

Certificate file

A certificate generated by the user and signed by the Certification Authority (CA). Specify this when configuring a secure connection.

Permitted peers

The list of devices from which UserGate LogAn will receive information using a secure connection.
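The following Python sketch is an added example, not UserGate's own code, showing how the secure-connection settings above map onto a TLS-protected syslog receiver: the CA certificate file is what the receiver uses to validate senders, the certificate file is what it presents to them, and the permitted-peers list is an allowlist checked against the name in the sender's certificate after the handshake. The file paths, the host names, the `PERMITTED` list and the sample certificate dictionary are all constructed for the example.

```python
"""Mutual-TLS settings for a syslog receiver, mapped onto the secure-connection
options (CA certificate file, certificate file, permitted peers).
Example code with constructed inputs; file paths are placeholders."""
import ssl
from typing import Iterable


def build_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Server-side context: present our own certificate and require every
    syslog sender to present a certificate that chains to the configured CA
    (the equivalent of enabling 'Secure connection')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # 'Certificate file'
    ctx.load_verify_locations(cafile=ca_file)                  # 'CA certificate file'
    # A sender without a CA-signed certificate is rejected during the handshake.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def peer_names(peercert: dict) -> set:
    """Names asserted by a client certificate, in the dict shape that
    ssl.SSLSocket.getpeercert() returns: subject CN plus DNS/IP SANs."""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value)
    for kind, value in peercert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(value)
    return names


def peer_allowed(peercert: dict, permitted: Iterable[str]) -> bool:
    """'Permitted peers' check: a valid CA-signed certificate alone is not
    enough; it must also name one of the configured senders."""
    return bool(peer_names(peercert) & set(permitted))


def admit_connection(conn, permitted: Iterable[str]) -> bool:
    """Run on an accepted ssl.SSLSocket: drop the connection unless the
    peer is on the permitted list. Returns True when the peer is admitted."""
    cert = conn.getpeercert()
    if not cert or not peer_allowed(cert, permitted):
        conn.close()
        return False
    return True


# Constructed peer certificate in getpeercert() shape (not a real certificate).
SAMPLE_PEER = {
    "subject": ((("countryName", "XX"),), (("commonName", "fw-1.example.internal"),)),
    "subjectAltName": (("DNS", "fw-1.example.internal"), ("IP Address", "10.0.0.5")),
}
# Constructed allowlist corresponding to the 'Permitted peers' setting.
PERMITTED = ["fw-1.example.internal", "fw-2.example.internal"]

if __name__ == "__main__":
    print("fw-1 admitted:", peer_allowed(SAMPLE_PEER, PERMITTED))          # True
    print("unknown admitted:", peer_allowed(SAMPLE_PEER, ["other.host"]))  # False
```

To use the context on a real listener, wrap the accepted TCP socket with `ctx.wrap_socket(sock, server_side=True)` and call `admit_connection()` before reading any syslog data; the point of the two-step check is that certificate validity (CA) and sender identity (permitted peers) are separate decisions, so a certificate issued by the right CA to some other device still cannot inject log records.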

To configure syslog event record filtering rules, provide the following settings:


Enabled

Enable or disable the syslog rule.

Name

The name of the syslog rule.

Description

An optional description of the syslog rule.

Action

The rule's action:

  • Allow: allow incoming messages that match the rule conditions.

  • Block: block incoming messages that match the rule conditions.

Timezone

The timezone configured on the remote devices. Incoming messages will be allowed or blocked from the devices that store records in the specified timezone.

Place to

The place in the rule list where this rule will be inserted: at the top, at the bottom, or above the selected existing rule.

Severity

The syslog severity of the event:

  • Emergency: a critical state that affects system health.

  • Alert: a state that requires immediate intervention.

  • Critical: a state that requires immediate intervention or signals a fault in the system.

  • Error: messages about system faults.

  • Warning: warnings on potential errors that can occur if no action is taken.

  • Notice: events that are related to unusual system behavior but are not errors.

  • Info: informational alerts.

  • Debug: information useful to developers for debugging applications.

Object

The event's category (the syslog facility):

  • Kernel messages.

  • User-level messages.

  • Mail system.

  • System daemon.

  • Security/authorization.

  • Syslog messages.

  • Line printer subsystem.

  • Network news subsystem.

  • UUCP subsystem.

  • Clock daemon.

  • Security/authentication.

  • FTP Daemon.

  • NTP subsystem.

  • Log audit.

  • Log alert.

  • Clock daemon 2.

  • Local 0-Local 7.

Hostname

The name of the device.

App-Name

The name of the application for which the collection of information should be allowed or blocked.
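The rule settings above (action, timezone, place in the list, severity, object, hostname and app-name) can be read as a small matching engine over the RFC 5424 header of each incoming message, where the `<PRI>` value encodes facility*8 + severity. The following Python code is an added example, not UserGate's code, that implements such an engine. It assumes first-match-wins evaluation, that a message matching no rule is allowed, that hostname and app-name are exact matches, and that the timezone condition compares the UTC offset carried in the message timestamp; the rule names and sample messages are constructed.

```python
"""Toy evaluator for syslog filtering rules: severity, object (facility),
hostname, app-name, allow/block action and rule ordering.
Example code; the matching semantics below are assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Facility codes 0-23 in RFC 5424 order, corresponding to the 'Object' list.
FACILITIES = [
    "kernel", "user", "mail", "daemon", "security/authorization", "syslog",
    "lpr", "news", "uucp", "clock", "security/authentication", "ftp", "ntp",
    "log audit", "log alert", "clock2",
] + [f"local{i}" for i in range(8)]
# Severity codes 0-7, corresponding to the 'Severity' list.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP ...
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) ")


def parse_header(line: str) -> dict:
    """Extract the fields a rule can match on. PRI = facility * 8 + severity."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 5424 message: {line[:40]!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    offset = None
    if m["ts"] != "-":  # '-' (NILVALUE) means the sender supplied no timestamp
        offset = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).utcoffset()
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "hostname": m["host"],
        "app_name": m["app"],
        "utc_offset": offset,
    }


@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "block"
    severity: Optional[set] = None         # None means "any value"
    facility: Optional[set] = None         # the 'Object' condition
    hostname: Optional[str] = None         # exact match (assumption)
    app_name: Optional[str] = None         # exact match (assumption)
    utc_offset: Optional[timedelta] = None # the 'Timezone' condition (assumption)
    enabled: bool = True

    def matches(self, ev: dict) -> bool:
        """Every configured condition must hold; unset conditions match anything."""
        if not self.enabled:
            return False
        if self.severity is not None and ev["severity"] not in self.severity:
            return False
        if self.facility is not None and ev["facility"] not in self.facility:
            return False
        if self.hostname is not None and ev["hostname"] != self.hostname:
            return False
        if self.app_name is not None and ev["app_name"] != self.app_name:
            return False
        if self.utc_offset is not None and ev["utc_offset"] != self.utc_offset:
            return False
        return True


class RuleList:
    """Ordered rule list: first matching rule decides, and a message that
    matches no rule is allowed (both assumptions for this example)."""

    def __init__(self):
        self.rules = []

    def place(self, rule: Rule, where: str = "bottom", above: Optional[str] = None):
        """Mirror of the 'Place to' setting: top, bottom, or above a named rule."""
        if where == "top":
            self.rules.insert(0, rule)
        elif where == "above":
            self.rules.insert([r.name for r in self.rules].index(above), rule)
        else:
            self.rules.append(rule)

    def evaluate(self, line: str):
        """Return (action, matching rule name or None) for one raw message."""
        ev = parse_header(line)
        for r in self.rules:
            if r.matches(ev):
                return r.action, r.name
        return "allow", None


def build_demo_rules() -> RuleList:
    """Constructed rule set: drop debug noise, drop sshd records except from fw-1."""
    rl = RuleList()
    rl.place(Rule("drop-debug", "block", severity={"debug"}))
    rl.place(Rule("drop-sshd", "block", app_name="sshd"))
    # The exception is inserted above the broader block rule so it wins.
    rl.place(Rule("keep-fw-sshd", "allow", hostname="fw-1", app_name="sshd"),
             where="above", above="drop-sshd")
    return rl


# Constructed sample messages (not real log data). <86> = facility 10, severity 6.
SAMPLES = [
    "<86>1 2024-05-01T12:00:00+03:00 fw-1 sshd 4242 - - Accepted publickey for admin",
    "<86>1 2024-05-01T12:00:00+03:00 srv-2 sshd 100 - - Accepted password for root",
    "<15>1 2024-05-01T12:00:05Z srv-2 cron 7 - - debug trace",
    "<30>1 - srv-3 myapp - - - started",
]

if __name__ == "__main__":
    rules = build_demo_rules()
    for s in SAMPLES:
        print(rules.evaluate(s), s[:45])
```

Rule order is the part worth checking when a rule does not seem to take effect: with first-match evaluation, an allow rule placed below a broader block rule never fires, which is exactly what the "Place to" setting controls.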

For more details, see the section Syslog Applications.

The event will be recorded in Syslog. For more details, see the section System Log.