To configure the event source, follow these steps:
Name | Description |
---|---|
Step 1. Allow collecting information from remote devices using the Syslog protocol. | Under Network ➜ Zones, enable the UserID syslog collector service for the zone in which the Syslog servers are located. |
Step 2. Configure the UserID agent settings to monitor the Syslog server. | The UserID agent parameters were discussed earlier. |
Step 3. Configure the event source. | Configure the Syslog server as the source. See below for more information on the source settings. |

When adding a source of Syslog type, you need to specify the following:
Name | Description |
---|---|
Enabled | Enable/disable receiving logs from the source. |
Name | The source name. |
Description | The source description. |
Server address | The host address from which NGFW will receive syslog events. |
Default domain | The name of the domain used to search for users found in syslog logs. |
Timezone | The time zone set on the source. |
Auth profile | The authentication profile used to look up users found in Syslog logs. |
Filters | Filters to find the necessary log entries. You can create and configure filters under Libraries ➜ UserID agent Syslog filters. For more details, see UserID agent Syslog filters. |

The found events are displayed on the Logs and reports tab, under Logs ➜ User-ID agent ➜ Syslog.