How do I configure Security Manager to process syslog messages from UNIX computers or firewall devices? (NETIQKB33631)

  • 7733631
  • 02-Feb-2007
  • 21-Aug-2007

Resolution

goal
How do I configure Security Manager to process syslog messages from UNIX computers or firewall devices?

fact
Security Manager 4.X

fact
Security Manager 5.X

fix

Follow these steps to configure Security Manager to process syslog messages and to forward syslog messages from UNIX computers or firewall devices to Security Manager agents.

To configure Security Manager to process syslog messages, create a syslog provider, a syslog computer group, and a syslog event collection processing rule.

NOTE:

  • DO NOT USE THIS ARTICLE if you are using the Security Manager modules for Check Point, Cisco Secure PIX, NetScreen, or Secure Computing SideWinder firewalls. Those modules collect firewall logs on their own; you can find detailed information about all supported firewall modules in the Security Manager Installation Guide.
  • With Security Manager 4.50 and higher, agents can be installed on UNIX computers running the Solaris, Red Hat Linux, AIX, or HP-UX operating systems. For more information about configuration support for UNIX, see the Security Manager Installation Guide.

To configure Security Manager to process syslog messages:

  1. Log on to a 'Development Console' computer using an account that is a member of the 'OnePointOp Operator' group.
  2. Start the 'Development Console' located in the NetIQ Security Manager program folder.
  3. Create a syslog provider. For more information about creating a provider for syslog, please refer to the following knowledge base article:

     https://www.netiq.com/kb/esupport/consumer/esupport.asp?id=NETIQKB8595
  4. Create a computer group for the agent computers that will receive syslog messages, by completing the following steps: 

    1. Select Computer Groups in the left pane.
    2. On the Action menu, click New | Computer Group.
    3. Follow the instructions until you have finished creating a computer group that includes only those agent computers that will receive syslog messages from UNIX computers or firewalls.
    4. When Security Manager asks if you would like to deploy a group of processing rules to computers matching this newly created computer group, click No.
  5. Create a processing rule group and processing rules to process the syslog messages by completing the following steps: 
     
    1. Select Processing Rule Groups in the left pane.
    2. On the Action menu, click Create Processing Rule Group.
    3. Follow the instructions until you have finished creating a processing rule group.
    4. When Security Manager asks if you would like to deploy the processing rules in the newly created processing rule group to a group of computers, click Yes.
    5. Click Add.
    6. Select the computer group you created in Step 4, and then click OK.
    7. Click OK.
    8. Select the syslog processing rule group in the left pane.
    9. Right-click Event Processing Rules in the left pane and select Collect Specific Events (Collection).
    10. Click Next and follow the instructions until you have finished creating a processing rule. 

    NOTE: Make sure to select the syslog provider you have created in the Provider Name field.

  6. Configure the 'hosts' file on each agent computer that receives syslog messages. Add an entry that maps the IP address of each UNIX computer or firewall that forwards messages to its host name. This is required if your DNS server does not already map that IP address, and it is recommended even when DNS does, because it improves performance. The hosts file is located in the \WINNT\system32\drivers\etc folder. For more information on the hosts file, see the Windows documentation.

For Security Manager to process syslog messages, you must configure each UNIX computer to forward syslog messages to a computer in the syslog computer group.

NOTE: Refer to the firewall documentation to configure your firewall to forward logs to the Security Manager agent computer.


To configure the UNIX computer to forward syslog messages:

  1. Get the IP address of the agent computer to which you will forward syslog messages.  For more information, see the Windows Help for the IPCONFIG command.
  2. Log on with the root account to the UNIX computer from which you want to forward syslog messages.
  3. Open the syslog.conf file in a text editor. The default path for the syslog.conf file is /etc/syslog.conf.
  4. Add a line to the syslog.conf file to forward syslog messages to the IP address of the agent computer. For more information, see the syslog.conf MAN page. A selector of the form facility.priority matches that priority and every more severe one, so the following example forwards messages of priority err, crit, alert, and emerg from all facilities to the 123.123.123.123 IP address:

        *.err   @123.123.123.123
  5. Save and close the syslog.conf file.
  6. Stop and restart the syslogd daemon. For more information see the syslogd MAN page. 

NOTE: Review the syslog.conf MAN page for your system to verify that this is the proper format for your computer; some syslogd implementations require a tab, not spaces, between the selector and the @ action. The @host action sends the messages as plain UDP to port 514, so make sure any firewall between the UNIX computer and the agent computer allows that traffic. Because this transport carries no authentication, the agent can attribute a message to its sender only by the source IP address of the datagram, so keep the forwarding path on a trusted network segment.
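The forwarding step above hinges on syslog.conf selector semantics: '*.err' sends err and every more severe priority, not only err, and a later 'none' part can exclude a facility that an earlier '*' matched. The following script is an added example, not code from the NetIQ article or from Security Manager; it models the selector rules of a classic BSD/sysklogd syslogd against a constructed sample configuration, builds the RFC 3164 style datagram that the agent's syslog provider receives, and includes a UDP sender for port 514 so the agent can be exercised from any host. The agent address 123.123.123.123 is the article's placeholder; the host name, tags, and messages are assumptions made up for the example.

```python
# Added example; not code from the NetIQ article. It models what a classic
# BSD/sysklogd syslogd forwards for a given /etc/syslog.conf and builds the
# datagram the Security Manager agent's syslog provider receives on UDP 514.
import re
import socket

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}
SEVERITIES.update({"panic": 0, "error": 3, "warn": 4})  # traditional aliases


def selector_matches(selector, facility, severity):
    """Evaluate one syslog.conf selector such as '*.err;mail.none'.

    'facility.priority' selects that priority AND every more severe one
    (lower number), so '*.err' also forwards crit, alert and emerg.
    '=priority' selects exactly that level, 'none' deselects a facility,
    '*' wildcards either side. Parts apply left to right; a later part
    overrides an earlier one for the same facility.
    """
    sev = SEVERITIES[severity]
    rule = None  # None: not selected; ("max", n) or ("exact", n)
    for part in selector.split(";"):
        fac_list, dot, pri = part.strip().rpartition(".")
        if not dot:
            continue  # malformed part; a real syslogd reports an error
        facs = list(FACILITIES) if fac_list == "*" else [
            f.strip() for f in fac_list.split(",")]
        if facility not in facs:
            continue
        if pri == "none":
            rule = None
        elif pri == "*":
            rule = ("max", 7)
        elif pri.startswith("="):
            rule = ("exact", SEVERITIES[pri[1:]])
        else:
            rule = ("max", SEVERITIES[pri])
    if rule is None:
        return False
    kind, level = rule
    return sev == level if kind == "exact" else sev <= level


def parse_conf(text):
    """Return (selector, action) pairs, skipping blank lines and comments.
    Any whitespace separates selector and action here; older syslogd
    versions insist on a tab, which is why the sample below uses one."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"\s+", line, maxsplit=1)
        if len(fields) == 2:
            rules.append((fields[0], fields[1]))
    return rules


def forwarding_targets(conf_text, facility, severity):
    """Return the remote hosts ('@host' actions) a message would be sent to."""
    return [action[1:] for selector, action in parse_conf(conf_text)
            if action.startswith("@")
            and selector_matches(selector, facility, severity)]


def build_datagram(facility, severity, hostname, tag, msg,
                   timestamp="Feb  2 12:00:00"):
    """BSD (RFC 3164 style) datagram: <PRI>TIMESTAMP HOST TAG: MSG,
    where PRI = facility * 8 + severity; the agent decodes it the same way."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {hostname} {tag}: {msg}".encode("ascii")


def decode_pri(datagram):
    """Recover (facility, severity) names from a datagram's <PRI> header."""
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m:
        raise ValueError("no PRI header")
    pri = int(m.group(1))
    return (FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}"),
            SEVERITY_NAMES[pri % 8])


def send_to_agent(datagram, agent_ip, port=514):
    """Send one datagram the way the '@host' action does: plain UDP to 514.
    Nothing authenticates the sender; the agent attributes the message
    to the source address of the datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (agent_ip, port))


# Constructed sample configuration and messages (not from any real host).
AGENT_IP = "123.123.123.123"  # the article's placeholder agent address
SAMPLE_CONF = (
    "# forward err and above from every facility, except mail\n"
    f"*.err;mail.none\t@{AGENT_IP}\n"
    "# forward every auth/authpriv message regardless of priority\n"
    f"auth,authpriv.*\t@{AGENT_IP}\n"
    "*.info\t/var/log/messages\n"
)
SAMPLE_MESSAGES = [  # (facility, severity, tag, message); all made up
    ("daemon", "err", "sshd[1234]", "error: PAM: authentication failure"),
    ("daemon", "info", "sshd[1235]", "Accepted publickey for admin"),
    ("mail", "crit", "sendmail[77]", "queue directory unwritable"),
    ("auth", "info", "su", "'su root' succeeded for operator"),
    ("kern", "emerg", "kernel", "panic: out of memory"),
]

if __name__ == "__main__":
    for fac, sev, tag, msg in SAMPLE_MESSAGES:
        targets = forwarding_targets(SAMPLE_CONF, fac, sev)
        dgram = build_datagram(fac, sev, "unixhost", tag, msg)
        print(f"{fac}.{sev:<6} -> {targets or 'not forwarded'}  {dgram.decode()}")
        # To exercise a real agent: send_to_agent(dgram, AGENT_IP)
```

Running the script prints, for each constructed message, whether the sample configuration would forward it and the exact bytes the agent would see; the daemon.info and mail.crit messages are dropped, the auth.info message is forwarded only because of the second line, and the kern.emerg message is forwarded by '*.err' even though its priority is not err. Calling send_to_agent with a real agent address lets you confirm the agent's syslog provider and the Monitor Console view are working before touching a production syslog.conf.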

To create a view to display the content from the logs:

  1. Start the 'Monitor Console'. 
  2. Right-click My Views in the left pane and select New | Event View.
  3. Select Events that Satisfy Specified Criteria, and then click Next.
  4. Select the 'from event providers of specified type' criterion.
  5. Under View Description, click the Specified link and select Application Log as the type.
  6. Select the 'from event providers with specified name' criterion.
  7. Under View Description, click the Specified link and enter the name of the syslog provider you created.
  8. Click Next.
  9. Name this view, and give a description, click Finish.

You should now see the events that are collected in this view.

Additional Information

Formerly known as NETIQKB33631