Adapt the rsyslog system file for the data transfer
Adapt the rsyslog system file on Web Gateway to ensure that syslog data is successfully sent to Trellix ESM.
Task
- Select Configuration | File Editor.
- On the files tree, select rsyslog.conf.
The file content appears on the configuration pane. - Edit the file to adapt it for the data transfer.
The edited file should look as shown in the following. The modified lines are in the paragraph that begins with: The below will direct all daemon.info messages to the remote syslog server ...
NOTE: The information that you provide here includes the IP address of the Skyhigh Security SIEM Receiver.
# default parameters $DirCreateMode 0755 $FileCreateMode 0640 $FileGroup adm $umask 0026 # Include config files in /etc/rsyslog.d $IncludeConfig /etc/rsyslog.d/*.conf # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! # The following directs all daemon.info messages to the # remote syslog server at [IP_OF_MCAFEE_EVENT_RECEIVER] # add @@ for TCP syslog for example #daemon.info @192.168.1.1 *.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* /var/log/boot.log
- Click Save Changes.