It is the responsibility of the Appliance Administrator to configure SPP to log event messages to a syslog server. The steps below cover configuration.
Other considerations:
- For event messages to be logged, you must configure SPP to send alerts. For more information, see Configuring alerts.
- The syslog client certificate will be used. For more information, see Syslog Client Certificate.
- Go to Syslog:
- web client: Navigate to External Integration > Syslog.
- Click Add to display the Syslog Serverdialog.
-
In the Syslog Server dialog, enter the following:
-
Name: Enter a descriptive name for the syslog server.
- Network Address: Enter the IP address or FQDN of the syslog server. Limit: 255 characters
-
Port: Enter the port number for the syslog server. Default: 514 and range: between 1 and 32767
-
Protocol: Select the network protocol and syslog header type:
-
UDP (RFC 3164): Sends messages over UDP using the syslog header format specified in RFC 3164.
- UDP (RFC 5424): Sends messages over UDP using the syslog header format specified in RFC 5424.
- TCP (RCF 5424): Sends messages over TCP using the syslog header format specified in RFC 5424. TCP is required for TLS options.
-
- If you selected a Protocol of TCP (RCF 5424), additional selections can be made to set the TCP framing and configure SPP to use Transport Layer Security (TLS). This provides encrypted communication with the syslog server instead of plain text over TCP.
-
Select the TCP Framing. By default, Octet Counting will be selected. Possible options are:
-
Octet Counting: The default and recommended framing. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.1. With octet counting, there is no chance of a message containing a character that may otherwise be intended to be used as a delimiter.
-
LF: Use a line feed character (LF 0x0A) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.
-
CR: Use a carriage return character (CR 0x0D) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.
-
CRLF: Use both carriage return and line feed characters (CRLF 0x0D0A) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.
-
NUL: Use a NUL character (0x00) as the delimiter between syslog messages. For more information, see https://datatracker.ietf.org/doc/html/rfc6587#section-3.4.2. Note that the RFC describes problems with using this framing and is therefore not recommended. However, some syslog servers do not support octet counting and must use one of these non-transparent framing options. Safeguard for Privileged Passwords makes no attempt to escape out this character if it appears in a message itself. If that happens, you will receive a fragmented and potentially malformed message/data.
-
-
Select Use TLS Encrypton.
- Verify Syslog Server Certificate: If selected, the syslog server certificate messages will only be sent if SPP is able to verify the authenticity of the syslog server TLS certificate. If SPP cannot resolve the syslog server TLS certificate to a trusted root, the message will not be sent.
- Use Client Certificate: Select this option if the syslog server requires clients to authenticate. You should also set the syslog client certificate appropriately. For more information, see Creating a syslog client Certificate Signing Request.
-
-
- Click OK to save your selection and add the syslog server configuration.
- You can verify the syslog server. See the next section.
To verify a syslog server
-
Navigate to External Integration > Syslog Event.
-
Click Send Test Event. For more information, see Syslog Events.