Configure Syslog Monitoring

The ActivID Appliance Syslog function can be configured to send audit events and system notifications to an external Syslog server:

  • Audit events – events to log can be filtered using a regular expression on audit EventID (for example, ^.*Authenticate.*$ can be used to send the authentication audit events).
  • System events – the same events that are sent as SNMP notifications.

Each type of event is managed separately, so you can send only one type to the Syslog server if required (for example, system events Enabled but audit events Disabled).

Note:  
  • The appliance uses Syslog user-level messages (Syslog facility user). You must make sure the Syslog message traffic is correctly secured.
  • You can only define one Syslog server for the appliance. If you need to send log events to multiple Syslog servers, you must configure a relay Syslog server.
  • The Syslog function is disabled by default.
  • The appliance does not check if the CA root certificate of your Syslog server (required for TLS/mTLS connections) has been imported into the appliance truststore.
  • Enabling Syslog might generate significant logging data (especially with audit events) and could impact the performance of the appliance.

Prerequisites: If you want to use the TLS or mTLS protocol to connect to your Syslog server, import the CA root certificate of your Syslog server as a trusted certificate.

  1. Log on to the ActivID Console and, under Monitoring in the left menu, select Syslog.

  2. In the Server section, configure the connection to your Syslog server:

    1. Enter the IP Address.
    2. Select the required Protocol.
    3. Enter the Port number.

      The default protocol ports are:

      • UDP - 514
      • TCP - 601
      • TLS/mTLS - 6514
  3. If you are using the mTLS protocol:

    Upload the client certificate (.p12) and enter the corresponding password.

    Note: If there is an existing certificate configured for the connection, you can View the certificate's details or Change the certificate by uploading a new one.

  4. In the Events section, select the type of appliance event data you want to send to your Syslog server by selecting Enable for Audit Events and/or System Events.
  5. In addition, for Audit Events, you can filter the type of audited event.

    For example, to send only authentication events, add the ^.*Authenticate.*$ filter.

    Note: If you have deployed the ActivID RADIUS Front End (RFE), Syslog will capture many authentication attempts when the RFE creates a pool of connections at startup.

  6. Click Save to apply the configuration.
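
The audit event filter from step 5 can be previewed offline before it is saved, which helps avoid forwarding more audit events than intended. The following Python sketch is an added example, not part of the ActivID documentation; it compares substring and whole-string matching of a filter on constructed, hypothetical EventIDs. It assumes that Python's re module behaves like the appliance's regular expression engine for simple patterns such as this one.

```python
import re

# Constructed, hypothetical audit EventIDs for illustration only;
# substitute IDs taken from your own appliance's audit log.
SAMPLE_EVENT_IDS = [
    "UserAuthenticateSuccess",
    "UserAuthenticateFailure",
    "AuthenticatorCreate",      # near miss: "Authenticato", not "Authenticate"
    "radius.authenticate",      # near miss: lower-case "a"
    "CredentialUpdate",
    "SessionLogout",
]


def preview_filter(pattern, event_ids):
    """Return the EventIDs the filter selects under each matching mode.

    "search" selects an ID if the pattern matches anywhere in it;
    "fullmatch" selects an ID only if the pattern covers the whole ID.
    """
    try:
        rx = re.compile(pattern)
    except re.error as exc:
        raise ValueError(f"filter does not compile: {exc}") from exc
    return {
        "search": [e for e in event_ids if rx.search(e)],
        "fullmatch": [e for e in event_ids if rx.fullmatch(e)],
    }


def is_mode_independent(pattern, event_ids):
    """True if the filter selects the same IDs whichever mode is used."""
    result = preview_filter(pattern, event_ids)
    return result["search"] == result["fullmatch"]


if __name__ == "__main__":
    for candidate in (r"^.*Authenticate.*$", r"Authenticate"):
        selected = preview_filter(candidate, SAMPLE_EVENT_IDS)
        print(candidate, selected, is_mode_independent(candidate, SAMPLE_EVENT_IDS))
```

A filter written in the anchored ^.*text.*$ form selects the same EventIDs under both modes, so its result does not depend on which mode the filtering engine applies.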

The following illustration is an example of notifications: