Syslog integration SPP & SPS 6.11

Hi There,

We have configured a Syslog Server (Linux) in SPP and SPS. The Syslog server feeds the Azure SentiNel SIEM solution.

In SPP, I am using External Integration -> Syslog

In SPS, I am using Universal SIEM Forwarder.

Connections work fine (verified through the telnet tool in SPP and SPS to check if the SPP & SPS are connecting to the Syslog server over the TCP port assigned to the Syslog server). We are connecting over non-SSL for now. The format is CEF.

However, there is no relay of events to the Syslog server from both SPP and SPS. I don't see any SPP/SPS events listed in the Syslog server. Wondering why?

For SPP, we used the facility "User" and user-related events such as user authentication, user-created, deleted, etc. Tried a "Test Event" and it shows the event fired successfully but I don't have any events in the Syslog server.

Any further steps required to be done here? Appreciate any suggestions.

Regards,

Rajeeb

0 Tawfiq.Ahmad over 2 years ago

Hi Rajeeb,

If there is a firewall between (SPP or SPS) and the Syslog server, I would check if any traffic is arriving to the firewall at all for the Syslog server as destination to determine if the issue is firewall related or configuration related in SPP or SPS.

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Endpoint Privilege Management

Syslog integration SPP & SPS 6.11