Corner Bowl Server Manager
SIEM, IPS, Server Monitoring, Uptime Monitoring and Compliance Software
Syslog Server Settings
Server Manager contains both UDP and TCP Syslog Servers. These syslog servers can be used to save, backup, relay, and monitor syslog messages from hardware devices such as switches, routers, firewalls or any computer that supports syslog such as Linux servers. By default, when a message is sent from a device, the receiving Syslog server automatically adds the device's IP or hostname to the Explorer View then automatically saves all messages to Server Manager's centralized syslog database.
How to configure the Syslog Servers
- From the Explorer View, navigate to Options, then select Syslog Server Settings. The Syslog Server Settings View displays. The Agent Server Properties View contains 3 tabs.
- Options
- Assignments
- Columns
UDP Syslog Server
- Check the Enabled check box to enable the UDP Syslog Server.
- Use the Port text box to specify the port.
- Use the Bind address text box to specify the IP address to bind the server. 0.0.0.0 binds to all local IP addresses.
- Use the Queue size text box to specify the queue size.
Note
Whenever the queue is full and the server cannot keep up with the incoming syslog messages, new messages are dropped until the system is able to recover.
- Use the Batch size text box to specify the number of syslog messages to batch process.
Note
The batch size must be less than the queue size.
Note
When saving syslog messages to Microsoft SQL Server, Server Manager utilizes SQL Server's batch insert capabilities. If you find your server is frequently dropping messages, consider switching to SQL Server. SQL Server provides far superior throughput over MySQL and SQLite.
- Clicking Clear DNS Cache empties any prior DNS cached values.
TCP Syslog Server
- Check the Enabled check box to enable the TCP Syslog Server.
- Use the Port text box to specify the port.
- Use the Bind address text box to specify the IP address to bind the server. 0.0.0.0 binds to all local IP addresses.
- Use the Idle timeout text box to specify the timeout in seconds.
- Use the Encrypt check box to enable TLS 1.2.
- Use the Certificate drop-down to select a certificate from your Windows Local Computer Certificate Store.
- Check the Close duplicate connections check box to clean up duplicate connections.
Message Delimiters
Use the message delimiter options to configure how TCP syslog messages are separated when multiple messages are sent within the same packet.
- Check the CRLF check box to enable CRLF (ASCII 13, ASCII 10) delimiters.
- Check the CR check box to enable CR (ASCII 13) delimiter.
- Check the LF check box to enable LF (ASCII 10) delimiter.
- Check the NULL check box to enable NULL (ASCII 0) delimiter.
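How delimiter framing behaves on a TCP stream, as an added example that is not Corner Bowl's code: the `SyslogFramer` class, its `enabled` names and the `max_len` cap are assumptions made for illustration. It covers the case where a CRLF is split across two reads, and shows what happens when the enabled delimiters do not match what the sender emits.

```python
# Added example (not Corner Bowl's code): delimiter framing for TCP syslog.
DELIMS = {"CRLF": b"\r\n", "CR": b"\r", "LF": b"\n", "NULL": b"\x00"}

class SyslogFramer:
    """Splits a TCP byte stream into messages on the enabled delimiters."""

    def __init__(self, enabled=("CRLF", "LF"), max_len=8192):
        # Longest delimiter first, so CRLF wins over a bare CR at the same offset.
        self.delims = sorted((DELIMS[n] for n in enabled), key=len, reverse=True)
        self.max_len = max_len  # assumed cap: bounds memory used per connection
        self.buf = bytearray()

    def _next_delim(self):
        best = None
        for d in self.delims:
            pos = self.buf.find(d)
            if pos != -1 and (best is None or pos < best[0]):
                best = (pos, len(d))
        if best is None:
            return None
        pos, size = best
        # A CR that is the last buffered byte may be the first half of a CRLF
        # split across two reads: wait for more data before treating it as CR.
        if (size == 1 and pos == len(self.buf) - 1
                and self.buf[pos:] == b"\r" and b"\r\n" in self.delims):
            return None
        return best

    def feed(self, chunk):
        """Append the bytes of one recv() and return the complete messages."""
        self.buf += chunk
        out = []
        while (hit := self._next_delim()) is not None:
            pos, size = hit
            msg = bytes(self.buf[:pos])
            del self.buf[:pos + size]
            if msg:  # drop empty frames, e.g. the LF left over after a CR split
                out.append(msg)
        if len(self.buf) > self.max_len:
            # No delimiter within the cap: emit a truncated message, drop the rest.
            out.append(bytes(self.buf[:self.max_len]))
            self.buf.clear()
        return out
```

With only LF enabled, a sender that terminates messages with CRLF leaves a trailing CR on every stored message, so the enabled delimiters should match what the devices actually send.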
Options
- Use the Add all new hosts check box to automatically add any syslog device to the software when a syslog message is received from the device for the first time.
Note
Devices sending syslog messages to Server Manager are automatically added to the Explorer View under the Hosts/Syslog Devices node, then templates such as Syslog Consolidation are automatically assigned. If you prefer to explicitly specify which Syslog devices can save messages to the Log Database, clear this option, then manually add each Syslog device you want to support. Finally, assign the Syslog Consolidation template to each new Syslog device or the Host Group where you added the Syslog devices.
- Use the Host identification method drop-down to select how you would like connecting hosts to be identified.
Option | Description |
---|---|
DNS Lookup | The server uses DNS to resolve the hostname. |
DNS and FQDN Lookup | The server uses DNS and Active Directory to resolve the Fully Qualified Domain Name (FQDN). |
Remote IP Address | The server uses the IP address. |
- Check the Enable RFC 5424 parsing check box to enable RFC 5424 parsing. For more information see: The Syslog Protocol
- Check the Enable RFC 3164 parsing check box to enable RFC 3164 parsing. For more information see: The BSD syslog Protocol
Important
RFC 5424 obsoletes RFC 3164.
- Check the Enable verbose logging check box to enable detailed logging.
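What the two parsing options distinguish, as an added example that is not Corner Bowl's parser: `parse_syslog`, its two flags (which mirror the check boxes) and the sample lines are assumptions constructed for illustration. The regular expressions are simplified and do not handle an escaped `]` inside RFC 5424 structured data.

```python
import re

# Added example: tell RFC 5424 from RFC 3164 and decode the PRI value.
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[.*?\])+)(?: (.*))?$",
    re.S)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

# Constructed sample messages (not captured from a real device).
SAMPLE_5424 = ('<165>1 2024-05-01T12:00:00Z fw01.example.net sshd 4123 ID47 '
               '[origin@32473 ip="192.0.2.10"] login failed')
SAMPLE_3164 = "<13>May  1 12:00:00 sw-core-1 link: port 7 down"

def parse_syslog(line, rfc5424=True, rfc3164=True):
    """Return a dict of fields; anything unparsed comes back as format 'raw'."""
    m = RFC5424.match(line) if rfc5424 else None
    if m:
        pri, ts, host, app, procid, msgid, sd, msg = m.groups()
        fields = {"format": "RFC5424", "timestamp": ts, "host": host,
                  "app": app, "procid": procid, "msgid": msgid,
                  "sd": sd, "msg": msg or ""}
    else:
        m = RFC3164.match(line) if rfc3164 else None
        if not m:
            return {"format": "raw", "msg": line}
        pri, ts, host, msg = m.groups()
        fields = {"format": "RFC3164", "timestamp": ts, "host": host, "msg": msg}
    pri = int(pri)
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return {"format": "raw", "msg": line}
    # PRI = facility * 8 + severity
    fields["facility"], fields["severity"] = divmod(pri, 8)
    return fields
```

The `host` field parsed here is taken from the message body and is supplied by the sender, which is separate from the connection-based identification selected in the Host identification method drop-down.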
How to relay syslog messages
Corner Bowl Server Manager can be used to relay syslog messages to other syslog collectors.
To relay syslog messages
- From the Explorer View, expand the root Templates node, expand Sample Templates | Log Consolidation then right click on Syslog Relay and select Template Properties. The Template Properties View displays.
- From the Template Properties View, select the Rules Tab.
- From the Rules controls, find the Actions column. Notice the Syslog Relay action that is assigned. This action needs to be modified to configure the Syslog Collector Host to relay syslog messages to. Click the Edit button. The Action Properties View displays.
- From the Action Properties View, use the Syslog server drop-down to select the target Syslog Collector Host.
Important
If the host or IP has not been added, click the Add button, then add the host or IP.
- Click Close, then when prompted to save your changes, click Yes.
- From the Template Properties View, use the Assignments controls to assign the localhost to the Syslog Relay Template.
- Click Close, then when prompted to save your changes, click Yes.