How does the Syslog Service work?


This article applies to:

  • Security Reporting Center 2.0
  • Security Reporting Center 2.1

Question:

How does the Syslog Service work?

Information:

The purpose of the NetIQ Syslog Service is to make firewall log files accessible by the Security Reporting Center machine.  The Syslog daemon of the NetIQ Syslog Service collects firewall log data from the firewall via UDP port 514. The daemon collects the firewall data and creates a log file on the machine running Security Reporting Center. These log files remain until the user deletes them.

The NetIQ Syslog Service standardizes the prefix of the firewall log file records. In the following example, the part of the firewall record that is formatted by NetIQ Syslog Service appears in bold.

WTsyslog [2001-11-01 00:31:41 ip=192.168.9.1 pri=6] 304001 192.168.10.20 accessed URL 192.9.24.116:template/sunstyle.css

Security Reporting Center checks each Syslog packet received on port 514 for its originator and tries to match this to the firewall IP address.  As a result, Security Reporting Center can be configured to report on more than one firewall using Syslog servers.  By looking at these packets and comparing their IP addresses, Security Reporting Center can tell which Syslog data packet belongs to which firewall.

Notes:

The firewall must be configured to use the NetIQ Syslog Service.  Please refer to the Firewall Configuration Guide for instruction. The guide can be found on the following Documentation page of the Marshal website:

https://support.trustwave.com/Security-Reporting-Center/documentation.asp

Because NetIQ Syslog Service runs as a Windows service, you must run Security Reporting Center on a Windows NT, Windows 2000, or Windows XP system and you must have administrator rights to configure the application to run as a service.

This article was previously published as:
NETIQKB13582
NETIQKB18295

Last Modified 4/10/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10556.aspx