{tbl.open,width:100%,align:center,heading:Syslog Help} Basic Syslog Processor Setup Help

  • Create a database for the storage of incoming syslog data.
  • Ensure permissions on the database allow for insert, delete, create, alter, update, and drop access.
  • Import the syslog_tables.txt MySQL file into your newly created syslog database (the file is located in your console's /syslog/ directory).
  • Configure the username, password, database name and host within the Aanval Console Syslog Processor Module.
  • Start the idsSyslog.pl background script to begin receiving syslog data.
  • Enable the Syslog Processor Module.
  • Activate detected syslog sensors.
  • Edit sensor filters to correctly normalize data specific for the sensor.

  • Commercial Support Assistance is available to help install, configure and manage the Syslog Processor. Contact Aanval or visit your myAanval Portal account for details. {tbl.close}

{tbl.open,width:100%,align:center,heading:Frequently Asked Questions}

    What is the Syslog Processor?
    The Syslog Processor is a feature built into Aanval that imports and normalizes any syslog data sent to the console.

    What kind of syslog data can be received?
    The Syslog Processor can receive any data sent via the syslog protocol (UDP port 514). Note: the port can be changed if needed by editing idsSyslog.pl.

    How does the console receive syslog data?
    The Syslog Processor receives syslog data via the Perl script idsSyslog.pl, which resides in your Aanval installation's /apps/ directory. Once started, the script listens by default on UDP port 514 for incoming syslog data.

    How do I execute the idsSyslog.pl script correctly?
    Ensure that no other syslog server is listening before launching (on some OSes you may need to disable the built-in syslog server first). Then, from within your console's /apps/ directory, issue the following command to launch the idsSyslog.pl script in the background:

    nohup perl ./idsSyslog.pl > /dev/null &

    How do I set up the syslog database?
    The file syslog_tables.txt is located within your console's /syslog/ directory. This file is in MySQL format and is used to create the database structure the Syslog Processor needs. On most systems the following commands may be used:

    mysqladmin create syslog
    mysql syslog < syslog_tables.txt

    Depending on how MySQL is configured, you may need to add the appropriate username and password arguments (-u and -p) to these commands. For additional assistance, please see your MySQL documentation.

    How do I test if the syslog processor is receiving syslog data?
    To test whether the Syslog Processor is receiving data correctly, stop any idsSyslog.pl scripts which may be running and execute the following command from your console's /apps/ directory:

    perl ./idsSyslog.pl

    This runs the script in the foreground and prints every incoming syslog message as it is received. If you see no incoming data, the likely causes are a firewall blocking the traffic, another syslog server already bound to the port, or devices that are not sending syslog data to the console. {tbl.close}
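As an added example (not part of the Aanval console or the idsSyslog.pl script), the following Python loopback check mirrors the foreground test above: it reports whether UDP port 514 is already taken by another syslog server, binds its own receiver on an ephemeral port, sends one constructed syslog message to it, and splits the <PRI> header into facility and severity the way a sensor filter normalizes data. The sample message, function names and the use of port 0 are assumptions; nothing here binds port 514 unless you ask it to.

```python
import re
import socket

# Constructed sample message (RFC 3164 style); not captured from a real device.
SAMPLE = "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=UDP"
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(msg):
    """Split the leading <PRI> header: PRI = facility * 8 + severity,
    so <34> is facility 4 (auth) at severity 2 (critical)."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # largest legal value is 23 * 8 + 7
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": pri // 8, "severity": pri % 8, "body": m.group(2)}


def udp_port_state(port, host="0.0.0.0"):
    """'free', 'in-use' (another syslog server already bound, the case the
    foreground test warns about) or 'unknown' (bind refused for lack of privilege)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
            return "free"
        except PermissionError:
            return "unknown"
        except OSError:
            return "in-use"


def loopback_roundtrip(msg=SAMPLE, host="127.0.0.1", port=0):
    """Bind a receiver (port 0 = ephemeral, no root needed), send msg to it
    over UDP exactly as a device would, and parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, port))
        rx.settimeout(2.0)
        bound_port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(msg.encode("utf-8"), (host, bound_port))
        data, _ = rx.recvfrom(65535)
    return parse_pri(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    print("UDP/514 is", udp_port_state(514))
    print(loopback_roundtrip())
```

Run it as root (or with the port already taken) to see the "in-use" case that matches the "another syslog server running" symptom described above.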