Skip to main content
McAfee Enterprise MVISION Cloud

Configure Syslog Integration

MVISION Cloud Connector can use Syslog to receive and process incoming log data. If your egress device sends logs through Syslog, this step is needed to use Cloud Connector.

Configuring Syslog

You can configure Syslog within the Cloud Connector UI, in the MVISION Cloud UI, or you can configure it manually using a .json file. To configure multiple simultaneous Syslog streams, you must use manual configuration.

Web UI Configuration

IMPORTANT: The Web UI can only configure a single Syslog Stream, a single publisher, or both. To configure multiple streams, use manual configuration

  1. Open a web browser and enter the IP address you set during installation into the address bar.
  2. Log in using an email address and password with Cloud Connector privileges.
  3. From the Status page, click Setup Syslog Service. Or go to Log Processing > Syslog Service.
  4. Configure the following:
    • Syslog Protocol. This is the protocol on which the Syslog service listens. Possible options are UDP, TCP, and TLS-TCP for encrypted connections. When the Syslog server is running in TLS mode, it uses the same certificate as the web interface. Sending Syslog clients addresses the Syslog server by the hostname shown on the Status Overview page.
    • Port. This is the port where the syslog server listens for messages.
    • Log Filename Prefix. Each log file generated by the syslog server has a prefix and then the timestamp of the log. You can customize the prefix here.
    • Log File Directory. This is the location on your local system where the syslog log files are saved.
      NOTE: If you use a shared drive as a log location, configure the Log File Directory using the following pattern: //server/folder.
    • Process Logs Every X Minutes. Set the frequency for how often log files are rotated.
    • Maximum Log File Size. When this size of the current log file is reached, the log file is rotated and a new logfile is used.

5. Restart the MVISION Cloud Syslog Service through services control after making any changes.

Manual Configuration

The  Syslog service can monitor multiple incoming ports and process messages using multiple protocols. Syslog servers can manage multiple publishers that filter messages matching its specified protocol automatically. 

IMPORTANT: Each port must use a separate protocol. Our Syslog service cannot process more than one UDP or one TCP feed.

  1. Create a .json file named LP/config_store/syslogconfig.json and save it in the config_store/ directory on the local computer where Cloud Connector is installed.
  2. In the .json file, populate the information following the example below:
  • queueCapacity. Size of the queue for syslog message processing, leave this at 5000 and do not change unless instructed to do so by MVISION Cloud.
  • outputFileSizeInMegabytes. When this size of the current log file is reached, the log file is rotated and a new logfile is used.
  • publishPeriodInMinutes. The frequency that logs are rotated.
  • Servers. Each syslog server listens to a different port and publishes to different directories based on defined filters. Each Server requires the following configuration:
    • port. The port that the server listens to.
    • protocol. This is the message protocol used to send the syslog messages. Choose either UDP, TCP or SSLTCP.
    • publisherConfigs. Filters for incoming messages and output directories are configured here. Each publisher requires the following configuration.
      • pattern. The pattern in the incoming syslog file that the syslog server attempts to match. Wildcard character can be used here to catch multiple matching files.
      • tempFilename. The directory where the temporary logs are saved.
      • outputDirectory. This location on your local system is where the syslog log files is saved.
      • outputFilenameTemplate. Each log file generated by the syslog server has a prefix and then the timestamp of the log. You can customize the prefix here.

Configuration Example

{  
   "queueCapacity":5000,
   "outputFileSizeInMegabytes":5120,
   "publishPeriodInMinutes":60,
   "servers":[  
      {  
         "port":514,
         "protocol":"udp",
         "publisherConfigs":[  
            {  
               "pattern":".*zscaler.*",
               "tempFilename":"/shn/lp/syslog/zscaler.tmp",
               "outputDirectory":"/shn/lp/syslog/logs/zscaler",
               "outputFilenameTemplate":"syslogOut-zscaler"
            },
            {  
               "pattern":".*",
               "tempFilename":"/shn/lp/syslog/syslogudp.tmp",
               "outputDirectory":"/shn/lp/syslog/logs",
               "outputFilenameTemplate":"syslogOut-udp"
            }
         ]
      },
      {  
         "port":515,
         "protocol":"tcp",
         "publisherConfigs":[  
            {  
               "pattern":".*bluecoat.*",
               "tempFilename":"/shn/lp/syslog/bluecoat.tmp",
               "outputDirectory":"/shn/lp/syslog/logs/bluecoat",
               "outputFilenameTemplate":"syslogOut-bl"
            },
            {  
               "pattern":".*",
               "tempFilename":"/shn/lp/syslog/syslogtcp.tmp",
               "outputDirectory":"/shn/lp/syslog/logs",
               "outputFilenameTemplate":"syslogOut-tcp"
            }
         ]
      }
   ]
}
  • Was this article helpful?