Event Forwarding syslog over TCP

When configuring an Event Forwarding destination to use one of the syslog formats, you may choose between the UDP or TCP transport protocols. UDP is the protocol standard syslog is based on. Packets sent via syslog over TCP are formatted exactly like their UDP counterparts including facility, severity, and message, the only exception being a new line character (ASCII character code 10) appended to the end of the message.

Unlike UDP, which is a “connectionless” protocol, a TCP connection must be established between the ESM and the server listening for the forwarded events. If a connection cannot be established or the connection is dropped, the ESM keeps track of the last event successfully forwarded, and will try to establish the connection again in a few minutes. Once the connection is reestablished, the ESM picks up forwarding events where it left off.
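The two behaviours described above, TCP framing that differs from UDP only by the trailing newline, and resuming from the last successfully forwarded event after a dropped connection, as an added example. This is not ESM code; the host name, tag and events are constructed, and the `send` callable stands in for a socket write (in SSH tunnel mode it would connect to the Local Relay Port on the ESM side).

```python
from typing import Callable, List, Tuple

def syslog_record(facility: int, severity: int, host: str, tag: str,
                  msg: str, transport: str = "udp") -> bytes:
    """Build a BSD-style syslog record. PRI = facility*8 + severity.
    The TCP form is identical except for the appended newline (ASCII 10)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    body = f"<{facility * 8 + severity}>{host} {tag}: {msg}".encode("utf-8")
    return body + b"\n" if transport == "tcp" else body

def split_tcp_records(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Receiver side of the TCP stream: records are newline-delimited, so a
    read may end mid-record. Returns (complete records, partial tail to keep)."""
    *complete, tail = buf.split(b"\n")
    return complete, tail

class Forwarder:
    """Forwards events over a connection that may drop, remembering the index
    of the first event not yet confirmed sent so a reconnect resumes there."""

    def __init__(self, send: Callable[[bytes], None]):
        self.send = send          # hypothetical transport write; may raise
        self.next_index = 0       # first event not yet successfully forwarded

    def run(self, events: List[bytes]) -> int:
        """Send events[next_index:] in order. Stops at the first transport
        failure without advancing next_index; returns the number sent this
        pass. The caller reconnects (after a delay) and calls run() again."""
        sent = 0
        while self.next_index < len(events):
            try:
                self.send(events[self.next_index])
            except (ConnectionError, OSError):
                break             # keep next_index; retry after reconnect
            self.next_index += 1
            sent += 1
        return sent
```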

SSH Port Forwarding

If you choose to use syslog over TCP, you have the option of making the TCP connection over an SSH tunnel. As syslog is an unencrypted protocol, using an SSH tunnel prevents your Event Forwarding messages from being examined by other parties.

To enable SSH tunneling, configure your Event Forwarding destination to use one of the syslog formats over the TCP protocol. Several options on the configuration dialog determine how the SSH connection is made:

  • Use SSH – check this box to enable the use of the SSH tunnel
  • Local Relay Port – the port to use on the ESM's side of the SSH connection
  • Remote SSH Port – the port on which the SSH server is listening on the other side of the SSH connection
  • Destination Port – the port on which the TCP syslog server is listening on the other side of the connection
  • SSH Username – the SSH username to use to establish the SSH connection
  • SSH DSA Key – the public DSA authentication key used for SSH authentication. The contents of this field should be added to the authorized_keys file or equivalent on the machine running the SSH server.