0 Replies Latest reply on Oct 19, 2012 12:02 PM by jaimen

    Event Forwarding syslog over TCP

      When configuring an Event Forwarding destination to use one of the syslog formats, you may choose between the UDP or TCP transport protocols. UDP is the protocol standard syslog is based on. Packets sent via syslog over TCP are formatted exactly like their UDP counterparts including facility, severity, and message, the only exception being a new line character (ASCII character code 10) appended to the end of the message.

      Unlike UDP, which is a “connectionless” protocol, a TCP connection must be established between the ESM and the server listening for the forwarded events. If a connection cannot be established or the connection is dropped, the ESM keeps track of the last event successfully forwarded, and will try to establish the connection again in a few minutes. Once the connection is reestablished, the ESM picks up forwarding events where it left off.

      SSH Port Forwarding

      If you choose to use syslog over TCP, you have the option of making the TCP connection over an SSH tunnel. As syslog is an unencrypted protocol, using an SSH tunnel prevents your Event Forwarding messages from being examined by other parties.

      To enable SSH tunneling, configure your Event Forwarding destination to use one of the syslog formats over the TCP protocol. Several options on the configuration dialog determine how the SSH connection is made:

      • Use SSH – check this box to enable the use of the SSH tunnel
      • Local Relay Port – the port to use on the ESM's side of the SSH connection
      • Remote SSH Port – the port on which the SSH server is listening on the other side of the SSH connection
      • Destination Port – the port on which the TCP syslog server is listening on the other side of the connection
      • SSH Username – the SSH username to use to establish the SSH connection
      • SSH DSA Key – the public DSA authentication key used for SSH authentication. The contents of this field should be added to the authorized_keys file or equivalent on the machine running the SSH server.
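
The TCP framing described under "Event Forwarding syslog over TCP" above, as an added example that is not part of the original post or of the ESM product: a receiver-side decoder that reassembles LF-terminated messages from arbitrary TCP reads and splits the leading <PRI> value into facility and severity. The class and function names, the 8192-byte cap and the sample messages are assumptions constructed for illustration.

```python
FACILITY_MAX = 23   # PRI = facility * 8 + severity, so valid PRI is 0..191
MAX_LINE = 8192     # assumed per-message cap; not an ESM setting

def parse_line(line: bytes) -> dict:
    """Split '<PRI>message' into facility, severity and message text."""
    text = line.decode("utf-8", errors="replace")
    end = text.find(">")
    digits = text[1:end]
    if (text.startswith("<") and 2 <= end <= 4 and digits.isascii()
            and digits.isdigit() and int(digits) <= FACILITY_MAX * 8 + 7):
        pri = int(digits)
        return {"facility": pri >> 3, "severity": pri & 7, "message": text[end + 1:]}
    # No usable PRI: keep the raw text so nothing is silently lost.
    return {"facility": None, "severity": None, "message": text}

class SyslogTcpDecoder:
    """Buffers TCP stream data and returns one record per LF (ASCII 10)."""

    def __init__(self, max_line: int = MAX_LINE):
        self.buf = bytearray()
        self.max_line = max_line
        self.discarding = False   # True while skipping an oversized message
        self.dropped = 0

    def feed(self, chunk: bytes) -> list:
        """Add bytes from one recv() call; return the completed messages."""
        self.buf.extend(chunk)
        out = []
        while (idx := self.buf.find(b"\n")) >= 0:
            line = bytes(self.buf[:idx])
            del self.buf[:idx + 1]
            if self.discarding or len(line) > self.max_line:
                self.discarding = False
                self.dropped += 1
                continue
            out.append(parse_line(line))
        if len(self.buf) > self.max_line:
            # No LF within the cap: drop instead of buffering without bound.
            self.buf.clear()
            self.discarding = True
        return out

def demo() -> list:
    # Constructed sample: two messages split across three TCP reads.
    chunks = [b"<13>ESM event 1001 lo", b"gin failure\n<1",
              b"64>ESM event 1002 port scan\n"]
    dec = SyslogTcpDecoder()
    return [msg for chunk in chunks for msg in dec.feed(chunk)]

if __name__ == "__main__":
    for record in demo():
        print(record)
```

Because TCP delivers a byte stream, a single read can end in the middle of a message or contain several; the LF is the only message boundary, so a receiver that treats each read as one event will merge or truncate forwarded events.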