I have a single MWG7.3 and WR5.2 in my environement and I'm now going to be adding more appliances. I've found references to the following documents for setting up WR with mutiple appliances however FTP is disabled so I cannot check.
Are they all the same document? I've managed to download the doc in this post which looks promising but want ot be sure I have up2date info
Also, if I have configured SYSLOG to push to SIEM, do I also need to create additional log rules for each appliance here?
This document is a little dated for 7.0.
I'm not sure exactly which version this was added, but you don't need to do the same with current versions.
If you have multiple machines in a central management cluster, you can use the %h variable on the Destination and Host Autopushing parameters to provide unique values per appliance's host name.
So if I setup Web Reporter to accept incoming log file files from 3 appliances: mwg7-1, mwg7-2 and mwg7-3 and those are the host names of each appliance, I can substitute %h for the username:
If I wanted to push the access log from each MWG to a different FTP directory, i would do something like this:
You will need to make sure all the passwords are the same for each appliance because the shared configuration in a cluster gets replicated and the password cannot be substituted.
As for Syslog, i don't know which SIEM you use, but most syslog servers identify the sources by the IP address of the sender. you may not need to have a seperate log source in your case.
Spelling on 2/5/13 12:11:26 PM EST