ASMS Monitoring and syslog messages

This section provides descriptions of how to configure ASMS to generate and send Syslog messages, as well as references of the messages generated.

ASMS can send monitoring messages using the syslog system, which is a standard for forwarding log messages in an IP network. ASMS can send syslog messages to local or remote servers, and external systems can read ASMS's monitoring messages and act upon their content.

Supported external syslog consumers include SIEM (Security Information and Event Management) and SOC (Security Operations Center) systems, such as ArcSight, Check Point Eventia, CA eTrust, NetIQ, and so on.

For more details, see:

ASMS syslog message syntax

ASMS stores syslog messages locally, in the /var/log/message directory, in CEF (Common Event Format).

Each message starts with a standard syslog prefix, including the event date and time, and the ASMS machine name. This prefix is followed by the CEF-standard, bar-delimited message format.

Syslog message headers have the following syntax:

CEF:0|AlgoSec|<Product Name>|<Version>|<Event>|<Event>|<Severity>|<Domain>|<Extension>

where:

  • <Product Name> is the name of the ASMS product that generated the message. For example: Firewall Analyzer, FireFlow, AppViz, etc.
  • <Version> is the version string. For example: v3200.0.270-b132
  • <Event> items are readable text that designate the message type.
  • <Severity> is a number between 0 and 7 and varies by message.
  • <Domain> is the domain name, or NONE if domains are not enabled.
  • <Extension> items contain more details in a parameter=value format.
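As an added example, not part of this documentation, the following Python parser takes one ASMS syslog line in the layout described above, separates the syslog prefix from the CEF header, honours CEF escaping of | and =, and unpacks the extension into parameter=value pairs. The prefix layout (BSD-style timestamp and host) and the event_id/event_name labels for the two <Event> items are assumptions, and the sample line is constructed.

```python
import re

# Header segments after the fixed "CEF:0" and "AlgoSec" segments, in the page's order;
# the two <Event> items are labelled event_id/event_name here (my labels, not the page's).
HEADER_FIELDS = ("product", "version", "event_id", "event_name", "severity", "domain")
# Assumed "standard syslog prefix": BSD-style timestamp and host, then the CEF body.
_PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<cef>CEF:.*)$")
# Extension key=value pairs: a value may hold spaces, so it ends where the next key begins.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def _split_header(body, count):
    # Split on '|' at most `count` times, honouring the CEF '\|' escape; the rest is kept raw.
    parts, cur, i = [], [], 0
    while i < len(body):
        if len(parts) == count:
            cur.append(body[i:])
            break
        if body[i] == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])
            i += 2
            continue
        if body[i] == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(body[i])
        i += 1
    parts.append("".join(cur))
    return parts

def parse_asms_syslog(line):
    # Returns a dict for one ASMS CEF syslog line; raises ValueError on malformed input.
    m = _PREFIX_RE.match(line)
    if not m:
        raise ValueError("no syslog prefix / CEF body found")
    seg = _split_header(m.group("cef"), 8)
    if len(seg) != 9 or seg[0] != "CEF:0" or seg[1] != "AlgoSec":
        raise ValueError("unexpected CEF header layout")
    rec = {"timestamp": m.group("ts"), "host": m.group("host")}
    rec.update(zip(HEADER_FIELDS, seg[2:8]))
    rec["severity"] = int(rec["severity"])
    if not 0 <= rec["severity"] <= 7:
        raise ValueError("severity must be between 0 and 7")
    rec["extension"] = {k: v.replace("\\=", "=").replace("\\\\", "\\")
                        for k, v in _EXT_RE.findall(seg[8])}
    return rec

# Constructed sample line (not real ASMS output); the escaped '|' and '=' exercise CEF escaping.
SAMPLE = ("Mar  3 14:07:51 asms-host CEF:0|AlgoSec|Firewall Analyzer|v3200.0.270-b132|ConfigChange|"
          "Rule \\|any\\| changed|5|NONE|dvc=fw-edge-1 msg=filter src\\=any rejected reason=timeout")
```

Feeding a line with a severity outside 0-7 or a missing header segment raises ValueError, which is the condition a SIEM ingest pipeline should alert on rather than silently drop.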
