Monday
We have an active Syslog configuration.
Now the IP of the Syslog receiver will be changed.
At which point is the IP configuration of the Syslog done?
Tuesday
Check your alarm configuration = probably you are sending events to an external syslog server through an alarm rule.
Check NAC notifications = it is a common approach to send NAC related events to external syslog server.
Check the security best practices document (documentation); there are additional options for how to configure syslog export.
Tuesday
Mr. Pala is correct. You can forward syslog from SE to a third-party via Alarm actions, Control Notification rules and by making custom changes to the rsyslog configuration under-the-hood on SE itself. Those would be the three places you would have to look at.
Alarms & Events -> Alarm Configuration -> sort by Action -> look for any that are tied to syslog actions
Control -> Access Control -> Configuration -> Notifications -> look for any that are tied to syslog actions
/etc/rsyslog.conf under-the-hood via SSH
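For the third location named in the answer above, this added example (not part of the original thread and not vendor tooling) lists every remote receiver an rsyslog file forwards to, so the old SIEM address can be found before it is changed. It assumes `action()` statements are written on a single line; the sample config and its 192.0.2.x addresses are constructed.

```shell
# Added example: list remote syslog targets configured in rsyslog files.
# Handles legacy "@host" / "@@host" rules and single-line omfwd actions.
# On the server itself: list_forward_targets /etc/rsyslog.conf
list_forward_targets() {
  awk '
    # Return the value of name="value" on this line, or "" if absent.
    function attr(line, name,    re) {
      re = name "=\"[^\"]*\""
      if (!match(line, re)) return ""
      return substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
    }
    /^[ \t]*#/ { next }                      # ignore commented-out rules
    # Legacy syntax: "*.* @host:port" is UDP, "*.* @@host:port" is TCP.
    match($0, /[ \t]@@?[^ \t@]+/) {
      t = substr($0, RSTART + 1, RLENGTH - 1)
      if (substr(t, 1, 2) == "@@") { proto = "tcp"; t = substr(t, 3) }
      else                         { proto = "udp"; t = substr(t, 2) }
      print FILENAME ":" FNR ": " proto " " t
      next
    }
    # RainerScript syntax: action(type="omfwd" target="..." port="..." ...)
    /type="omfwd"/ {
      proto = attr($0, "protocol"); if (proto == "") proto = "udp"
      port  = attr($0, "port");     if (port  == "") port  = "514"
      print FILENAME ":" FNR ": " proto " " attr($0, "target") ":" port
    }
  ' "$@"
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# *.* @192.0.2.9:514
*.* @192.0.2.10:514
auth.* @@192.0.2.11:6514
action(type="omfwd" target="192.0.2.12" port="514" protocol="tcp")
*.info /var/log/messages
EOF
list_forward_targets "$sample"
rm -f "$sample"
```

Each output line gives the file, line number, transport and receiver, which is the line to edit when the receiver IP changes.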
Thursday
My configuration was under
Control -> Access Control -> Configuration -> Notifications
Many thanks for the hint.
Monday
We forward the logs from XIQ-SE to our SIEM solutions.
The SIEM Solutions will be changed. So I have to change the IP in the Syslog forwarding configuration.
Does this make my request more clear?