syslog-ng capabilities on the BDDS to forward database logs to a remote ArcSight server. By default, log messages of all services running on the Distributed DDNS Data Node are forwarded.

The BDDS must be able to communicate with the ArcSight logging server. Ensure that the firewall rules allow communication with the ArcSight server and that the BDDS can route traffic to the server. The ArcSight logging server must be configured to receive messages from the BDDS.
1. Log in to the console of the BDDS with the Data Node configured as the root user.
2. Create a new directory for syslog-ng using the following command:
   mkdir /etc/syslog-ng/scl/distributed_ddns/
3. Download the dddns_db.conf configuration file and place it in the newly created directory.
   Tip: If the BDDS runs multiple containers, you can configure it to forward logs from all of them. To do so, store a corresponding configuration file for each container in this directory, renaming the file if necessary.
4. Log in to the Address Manager UI that controls the BDDS.
5. Select the Servers tab.
6. Under Servers, click the name of the BDDS with the Data Node deployed that contains the configuration file and newly created directory. The Details tab for the server opens.
7. Click the server name menu and select Service Configuration.
8. From the Service Type drop-down menu, select Syslog.
9. Under SIEM Settings, set the following parameter:
   - Enable ArcSight Forwarding: select the check box and enter the IP address of the ArcSight server.
10. Click Update.
For more information on the format of the log messages sent to the remote server, see Reference: CEF message format.
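For readers who want to see what a syslog-ng forwarding destination looks like before the downloaded file is in place, the fragment below is an added example; it is not the dddns_db.conf that the procedure downloads and it is not BlueCat's configuration. It assumes a placeholder ArcSight receiver address of 192.0.2.10 listening for syslog on TCP port 514, and a local source named s_src that already collects the Data Node service messages.

```conf
# Added example only; not the product's dddns_db.conf.
# Assumptions: ArcSight receiver at 192.0.2.10 (placeholder address),
# TCP/514, and an existing local source named s_src.

destination d_arcsight {
    network(
        "192.0.2.10"
        port(514)
        transport("tcp")
        # Queue messages on disk while the ArcSight server is unreachable
        # so audit events are not silently dropped on a network outage.
        disk-buffer(
            mem-buf-size(10000)
            disk-buf-size(2000000)
            reliable(yes)
        )
    );
};

# Forward every message from the local source to the ArcSight destination.
log {
    source(s_src);
    destination(d_arcsight);
};
```

After dropping a file like this into /etc/syslog-ng/scl/distributed_ddns/, check the complete configuration with `syslog-ng -s` (syntax-only) before reloading with `syslog-ng-ctl reload`, and confirm that the address in the file matches the one entered under SIEM Settings; a mismatch between the two is a common reason forwarded events never reach the server.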