Log forwarding leverages the syslog-ng capabilities on the BDDS to forward service logs to a remote ArcSight server. By default, log messages of all services running on the Distributed DDNS Service Node are forwarded.
Note: Logs are sent remotely using UDP on port 514.
Prerequisites
- The BDDS must be able to communicate with the ArcSight logging server. Ensure that the firewall rules allow communication with the ArcSight server and that the BDDS can route traffic to it.
- The ArcSight logging server must be configured to receive messages from the BDDS.
To configure log forwarding on Service Nodes:
- Log in as the root user to the console of the BDDS on which the Service Node is configured.
- Create a new directory for syslog-ng using the following command:
  mkdir /etc/syslog-ng/scl/distributed_ddns/
- Download the ddns.conf configuration file and place it within the newly created directory.
- Log in to the Address Manager UI that controls the BDDS.
- Select the Servers tab.
- Under Servers, click the name of the BDDS with the Service Node deployed that contains the configuration file and newly created directory. The Details tab for the server opens.
- Click the server name menu and select Service Configuration.
- From the Service Type drop-down menu, select Syslog.
- Under SIEM Settings, set the following parameter:
  - Enable ArcSight Forwarding: select the check box and enter the IP address of the ArcSight server.
- Click Update.
For more information on the format of the log messages sent to the remote server, refer to Reference: CEF message format.
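Because UDP syslog gives the sender no delivery confirmation, the practical way to verify the procedure above is to capture what arrives on port 514 and check that it parses as CEF. The following is an added example, not BlueCat code or output: a minimal receiver and CEF parser. The vendor, product and extension values in the constructed sample are placeholders; the fields the BDDS actually emits are documented in the CEF message format reference.

```python
import re
import socket

# Constructed sample of a syslog datagram carrying a CEF event, shaped like one
# sent over UDP/514. Vendor, product and field values are placeholders only.
SAMPLE = (
    "<134>Feb 10 12:34:56 bdds-node1 CEF:0|ExampleVendor|Example DDNS|1.0|"
    "DDNS_UPDATE|Dynamic update accepted|3|src=192.0.2.10 dst=192.0.2.53 "
    "dhost=host1.example.test msg=zone\\=example.test op\\=update"
)
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

def split_cef_header(header):
    """Split the seven pipe-separated header fields, honouring '\\|' and '\\\\'."""
    fields, cur, i = [], [], 0
    while i < len(header) and len(fields) < 7:
        ch = header[i]
        if ch == "\\" and i + 1 < len(header):   # escaped '|' or '\'
            cur.append(header[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    return fields, header[i:]

def parse_extension(ext):
    """Parse 'key=value key2=value ...'; values may contain spaces and '\\='."""
    pairs = re.findall(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", ext)
    return {k: v.replace("\\=", "=") for k, v in pairs}

def parse_cef_syslog(line):
    """Return header fields plus an 'extension' dict, or None if not CEF."""
    m = re.search(r"CEF:(.*)$", line)
    if not m:
        return None
    fields, ext = split_cef_header(m.group(1))
    event = dict(zip(HEADER_FIELDS, fields))
    event["extension"] = parse_extension(ext)
    return event

def receive_events(bind_addr="0.0.0.0", port=514, count=1, timeout=10.0):
    """Bind UDP/514 (root required) and yield (sender_ip, parsed_event)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, port))
        for _ in range(count):
            data, peer = s.recvfrom(65535)
            yield peer[0], parse_cef_syslog(data.decode("utf-8", "replace"))
```

Run receive_events() on a test collector, temporarily entered as the ArcSight IP address, to confirm the BDDS is forwarding before pointing it at the production server; events that return None indicate the syslog stream is reaching the host but not in CEF form.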