Task

Select Manager → → Setup → Notification → User Activity → Syslog. The Syslog page is displayed.

Fill in the following fields:

Enable Syslog Notification
    Yes is enabled; No is disabled.

Admin Domain
    Current: Send notifications for audit information in the current domain. Always enabled for the current domain.
    Children: Include audit information for all child domains of the current domain.

Server Name or IP Address
    Type either the host IP address or the server name of the syslog server where audit information will be sent. For the host IP address, you can enter either an IPv4 or an IPv6 address.

Port
    Port on the target server that is authorized to receive syslog messages. The standard syslog port, 514, is pre-filled in the field.

Facilities
    Standard syslog prioritization value. The choices are as follows:
    - Security/authorization (code 4)
    - Security/authorization (code 10)
    - Log audit (note 1)
    - Log alert (note 1)
    - Clock daemon (note 2)
    - Local user 0 (local0)
    - Local user 1 (local1)
    - Local user 2 (local2)
    - Local user 3 (local3)
    - Local user 4 (local4)
    - Local user 5 (local5)
    - Local user 6 (local6)
    - Local user 7 (local7)

Result Mapping
    You can map each audit result (Failed to, Successful to, and In Progress to) to one of the standard syslog severities listed below (default result severities are noted in parentheses):
    - Emergency: System is unusable
    - Alert: Action must be taken immediately
    - Critical (HIGH): Critical conditions
    - Error: Error conditions
    - Warning (MEDIUM): Warning conditions
    - Notice (LOW): Normal but significant condition
    - Informational (INFORMATIONAL): Informational message
    - Debug: Debug-level messages

Forward Audit
    Select the severity of the audit that you want forwarded to the syslog server. The options are:
    - Allow all Auditlogs
    - Failed only
    - Successful only
    - In Progress only

Message Preference
    Select the preference of the message. The options are:
    - System default: This is available by default
    - Customized: This is available once the notification is enabled

Click Apply.
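A worked example of the Facilities and Result Mapping fields above (added here; it is not Trellix/McAfee code): it computes the syslog PRI the Manager will send for a chosen facility and result severity, and decodes the <PRI> of a line arriving at the Graylog receiver so you can confirm the mapping took effect. The RESULT_MAPPING dict and SAMPLE_LINE are constructed assumptions; facility codes follow RFC 3164/5424.

```python
import re

# Facility choices offered on the Syslog page, with their numeric codes
# from RFC 3164 / RFC 5424 (both 9 and 15 are "clock daemon").
FACILITIES = {
    "security/authorization (code 4)": 4,
    "clock daemon (code 9)": 9,
    "security/authorization (code 10)": 10,
    "log audit": 13,
    "log alert": 14,
    "clock daemon (code 15)": 15,
    **{f"local{n}": 16 + n for n in range(8)},
}
# Syslog severities in numeric order 0..7, as listed under Result Mapping.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notice", "informational", "debug"]
# Constructed Result Mapping (an assumption, not the page's default): the
# Manager lets you pick any severity per audit result, so edit to match.
RESULT_MAPPING = {"Failed": "critical", "Successful": "informational",
                  "In Progress": "notice"}
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# Constructed sample line, as a local0 "Successful" audit event would arrive.
SAMPLE_LINE = "<134>Jan 10 12:00:00 nsm-manager NSM: user admin logged in (Successful)"

def pri(facility, severity):
    """PRI value the Manager emits for a facility/severity pair."""
    return FACILITIES[facility] * 8 + SEVERITIES.index(severity)

def expected_pri(facility, result, mapping=RESULT_MAPPING):
    """PRI an audit result should carry under the configured Result Mapping."""
    return pri(facility, mapping[result])

def decode_pri(message):
    """Split a received message's <PRI> into (facility code, name, severity)."""
    match = _PRI_RE.match(message)
    if not match:
        raise ValueError("no <PRI> prefix in %r" % message[:20])
    value = int(match.group(1))
    if value > 191:  # facility 23 * 8 + severity 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % value)
    fac_code, sev_code = divmod(value, 8)
    names = {code: name for name, code in FACILITIES.items()}
    return fac_code, names.get(fac_code, "facility %d" % fac_code), SEVERITIES[sev_code]

def receiver_check(message, facility, result, mapping=RESULT_MAPPING):
    """True if a line received by Graylog carries the PRI the mapping predicts."""
    match = _PRI_RE.match(message)
    return bool(match) and int(match.group(1)) == expected_pri(facility, result, mapping)
```

Run receiver_check against a few lines captured on the Graylog input after clicking Apply; a mismatch usually means the facility or Result Mapping on the Manager differs from what the Graylog stream rules expect.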
Import Digital Certificate

Trellix uses SSL as the transport mechanism to forward logs to a remote syslog server. Establishing trust between the Trellix appliance and the syslog receiver (Graylog) requires importing a new root CA into the Trellix appliance.

NOTE: the root CA file (.crt) to import will be provided by the SOCFortress team.

Perform the following steps to import the certificate:

1. Import the CA certificate into the Manager keystore:
   a. Copy the exported CA certificate CRT file to the \config folder.
      Note: Replace all with :\Program Files (x86)\McAfee\Network Security Manager\App.
   b. In the Manager, navigate to Start → Run, type cmd, and press ENTER.
   c. Import the certificate:
      For Manager version 8.1 or later, type the following command and press ENTER:
          \jre\bin\keytool.exe -import -alias "syslog-server" -keystore \config\CustomSecurity\customjssecacerts -file \config\CustomSecurity\syslog-server.crt
      For Manager versions earlier than 8.1, type the following command and press ENTER:
          \jre\bin\keytool.exe -import -alias "syslog-server" -keystore \config\jssecacerts -file \config\syslog-server.crt
   d. In the Password prompt, type changeit, and press ENTER.
   e. In the Trust this certificate prompt, type yes.

2. Verify the certificate import:
   a. In the Manager, navigate to Start → Run, type cmd, and press ENTER.
   b. Type the following:
      For Manager version 8.1 or later:
          \jre\bin\keytool.exe -list -keystore \config\CustomSecurity\customjssecacerts
      For Manager versions earlier than 8.1:
          \jre\bin\keytool.exe -list -keystore \config\jssecacerts
      The alias name LDAP certificate is listed.

3. Restart the Manager service:
   a. In the Manager, navigate to Start → Run, type cmd, and press ENTER.
   b. Click the Network Security Platform icon in the taskbar, and select Start Manager.