  
Alerts Settings: Syslog
Use the Syslog tab in the Alerts Settings dialog box to configure DeviceLock Service for syslog.
To open this dialog box, do any of the following:
Right-click Alerts in the console tree, and then click Manage.
Select Alerts in the console tree, and then click Manage on the toolbar.
Select Alerts in the console tree; then, in the details pane, right-click Syslog and click Manage.
Select Alerts in the console tree, and then double-click Syslog in the details pane.
 
Note: You can define different online vs. offline alert settings. Online alert settings (Regular Profile) apply to client computers that are working online. Offline alert settings (Offline Profile) apply to client computers that are working offline. By default, DeviceLock works in offline mode when the network cable is not connected to the client computer. For detailed information on DeviceLock offline policies, see DeviceLock Security Policies (Offline Profile).
You can configure DeviceLock Service to automatically send alert notifications to the specified syslog server when alert conditions occur. These alerts are sent only when all of the following conditions are met:
The syslog server is set up to receive messages.
The remote computer running the syslog server is accessible from all computers running DeviceLock Service.
Sending alerts to the syslog server is configured.
DeviceLock comes with ready-to-use syslog message templates. These templates determine the basic content, format, and structure of notifications. DeviceLock provides the following templates:
A syslog message for administrative alerts.
A syslog message for all other alerts.
Each template contains the following information:
Message body - The text used in the body of the syslog message. The message body is the same in both templates and includes static text and macros. The default static text in the message body is “The following event has occurred”. You can use the following predefined macros to insert additional information in the body of the syslog message:
%EVENT_TYPE% - The class of event: Success for allowed access, Failure for denied access, or Information for administrative events.
%COMP_NAME% - The name of the computer from which the event was received.
%COMP_FQDN% - The fully-qualified domain name of the computer from which the event was received.
%COMP_IP% - The comma-delimited list of all network addresses (IPs) associated with the computer.
%DATE_TIME% - The date and time when the event was received by DeviceLock Service. The date and time are displayed based on the client computer’s regional and language settings.
%SOURCE% - The type of device or protocol involved.
%ACTION% - The user’s activity type.
%NAME% - The name of the object (file, USB device, etc.).
%INFO% - Other device-specific information for the event, such as the access flags, device names, and so on.
%REASON% - The cause of the event.
%USER_NAME% - The name of the user associated with this event.
%USER_SID% - The security identifier (SID) of the user associated with this event.
%PROC_NAME% - The name of the process associated with this event.
%PROC_ID% - The identifier of the process associated with this event.
%EVENT_ID% - The number identifying the particular event type.
%SUMMARY_TABLE% - A table detailing individual events for aggregated alerts.
These macros are replaced with their actual values at the message generation time.
Complete the Syslog tab as follows:
Server - Specify the IP address or fully qualified domain name of the syslog server.
Protocol - Select TCP or UDP as the transport used to reach the syslog server. The default selection is UDP. Note that UDP is connectionless: a datagram that is lost in transit, or sent to a server that is down, is neither retransmitted nor reported back to DeviceLock Service. If delivery of alerts matters and the syslog server supports it, use TCP.
Port - Specify the port number on which to send syslog messages. The default value is 514.
Framing - Specify how individual syslog messages are delimited when transported over TCP. DeviceLock supports these methods: Zero byte, LF, CR+LF, Message length (the RFC 6587 octet-counting method, in which each message is prefixed with its length in bytes). The method must match the one the receiving syslog server is configured for; with a mismatch the server sees wrong message boundaries rather than a clean error. A delimiter-based method (Zero byte, LF, CR+LF) cannot carry that delimiter inside a message body, so a multi-line body is safer with Message length framing.
Name - Specify the unique name for the log channel. The default name is DeviceLockAlert.
Facility code - Select a standard syslog facility value (0 through 23) to identify the type of program logging the message. Codes 16 through 23 are the local0 through local7 facilities, which are conventionally used for third-party applications and make it easy to route DeviceLock alerts with a facility filter on the syslog server.
Message size - Specify the maximum size of a syslog message, in bytes. The default value is 65535 bytes. Many receivers accept less than this (RFC 3164 sets 1024 bytes as the traditional limit; RFC 5424 only requires receivers to accept 480 bytes and recommends 2048), so a large aggregated alert may still be truncated on the server side even when DeviceLock Service sends it in full.
Edit Message - Customize the predefined contents of the syslog message for alerts based on the template.
In the Syslog Message for Alerts dialog box that opens you can also do the following:
Select the message severity level using the Level drop-down menu.
Load the specified message body from a tab-delimited text file (.txt). To do so, click Load. The entire contents of the file are loaded.
Restore the default settings. To do so, click Restore Defaults.
Edit Admin. Message - Customize the predefined contents of the syslog message for administrative alerts based on the template.
In the Syslog Message for Administrative Alerts dialog box that opens you can also do the following:
Select the message severity level using the Level drop-down menu.
Load the specified message body from a tab-delimited text file (.txt). To do so, click Load. The entire contents of the file are loaded.
Restore the default settings. To do so, click Restore Defaults.
Threshold - Specify the time interval (in hours, minutes and seconds) used for the aggregation of events when generating alerts. DeviceLock Service combines multiple similar events occurring within the threshold time and generates a summary in a single alert if all of the following conditions are true:
a) The events are of the same type (Success, Failure, or Information).
b) The events are associated with the same device type/protocol.
c) The events are associated with the same user.
d) The events are associated with the same PID.
The default value is 10 minutes.
 
Note: DeviceLock Service combines only access-related events when generating alerts. Administrative events are not aggregated.
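The following Python is an added illustration of the macro substitution described under Message body and of the Threshold aggregation rules above; it is not DeviceLock's own code. The window logic (a group stays open for the threshold measured from its first event), the tab-separated layout of the summary table, the field order of the template and the decision to leave unknown macros untouched are all assumptions of this example. The sample events are constructed.

```python
"""Added example: aggregate access events within a threshold window and render
the alert template with its macros. Illustrative code, not DeviceLock's
implementation; window logic, table layout and unknown-macro handling are
assumptions."""
import re
from datetime import datetime, timedelta

# Template built from the page's default static text and its macros.
# The order of the fields is this example's own choice.
DEFAULT_TEMPLATE = (
    "The following event has occurred: %EVENT_TYPE% %ACTION% on %COMP_NAME% "
    "by %USER_NAME% (%USER_SID%) via %SOURCE%, process %PROC_NAME% "
    "[%PROC_ID%], object %NAME%, reason: %REASON%\n%SUMMARY_TABLE%"
)
MACRO = re.compile(r"%([A-Z_]+)%")


def render(template, values):
    """Replace every %MACRO% with its value at message generation time.
    Unknown macros are left in place (assumption, not documented behaviour)."""
    return MACRO.sub(lambda m: str(values.get(m.group(1), m.group(0))), template)


def aggregation_key(ev):
    """The four Threshold conditions: same event type, same device type or
    protocol, same user, same PID."""
    return (ev["EVENT_TYPE"], ev["SOURCE"], ev["USER_SID"], ev["PROC_ID"])


def aggregate(events, threshold_seconds=600):
    """Group access events that share a key and fall within the threshold of
    the first event of their group. Administrative (Information) events are
    never combined. Returns a list of groups, each a list of events."""
    threshold = timedelta(seconds=threshold_seconds)
    open_groups = {}   # key -> the group still accepting events
    alerts = []
    for ev in sorted(events, key=lambda e: e["DATE_TIME"]):
        if ev["EVENT_TYPE"] == "Information":
            alerts.append([ev])
            continue
        key = aggregation_key(ev)
        group = open_groups.get(key)
        if group is not None and ev["DATE_TIME"] - group[0]["DATE_TIME"] <= threshold:
            group.append(ev)
        else:
            group = [ev]
            open_groups[key] = group
            alerts.append(group)
    return alerts


def summary_table(group):
    """Tab-separated table of the individual events behind an aggregated
    alert; empty for a single event (assumed layout)."""
    if len(group) < 2:
        return ""
    rows = ["Time\tAction\tObject\tReason"]
    rows += ["%s\t%s\t%s\t%s" % (ev["DATE_TIME"].strftime("%H:%M:%S"),
                                 ev["ACTION"], ev["NAME"], ev["REASON"])
             for ev in group]
    return "\n".join(rows)


def build_alerts(events, template=DEFAULT_TEMPLATE, threshold_seconds=600):
    """One rendered message body per alert, in time order."""
    out = []
    for group in aggregate(events, threshold_seconds):
        values = dict(group[0])
        values["SUMMARY_TABLE"] = summary_table(group)
        out.append(render(template, values))
    return out


def _event(hms, etype, source, pid, action, name, reason):
    # Constructed sample event; fixed user, host and process for brevity.
    return {"DATE_TIME": datetime(2024, 5, 1, *hms), "EVENT_TYPE": etype,
            "SOURCE": source, "ACTION": action, "NAME": name, "REASON": reason,
            "COMP_NAME": "WS042", "USER_NAME": "CORP\\jdoe",
            "USER_SID": "S-1-5-21-1-2-3-1001", "PROC_NAME": "explorer.exe",
            "PROC_ID": pid}


# Constructed sample events (not real DeviceLock output), deliberately out of order.
SAMPLE_EVENTS = [
    _event((9, 3, 0), "Failure", "Removable", 4120, "Write", "E:\\budget.docx", "Denied by permissions"),
    _event((9, 0, 0), "Failure", "Removable", 4120, "Write", "E:\\payroll.xlsx", "Denied by permissions"),
    _event((9, 20, 0), "Failure", "Removable", 4120, "Write", "E:\\notes.txt", "Denied by permissions"),
    _event((9, 4, 0), "Information", "Service", 1200, "Settings changed", "Alerts", "Administrator action"),
    _event((9, 5, 0), "Failure", "Removable", 5000, "Write", "E:\\export.csv", "Denied by permissions"),
]

if __name__ == "__main__":
    for body in build_alerts(SAMPLE_EVENTS):
        print(body, end="\n\n")
```

With the default 10-minute threshold the five sample events become four alerts: the two 09:00 and 09:03 writes from PID 4120 merge into one alert with a summary table, the administrative event and the PID 5000 write stay separate, and the 09:20 write starts a new window. Lowering the threshold to two minutes yields five alerts.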
Test - Send a test syslog message to verify that DeviceLock Service is configured correctly. This test operation can have two different outcomes, each resulting in a different message being displayed:
The test can complete successfully, meaning that a test message was successfully sent using the configured syslog parameters. The resulting message states: “Test Syslog alert was successfully sent.”
The test can fail, meaning that a test message was not sent. The resulting message states: “Test Syslog alert was not sent due to error: <error description>.”
Keep in mind that a successful result means the message left DeviceLock Service, not that the syslog server received it. Over UDP in particular, a message sent to the wrong port or to a host that is not listening is reported as sent, so confirm that the test message actually appears in the server's log before relying on the configuration.
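The following Python is an added example, not DeviceLock's code, that shows what the Protocol, Port, Framing, Facility code and Message size settings mean on the wire and what a receiver has to do to recover the messages, including the mismatch case a Test cannot detect. The RFC 3164-style line layout, the fixed timestamp and the use of the channel Name as the message tag are assumptions; the message body is constructed.

```python
"""Added example: syslog PRI, the four TCP framing methods from the Framing
field, and a receiver that de-frames a byte stream. Illustrative code, not
DeviceLock's implementation; line layout and tag are assumptions."""
import re

SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
LOCAL0 = 16  # facility codes 16..23 are local0..local7


def pri(facility, severity):
    """PRI field: facility * 8 + severity (RFC 3164 / RFC 5424)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def build_message(facility, severity, host, channel, body, max_size=65535):
    """Encode one syslog line and cut it at the configured Message size."""
    line = "<%d>May  1 09:00:03 %s %s: %s" % (pri(facility, severity), host, channel, body)
    return line.encode("utf-8")[:max_size]


# The four TCP framing methods offered in the Framing field.
FRAMERS = {
    "Zero byte": lambda m: m + b"\x00",
    "LF": lambda m: m + b"\n",
    "CR+LF": lambda m: m + b"\r\n",
    "Message length": lambda m: str(len(m)).encode() + b" " + m,  # RFC 6587 octet counting
}
DELIMITERS = {"Zero byte": b"\x00", "LF": b"\n", "CR+LF": b"\r\n"}


def deframe(stream, method):
    """Receiver side: split a TCP byte stream into messages using `method`.
    A receiver set to a different method than the sender gets wrong message
    boundaries, which is the failure this example demonstrates."""
    if method == "Message length":
        msgs, i = [], 0
        while i < len(stream):
            sp = stream.find(b" ", i)
            if sp < 0 or not stream[i:sp].isdigit():
                raise ValueError("stream is not octet-counted at offset %d" % i)
            n = int(stream[i:sp])
            msgs.append(stream[sp + 1:sp + 1 + n])
            i = sp + 1 + n
        return msgs
    return [p for p in stream.split(DELIMITERS[method]) if p]


PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_pri(msg):
    """Return (facility, severity) from a received message, or None when the
    message does not start with a valid PRI (the symptom of bad framing)."""
    m = PRI_RE.match(msg)
    if not m or int(m.group(1)) > 191:
        return None
    p = int(m.group(1))
    return p // 8, p % 8


if __name__ == "__main__":
    # Constructed two-line body, as an aggregated alert with a summary table might have.
    msg = build_message(LOCAL0, SEVERITY["warning"], "WS042", "DeviceLockAlert",
                        "The following event has occurred: Failure Write\n"
                        "09:00:03\tWrite\tE:\\payroll.xlsx")
    for method in FRAMERS:
        stream = FRAMERS[method](msg) * 2          # two messages back to back
        print("%-15s -> %d message(s)" % (method, len(deframe(stream, method))))
    # Mismatch: sender uses octet counting, receiver expects LF.
    pieces = deframe(FRAMERS["Message length"](msg), "LF")
    print("mismatch        ->", [parse_pri(p) for p in pieces])
```

Running the script shows two messages recovered for Zero byte, CR+LF and Message length, but four for LF, because the embedded newline in the body is indistinguishable from the delimiter; with the sender on Message length and the receiver on LF, every recovered piece fails PRI parsing, which is what a misconfigured server would log while DeviceLock's Test still reports success.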