
Configuring Syslog to Collect Samhain Events

 

Before you configure JSA to integrate with Samhain HIDS using syslog, you must configure the Samhain HIDS system to forward logs to your JSA system.

The following procedure is based on the default samhainrc file. If the samhainrc file has been modified, some values might be different, such as the syslog facility; the facility used in the syslog forwarding rule below must match the one Samhain actually logs to.

  1. Log in to Samhain HIDS from the command-line interface.
  2. Open the following file:

    /etc/samhainrc

  3. Remove the comment marker (#) from the following line:

    SetLogServer=info

    Note: in current Samhain releases the option that sets the severity threshold for syslog output is named SyslogSeverity (in the [Log] section of samhainrc). If your file uses that name, uncomment that line and set it to info instead.

  4. Save and exit the file.

    Alerts are sent to the local system by using syslog.

  5. Open the following file:

    /etc/syslog.conf

  6. Add the following line:

    local2.* @<IP Address>

    Where <IP Address> is the IP address of your JSA. A single @ sends the events over UDP to port 514. The facility (local2 here) must match the SyslogFacility value in samhainrc; if Samhain logs to a different facility, use that facility in this rule.

  7. Save and exit the file.
  8. Restart syslog:

    /etc/init.d/syslog restart

    On systems that use rsyslog and systemd, place the rule in /etc/rsyslog.conf (or a file under /etc/rsyslog.d/) instead of /etc/syslog.conf and restart with systemctl restart rsyslog.

    Samhain now sends its events to JSA over syslog. To confirm the path works before configuring the DSM, check that new Samhain entries appear in the local syslog file and that the JSA host receives UDP traffic on port 514 from the Samhain system.

    You are now ready to configure Samhain HIDS DSM in JSA. To configure JSA to receive events from Samhain:

  9. From the Log Source Type list, select the Samhain HIDS option.