Configuring Syslog to Collect Samhain Events

27-Mar-21

Before you configure JSA to integrate with Samhain HIDS using syslog, you must configure the Samhain HIDS system to forward logs to your JSA system.

The following procedure is based on the default samhainrc file. If the samhainrc file has been modified, some values, such as the syslog facility, might differ.

  1. Log in to Samhain HIDS from the command-line interface.
  2. Open the following file:

    /etc/samhainrc

  3. Remove the comment marker (#) from the following line:

    SetLogServer=info

  4. Save and exit the file.

    Alerts are sent to the local system by using syslog.

  5. Open the following file:

    /etc/syslog.conf

  6. Add the following line:

    local2.* @<IP Address>

    Where <IP Address> is the IP address of your JSA.

  7. Save and exit the file.
  8. Restart syslog:

    /etc/init.d/syslog restart

    Samhain now sends its logs to JSA by using syslog.

    You are now ready to configure Samhain HIDS DSM in JSA. To configure JSA to receive events from Samhain:

  9. From the Log Source Type list, select the Samhain HIDS option.
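The two file edits in steps 2 through 6, as an added shell example that is not part of the JSA documentation: each function takes the file path as an argument so the edits can be rehearsed on copies and verified before the live /etc files are touched. It assumes the samhainrc line is exactly `#SetLogServer=info` and the facility is `local2`, as the procedure states; the address 192.0.2.10 and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the JSA documentation. Applies and verifies the
# samhainrc and syslog.conf edits described in the procedure on paths passed
# as arguments. Assumes the default "#SetLogServer=info" line and the
# local2 facility from the page; a modified samhainrc may use another facility.

# enable_samhain_syslog RCFILE
# Removes the comment marker from "#SetLogServer=info"; no-op if already active.
enable_samhain_syslog() {
    rc="$1"
    grep -q '^SetLogServer=info' "$rc" && return 0
    sed 's/^#[[:space:]]*SetLogServer=info/SetLogServer=info/' "$rc" > "$rc.tmp" && mv "$rc.tmp" "$rc"
}

# add_forwarding_rule SYSLOGCONF COLLECTOR_IP
# Appends "local2.* @IP" exactly once. Rejects anything that is not dotted
# digits so a typo cannot point the host's local2 stream at an unintended host.
add_forwarding_rule() {
    conf="$1"; ip="$2"
    case "$ip" in
        *[!0-9.]*|"") echo "collector address must be a dotted IPv4 address" >&2; return 1 ;;
    esac
    grep -q "^local2\.\*[[:space:]]*@$ip\$" "$conf" && return 0
    printf 'local2.* @%s\n' "$ip" >> "$conf"
}

# verify_forwarding RCFILE SYSLOGCONF COLLECTOR_IP
# Succeeds only when both edits are present: Samhain logs to syslog and
# syslog forwards the local2 facility to the collector.
verify_forwarding() {
    grep -q '^SetLogServer=info' "$1" && grep -q "^local2\.\*[[:space:]]*@$3\$" "$2"
}

# Demo on constructed copies (never on the live /etc files).
demo=$(mktemp -d)
printf '# constructed samhainrc fragment\n#SetLogServer=info\n' > "$demo/samhainrc"
printf '*.info;mail.none /var/log/messages\n' > "$demo/syslog.conf"
enable_samhain_syslog "$demo/samhainrc"
add_forwarding_rule "$demo/syslog.conf" 192.0.2.10
verify_forwarding "$demo/samhainrc" "$demo/syslog.conf" 192.0.2.10 && echo "forwarding configured"
rm -rf "$demo"
```

After the real files are edited, restart syslog as in step 8 and run `verify_forwarding /etc/samhainrc /etc/syslog.conf <JSA IP>` to confirm both halves of the configuration are in place.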