Configuring Syslog Alerting for Intrusion Events

After you enable syslog alerting in an intrusion policy, the system sends all intrusion events to syslog, either to the managed device's own syslog facility or to one or more external hosts. If you specify external hosts, the syslog alerts are sent from the managed device itself, not from the management center, so each logging host must be reachable from the device and any intervening firewall must permit the device's syslog traffic.

Procedure


Step 1

In the intrusion policy editor's navigation pane, click Advanced Settings.

Step 2

Make sure Syslog Alerting is Enabled, then click Edit.

A message at the bottom of the page identifies the intrusion policy layer that contains the configuration. The Syslog Alerting page is added under Advanced Settings.

Step 3

Enter the IP addresses of the Logging Hosts where you want to send syslog alerts.

If you leave the Logging Hosts field blank, the logging host details are taken from the Logging settings of the associated access control policy; if no external logging host is configured there either, the managed device logs intrusion events using its own local syslog facility.

The system builds a separate network map for each leaf domain. In a multidomain deployment, using literal IP addresses to constrain this configuration can have unexpected results. Using override-enabled objects allows descendant domain administrators to tailor Global configurations to their local environments.

Step 4

Choose the Facility and Priority (syslog severity) levels as described in Facilities and Severities for Intrusion Syslog Alerts. The two values together form the syslog PRI header of every alert (facility * 8 + severity), so choose a facility that the receiving syslog server routes to the intended log file or SIEM input.

Step 5

To save changes you made in this policy since the last policy commit, choose Policy Information, then click Commit Changes.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.
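The procedure above ends at the sending side. As an added example that is not part of the Cisco documentation, the following Python script runs on the logging host entered in Step 3 and checks that intrusion alerts actually arrive from the managed device with the Facility and Priority (severity) chosen in Step 4. The PRI header layout (facility * 8 + severity) is the standard RFC 3164/5424 encoding; the device address 192.0.2.10, the UDP port, and the sample alert bodies are constructed for illustration and do not reproduce the text of a real intrusion alert.

```python
#!/usr/bin/env python3
"""Added verification example (not part of the Cisco documentation).

Run on the logging host entered in Step 3 to confirm that intrusion syslog
alerts arrive from the managed device with the Facility and Priority
(severity) chosen in Step 4.  PRI = facility * 8 + severity per RFC 3164/5424.
The sample datagrams and the device address 192.0.2.10 are constructed for
illustration; the body of a real intrusion alert differs.
"""
import re
import socket
import sys

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility: int, severity: int) -> int:
    """PRI value as it appears in the <N> header: facility * 8 + severity."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Inverse of encode_pri: returns (facility, severity)."""
    return pri // 8, pri % 8


def parse_message(raw: bytes) -> dict:
    """Split one syslog datagram into facility/severity names and the message body."""
    text = raw.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:          # 23 * 8 + 7 is the largest legal PRI
        return {"valid": False, "raw": text}
    fac, sev = decode_pri(int(m.group(1)))
    return {"valid": True, "facility": FACILITIES.get(fac, str(fac)),
            "severity": SEVERITIES[sev], "body": m.group(2).strip()}


def verify(raw: bytes, source_ip: str, expected_facility: str,
           expected_severity: str, allowed_sources: set) -> list:
    """Return findings for one datagram; an empty list means it matches the policy."""
    findings = []
    if source_ip not in allowed_sources:
        # Alerts are sent by the managed device, so any other sender is suspect.
        findings.append(f"unexpected sender {source_ip}")
    msg = parse_message(raw)
    if not msg["valid"]:
        findings.append("missing or out-of-range <PRI> header")
        return findings
    if msg["facility"] != expected_facility:
        findings.append(f"facility {msg['facility']} != configured {expected_facility}")
    if msg["severity"] != expected_severity:
        findings.append(f"severity {msg['severity']} != configured {expected_severity}")
    return findings


def serve(port: int, expected_facility: str, expected_severity: str,
          allowed_sources: set) -> None:
    """Listen on UDP and print a verdict for every datagram (Ctrl-C to stop)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    print(f"listening on udp/{port}; expecting {expected_facility}.{expected_severity}")
    while True:
        data, (src, _) = sock.recvfrom(65535)
        findings = verify(data, src, expected_facility, expected_severity, allowed_sources)
        body = parse_message(data).get("body", "<unparsable>")
        print("OK " if not findings else "BAD", src, body[:100], findings)


# Constructed sample datagrams: local0.warning (PRI 132) from the device, then
# the same alert with the wrong facility (PRI 140 = local1.warning), then one
# from a sender that is not a managed device.
SAMPLES = [
    (b"<132>Jan 01 12:00:00 sensor constructed intrusion alert text", "192.0.2.10"),
    (b"<140>Jan 01 12:00:01 sensor constructed intrusion alert text", "192.0.2.10"),
    (b"<132>Jan 01 12:00:02 other constructed intrusion alert text", "198.51.100.7"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: python3 verify_alerts.py 514 (needs privileges for port 514)
        serve(int(sys.argv[1]), "local0", "warning", {"192.0.2.10"})
    else:
        for raw, src in SAMPLES:
            print(src, verify(raw, src, "local0", "warning", {"192.0.2.10"}))
```

Run it without arguments to see the verdicts for the constructed samples, or with a port number to listen for real traffic; after committing the policy, trigger a rule that is set to generate events and watch for an OK line from the managed device's address. A BAD line with "unexpected sender" usually means a NAT device or relay in the path, and a facility or severity mismatch means the policy change has not yet been deployed to the device.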

What to do next