Product Requirements
- RevealX Enterprise and ExtraHop Performance systems
Send system notifications to a remote syslog server
The syslog export option enables you to send alerts from an ExtraHop system to any remote system that receives syslog input for long-term archiving and correlation with other sources.
Only one remote syslog server can be configured for each ExtraHop system.
- Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
- In the Network Settings section, click Notifications.
- In the Destination field, type the IP address of the remote syslog server.
- From the Protocol drop-down list, select TCP or UDP.
  This option specifies the protocol over which the information will be sent to your remote syslog server.
- In the Port field, type the port number for your remote syslog server.
  The default value is 514.
- Click Test Settings to verify that your syslog settings are correct.
  If the settings are correct, you should see an entry in the syslog log file on the syslog server similar to the following:
  Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
- Click Save.
- (Optional): Modify the format of syslog messages.
  By default, syslog messages are not compliant with RFC 3164 or RFC 5424. However, you can format syslog messages to be compliant by modifying the running configuration file.
  - Click Admin.
  - Click Running Config (Unsaved Changes).
  - Click Edit Config.
  - Add an entry under syslog_notification, where the key is rfc_compliant_format and the value is either rfc5424 or rfc3164.
    The syslog_notification section should look similar to the following code:
    "syslog_notification": {
        "syslog_destination": "192.168.0.0",
        "syslog_ipproto": "udp",
        "syslog_port": 514,
        "rfc_compliant_format": "rfc5424"
    }
  - Click Update.
  - Click Done.
- (Optional): Modify the timezone referenced in syslog timestamps.
  By default, syslog timestamps reference UTC time. However, you can modify timestamps to reference the ExtraHop system time by modifying the running configuration file.
  - Click Admin.
  - Click Running Config (Unsaved Changes).
  - Click Edit Config.
  - Add an entry under syslog_notification, where the key is syslog_use_localtime and the value is true.
    The syslog_notification section should look similar to the following code:
    "syslog_notification": {
        "syslog_destination": "192.168.0.0",
        "syslog_ipproto": "udp",
        "syslog_port": 514,
        "syslog_use_localtime": true
    }
  - Click Update.
  - Click Done.
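The following is an added example, not ExtraHop code, of what the receiving side of this procedure can look like: a small Python parser (with an optional UDP listener) that classifies an incoming line as the default ExtraHop shape shown in the Test Settings step, as RFC 3164, or as RFC 5424, extracts the key="value" pairs, and normalizes the timestamp to UTC. The sample lines are constructed for this example; the RFC 3164 and RFC 5424 variants are assumed renderings of the documented test message, not captured output. The `sender_tz` parameter exists because BSD-style timestamps carry no year and no zone, so a collector must know whether syslog_use_localtime is set on the appliance to interpret them correctly.

```python
"""Classify and parse syslog lines from a remote sender (added example, not ExtraHop's code)."""
import re
import socket
from datetime import datetime, timezone

# Constructed sample lines for this example; the first mirrors the documented test entry.
SAMPLES = [
    'Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1',
    '<13>Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1',
    '<13>1 2023-07-27T21:54:56Z extrahop extrahop - - - name="ExtraHop Test" event_id=1',
]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$'
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (no year, no zone)
RFC3164_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) (?P<msg>.*)$'
)
# Default ExtraHop shape: BSD timestamp and host, but no <PRI> header.
DEFAULT_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$'
)
# key=value pairs where the value is either "quoted" or a bare token.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(msg):
    """Turn 'name="ExtraHop Test" event_id=1' into a dict of strings."""
    fields = {}
    for key, raw, quoted in KV_RE.findall(msg):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def parse_bsd_timestamp(ts, year, sender_tz):
    """Attach the receiver-supplied year and the sender's zone, then convert to UTC."""
    naive = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=sender_tz).astimezone(timezone.utc)


def classify(line, year=2023, sender_tz=timezone.utc):
    """Return (format_name, fields). sender_tz is the zone the sender used for
    BSD timestamps: UTC by default, the appliance's local zone when
    syslog_use_localtime is true."""
    m = RFC5424_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return "rfc5424", {
            "pri": int(m["pri"]), "host": m["host"], "app": m["app"],
            "time_utc": ts.astimezone(timezone.utc), **parse_kv(m["msg"]),
        }
    m = RFC3164_RE.match(line)
    if m:
        return "rfc3164", {
            "pri": int(m["pri"]), "host": m["host"],
            "time_utc": parse_bsd_timestamp(m["ts"], year, sender_tz),
            **parse_kv(m["msg"]),
        }
    m = DEFAULT_RE.match(line)
    if m:
        return "extrahop-default", {
            "host": m["host"],
            "time_utc": parse_bsd_timestamp(m["ts"], year, sender_tz),
            **parse_kv(m["msg"]),
        }
    return "unknown", {"raw": line}


def listen_udp(bind_addr="0.0.0.0", port=5514, count=1, **kw):
    """Receive `count` datagrams (for example the Test Settings message) and classify them.
    Port 514 needs privileges; this uses a high port, so set the Port field to match."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while len(results) < count:
            data, peer = s.recvfrom(65535)
            line = data.decode("utf-8", "replace").rstrip("\r\n")
            results.append((peer[0], classify(line, **kw)))
    return results


if __name__ == "__main__":
    for sample in SAMPLES:
        fmt, fields = classify(sample)
        print(fmt, fields)
```

Run the module directly to see the three constructed samples classified, or call `listen_udp()` on the collector host and click Test Settings with the Port field set to the same high port. If the appliance is configured with syslog_use_localtime, pass `sender_tz=` with that zone so that the UTC value the parser produces lines up with events from other sources.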
Next steps
After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the running configuration file.