Download PDF

Product Requirements

RevealX Enterprise and ExtraHop Performance systems

Thank you! We will contact you soon to ask how we can improve our documentation. We appreciate your feedback.

Was this topic helpful?

Yes No

Thank you for your feedback. Can we contact you to ask follow up questions?

How can we improve?

Need more help?

Ask the Community

Send system notifications to a remote syslog server

The syslog export option enables you to send alerts or audit logs from an ExtraHop system to any remote system that receives syslog input for long-term archiving and correlation with other sources.

Only one remote syslog server can be configured for each ExtraHop system.

You can send the following types of notifications to the syslog:

Storage alert notifications
ExtraHop alert notifications

Note:

To send audit logs, see Send audit log data to a remote syslog server

Log in to the Administration settings on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
In the Network Settings section, click Notifications, then click Syslog.
In the Destination field, type the IP address of the remote syslog server.
From the Protocol drop-down menu, select TCP or UDP.
This option specifies the protocol over which the information will be sent to your remote syslog server.
In the Port field, type the port number for your remote syslog server.
The default value is 514.
Click Test Settings to verify that your syslog settings are correct.
If the settings are correct, you should see an entry in the syslog log file on the syslog server similar to the following:
```
Jul 27 21:54:56 extrahop name="ExtraHop Test" event_id=1
```
Click Save.
(Optional): Modify the format of syslog messages.
By default, syslog messages are not compliant with RFC 3164 or RFC 5424. However, you can format syslog messages to be compliant by modifying the running configuration file.
1. Click Admin.
2. Click Running Config (Unsaved Changes).
3. Click Edit Config.
4. Add an entry under syslog_notification, where the key is rfc_compliant_format and the value is either rfc5424 or rfc3164.
  The syslog_notification section should look similar to the following code:
```
    "syslog_notification": {
        "syslog_destination": "192.168.0.0",
        "syslog_ipproto": "udp",
        "syslog_port": 514,
        "rfc_compliant_format": "rfc5424"
    }
```
5. Click Update.
6. Click Done.
(Optional): Modify the time zone referenced in syslog timestamps.
By default, syslog timestamps reference UTC time. However, you can modify timestamps to reference the ExtraHop system time by modifying the running configuration file.
1. Click Admin.
2. Click Running Config (Unsaved Changes).
3. Click Edit Config.
4. Add an entry under syslog_notification where the key is syslog_use_localtime and the value is true.
  The syslog_notification section should look similar to the following code:
```
    "syslog_notification": {
        "syslog_destination": "192.168.0.0",
        "syslog_ipproto": "udp",
        "syslog_port": 514,
        "syslog_use_localtime": true
    }
```
5. Click Update.
6. Click Done.

Next steps

After you confirm that your new settings are working as expected, preserve your configuration changes through system restart and shutdown events by saving the running configuration file.

Last modified 2025-01-22

Documentation

Concepts

How To's

Walkthroughs

Admin Guides

API Guides

Deployment

Products

Network Detection and Response

Network Performance Monitoring

RevealX™ Platform

Customers

Community

Partners

Support

Training

Resources

Customer Stories

Integrations

Company

About Us

Careers

Newsroom

Events

Blog

Send system notifications to a remote syslog server