Send system notifications to a remote syslog server
The syslog export option enables you to send alerts or audit logs from an ExtraHop
system to any remote system that receives syslog input for long-term archiving and
correlation with other sources.
Only one remote syslog server can be configured for each ExtraHop system.
You can send the following types of notifications to the syslog server:
By default, syslog messages are not compliant with RFC 3164 or RFC 5424.
However, you can format syslog messages to be compliant by modifying the running
configuration file.
Click Admin.
Click Running Config (Unsaved Changes).
Click Edit Config.
Add an entry under syslog_notification, where the key is rfc_compliant_format and the value is either rfc5424 or rfc3164.
The syslog_notification section should look similar to the following code:
(Optional) Modify the time zone referenced in syslog timestamps.
By default, syslog timestamps reference UTC time. However, you can modify
timestamps to reference the ExtraHop system time by modifying the running
configuration file.
Click Admin.
Click Running Config (Unsaved Changes).
Click Edit Config.
Add an entry under syslog_notification, where the key is syslog_use_localtime and the value is true.
The syslog_notification section should look similar to the following code:
After you confirm that your new settings are working as expected, preserve your
configuration changes through system restart and shutdown events by saving the running
configuration file.
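The two configuration edits above, plus a collector-side check that the exported lines really arrived in the format you configured, as an added example that is not ExtraHop's own code. It assumes the running config is JSON and uses only the section and key names given on this page (syslog_notification, rfc_compliant_format, syslog_use_localtime); the sample log lines are constructed.

```python
import json
import re

ALLOWED_FORMATS = {"rfc5424", "rfc3164"}  # the two values the page allows

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<\d{1,3}>1 \S+ \S+ \S+ \S+ \S+ (-|\[.*?\])( .*)?$"
)
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ .*$"
)


def set_syslog_format(running_config: dict, fmt: str, use_localtime: bool = False) -> dict:
    """Return a copy of the running config with the page's two keys added
    under syslog_notification; reject values the appliance does not accept."""
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"rfc_compliant_format must be one of {sorted(ALLOWED_FORMATS)}")
    cfg = json.loads(json.dumps(running_config))  # deep copy, leave input untouched
    section = cfg.setdefault("syslog_notification", {})
    section["rfc_compliant_format"] = fmt
    if use_localtime:  # default (False) keeps UTC timestamps, as on the page
        section["syslog_use_localtime"] = True
    return cfg


def classify_syslog_line(line: str) -> str:
    """Classify one received line as 'rfc5424', 'rfc3164' or 'noncompliant'."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "noncompliant"


def verify_export(lines, expected_fmt: str) -> list:
    """Return lines that do not match the configured format, so you can
    confirm the unsaved change took effect before saving the running config."""
    return [line for line in lines if classify_syslog_line(line) != expected_fmt]


# Constructed sample lines (not captured from a real ExtraHop system).
SAMPLE_LINES = [
    "<14>1 2024-05-01T12:00:00Z eda01 extrahop - - - alert fired",
    "<14>May  1 12:00:00 eda01 extrahop: alert fired",
    "eda01 extrahop alert fired",
]
```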