The Syslog passive monitor listens for Syslog messages on the devices to which it is assigned. Syslog is a standard for computer data logging that separates the software that generates messages from the system that stores them and the software that reports and analyzes the logs.

Syslog messages refer to a facility (the type of program that logged the message) and are assigned a severity by the sender of the message. For more information about Syslog facilities and levels of severity, see RFC5424 (page 9 for facilities and page 10 for levels of severity). For an example of why you might create a Syslog Event, see Example of a Syslog Monitor (event).

The Syslog passive monitor does not require credentials to passively listen for Syslog messages.

Configure the Syslog passive monitor using the following boxes::

  • Name. Enter a unique name for the passive monitor. This name displays in the Monitor Library.
  • Description. (Optional) Enter a short description for the passive monitor. This description displays next to the monitor in the Monitor Library.
  • Match On. Click Add to create a syslog rules expression match scenario, test it, and compare it to syslog messages. The Rules Expression Editor allows you to use a rule expression to test a string of text for particular patterns. A syslog monitor can include data such as the event name, the IP address that the event came from, date of the event, etc. After creating an expression, click OK to insert that string into the list under Match On.
  • Edit. Click to edit a selected syslog match.
  • Remove. Click to remove a selected syslog match.