Configure Syslog Hosts
- Last Updated: October 4, 2023
To meet requirements for persistent log storage and integration with Security Information and Event Management (SIEM) systems, it is important to configure a Syslog connection to a log collector.
Using the System Configuration > Logging Options > Syslog Options menu, enter an IP address, or addresses, and select the severity level. The Syslog server receiving port and protocol for communication (UDP, TCP, TLS) can optionally be configured.
When the TLS protocol is selected, the LoadMaster can use OCSP to check the validity of the server certificates supplied by configured Syslog servers. If these checks fail, connections to the server are not permitted.
Six different error message levels are defined, and each message level may be sent to a different server. Notice messages are sent for information only; Emergency messages normally require immediate user action.
Examples of the type of message that you may see after setting up a Syslog server are below:
- Emergency: Kernel-critical error messages
- Critical: Unit one has failed and unit two is taking over as master (in a High Availability (HA) setup)
- Error: Authentication failure for root from 192.168.1.1
- Warn: Interface is up/down
- Notice: Time has been synced
- Info: Local advertised ethernet address
To enable a Syslog process on a remote Linux server to receive Syslog messages from the LoadMaster, the Syslog process on that server must be started with the "-r" flag.
Server Certificate Validation
This check box only appears when TLS is selected as the Remote Syslog Protocol.
When Server Certificate Validation is enabled, the LoadMaster checks that the host name or IP address used to initiate the secure connection is present in the Certificate Subject or Subject Alternative Names (SAN) of the server's certificate.
Server Certificate Validation is disabled by default.
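A pre-check to run before enabling this option, as an added example that is not LoadMaster code: it tests whether the host name or IP address entered for a Syslog server appears in that server's certificate Subject or SAN, which is the condition Server Certificate Validation enforces. The certificate is a constructed sample in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the wildcard rule are assumptions, because the page does not describe the LoadMaster's matching logic.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the names and addresses are placeholders, not values from the LoadMaster docs.
SAMPLE_CERT = {
    "subject": ((("commonName", "syslog.example.com"),),),
    "subjectAltName": (
        ("DNS", "syslog.example.com"),
        ("DNS", "*.logs.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may replace the whole left-most label only (assumed rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_covers(cert, target):
    """Return True if target (as typed into the Syslog host field) appears in
    the certificate's SAN entries or its subject commonName."""
    sans = cert.get("subjectAltName", ())
    names = [v for k, v in sans if k == "DNS"]
    # The subject CN is consulted too because the page says Subject or SAN.
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return any(_dns_match(n, target) for n in names)
    # An IP target never matches a DNS pattern; compare it as an address so
    # different textual forms of the same IPv6 address still match.
    for c in [v for k, v in sans if k == "IP Address"] + names:
        try:
            if ipaddress.ip_address(c) == ip:
                return True
        except ValueError:
            continue
    return False
```

A `False` result for the address configured under Syslog Options means the TLS connection would be refused once validation is enabled, so either reissue the certificate with that name or IP in the SAN or configure the host by a name the certificate already carries.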