Like most Linux-based systems, NG Firewall supports remote syslog. This feature allows you to export system data to another system for analysis.
NG Firewall uses rsyslog for this function.
NOTE: All images can be clicked to view the full-sized version for additional detail. The full-size image will load in a new browser tab.
Enable Remote Syslog
- Go to Config > Events > Syslog.
- Enable the "Enable Remote Syslog" option.
- Configure the Syslog connection:
- Enter the IP Address or URL for your syslog server
- If you are not using the default port (UDP 514) set what you are using
- (Optional and not recommended at this point) Click Save in the lower right to apply the configuration.
Create a Syslog Rule
The default rule that is included when you first enable Syslog sends all data in all classes to the remote server. On most devices this will cause performance issues and may even make the system unstable and/or crash. Because of this we recommend disabling or deleting the default rule and creating a rule that sends only the data that you want/need to your remote server.
- Click the Add button. You should get a window similar to the one shown below.
- Enter a description for the rule and then click the drop down menu for Class.
- You can further limit the data sent by adding fields via the Add Field button and selecting the field you want to filter by:
- You can also can set a threshold on the rule so it only triggers after a certain number of matching events occur:
- Click Done in the bottom-right corner of the window and then click Save in the main window to apply your new rule.
For more information regarding what each of the classes used by Syslog contains, and how to use the fields to properly filter the data being sent, please refer to our Wiki page Event Definitions.