To enable the export of events in Technical Support Mode, you must first upload the public SSH key in the application web interface.
You can save files containing exported events locally on the server, and configure their publication to an external SIEM system. If you do not need to save files locally, you can skip steps 4–7 of the instructions in this section.
Perform the instructions below on each cluster node whose events you want to export in CEF format.
To configure export of events in CEF format:
1. Connect to the server over SSH. You will enter Technical Support Mode.

2. In the siemSettings section of the configuration file, specify the facility parameter. Possible values: Auth, Authpriv, Cron, Daemon, Ftp, Lpr, Mail, News, Syslog, User, Uucp, Local0, Local1, Local2, Local3, Local4, Local5, Local6, Local7.

   It is recommended to specify a category (facility) for Syslog that is not used by other programs on the server. The default value is local2.

3. Set the enabled parameter value to true, and specify the logLevel parameter:
   - Error – export events related to errors.
   - Info – export all events.

4. In the rsyslog configuration, exclude the selected facility from the general log and direct it to a separate file. Example: change the line

       *.info;mail.none;authpriv.none;cron.none;local0.none;local1.none /var/log/messages

   to

       *.info;mail.none;authpriv.none;cron.none;local0.none;local1.none;<facility selected at step 2>.none /var/log/messages

   and add the line

       <facility selected at step 2>.* -/var/log/ksmg-cef-messages

5. Create the log file and set its owner and permissions:

       touch /var/log/ksmg-cef-messages
       chown root:klusers /var/log/ksmg-cef-messages
       chmod 640 /var/log/ksmg-cef-messages

6. Configure rotation of the log file (logrotate configuration):

       /var/log/ksmg-cef-messages
       {
           size 500M
           rotate 10
           notifempty
           sharedscripts
           postrotate
               /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
           endscript
       }

7. Restart rsyslog:

       service rsyslog restart
This is necessary for synchronization of parameters among cluster nodes and for applying changes that were made to the configuration file. Then you can restore the original value of a modified parameter.
Export of events in CEF format is now configured.
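The rsyslog rule change described above, written as an idempotent shell function so it can be re-run safely on every cluster node. This is an added example and not part of the KSMG documentation; the function name add_cef_facility_rules and the sample rsyslog rule lines used in the comments are assumptions, and the first argument is whichever rsyslog configuration file holds the /var/log/messages rule on your node.

```shell
#!/bin/sh
# Added example (not from the KSMG documentation): apply the rsyslog rule
# change for a chosen facility, safely re-runnable on each cluster node.
# Usage: add_cef_facility_rules <rsyslog config file> <facility>   e.g. local2

CEF_LOG=/var/log/ksmg-cef-messages

add_cef_facility_rules() {
    conf="$1"
    fac="$2"
    # Accept only the facility names listed in the procedure (lowercase form).
    case "$fac" in
        auth|authpriv|cron|daemon|ftp|lpr|mail|news|syslog|user|uucp|local[0-7]) ;;
        *) echo "unsupported facility: $fac" >&2; return 1 ;;
    esac
    # Already routed to the CEF file? Then nothing to do.
    if grep -qE "^${fac}\.\*[[:space:]]+-?${CEF_LOG}" "$conf"; then
        return 0
    fi
    # 1. Exclude the facility from the catch-all /var/log/messages rule by
    #    appending "<facility>.none" to its selector (avoids duplicate logging).
    tmp="${conf}.tmp.$$"
    awk -v fac="$fac" '
        $NF == "/var/log/messages" && $1 ~ /^\*\.info;/ && index($1, fac ".none") == 0 {
            $1 = $1 ";" fac ".none"
        }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
    # 2. Route all priorities of the facility to the CEF file; the leading "-"
    #    tells rsyslog to buffer writes instead of syncing after every message.
    printf '%s.* -%s\n' "$fac" "$CEF_LOG" >> "$conf"
}
```

After running it, confirm with a test message (for example `logger -p local2.info test`) that the line appears in /var/log/ksmg-cef-messages and not in /var/log/messages, then restart rsyslog as in the procedure.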