Send events to a third party SIEM

  • Document ID: 7016685
  • Created: 15-Jul-2015
  • Last modified: 15-Jul-2015

Environment

NetIQ Change Guardian 4.1
NetIQ Change Guardian 4.1.1
NetIQ Change Guardian 4.1.1.1
NetIQ Change Guardian 4.1.1.2

Situation

Send events to ArcSight
Send events to a third-party SIEM
Forward events to another product
How to set up syslog forwarding

Resolution

To create a syslog event destination, follow the steps below.
1.) Log in to the Policy Editor and select Settings.
2.) In the Event Destination Configuration window that opens, click Add.
3.) In the New Event Destination window, enter the connection details:
A.) NAME:  a unique name for the event destination.
B.) MODEL:  select Syslog Dispatcher to send events to a third-party SIEM. (To send events directly into Sentinel, select Rest Dispatcher instead.)
C.) DESCRIPTION:  a description of the event destination.
D.) HOST:  the target host that accepts the syslog traffic, i.e. the SIEM's collector or receiver.
E.) PORT:  the port on which the target host listens for syslog traffic. Confirm with the SIEM's documentation which transport (UDP or TCP) that port expects; plain syslog is sent in clear text, so keep the path between the Change Guardian server and the SIEM on a trusted network segment.
F.) USER:  a user that exists on the target host and is permitted to send syslog data to it.
G.) PASSWORD:  the password for the user given in the previous field.
H.) CONNECTION USAGE:  to forward only a subset of events, check "Destination used by CG Server to forward events matching the following event filter" and enter a filter in the field below the check box. The filter field must not be left blank when the box is checked.
4.) Save the new syslog event destination. Events should now begin flowing to the target host. Verify on the receiving side that the port is reachable from the Change Guardian server and that the SIEM's receiver reports incoming events from the Change Guardian server's address.
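One way to verify step 4 from the receiving end is a small syslog listener on the HOST/PORT you entered in the event destination. The block below is an added example, not part of this knowledge base article or of Change Guardian: it binds a UDP socket, parses each datagram as either BSD-style (RFC 3164) or RFC 5424 syslog, decodes the PRI field into facility and severity, and splits a key=value message body into fields. The two sample messages are constructed for illustration; the article does not describe Change Guardian's actual event layout, so the host name, tag and fields in them are assumptions.

```python
"""Minimal syslog receiver/parser for checking that forwarded events arrive.

Added example; not part of the NetIQ knowledge base article or of Change
Guardian. The sample messages are constructed and only illustrate the two
common syslog shapes (RFC 3164 and RFC 5424); Change Guardian's real event
layout is not described in the article.
"""
import re
import socket
import sys

# Constructed sample datagrams (hypothetical content, not real product output).
SAMPLE_RFC3164 = (b"<134>Jul 15 10:23:45 cg-server ChangeGuardian: "
                  b"policy=FileIntegrity action=modify path=/etc/passwd user=root")
SAMPLE_RFC5424 = (b'<134>1 2015-07-15T10:23:45.000Z cg-server ChangeGuardian 4711 - '
                  b'[meta key="value"] policy=FileIntegrity action=modify path=/etc/passwd')

# Facility and severity come from the <PRI> field: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# BSD-style (RFC 3164): <PRI>Mmm dd hh:mm:ss host tag[pid]: message
RFC3164_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.S)
# RFC 5424: <PRI>1 timestamp host app procid msgid structured-data message
# (structured data is matched loosely; a ']' inside a quoted value is not handled)
RFC5424_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    rb"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$", re.S)


def parse_syslog(raw: bytes) -> dict:
    """Parse one syslog datagram; raise ValueError if it is not well-formed syslog."""
    line = raw.rstrip(b"\r\n")
    for fmt, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(line)
        if not m:
            continue
        pri = int(m.group("pri"))
        if pri > 191:  # facility 23, severity 7 is the largest legal PRI
            raise ValueError("PRI out of range: %d" % pri)
        ev = {k: (v.decode("utf-8", "replace") if v is not None else None)
              for k, v in m.groupdict().items()}
        ev.update(format=fmt, pri=pri,
                  facility=FACILITIES[pri >> 3], severity=SEVERITIES[pri & 7])
        return ev
    raise ValueError("not a syslog message: %r" % line[:60])


def kv_fields(msg: str) -> dict:
    """Split a 'key=value key=value' message body into a dict (values stop at whitespace)."""
    return dict(re.findall(r"(\w+)=(\S+)", msg))


def listen(host: str, port: int, max_events=None):
    """Bind a UDP socket and yield parsed events (or an 'error' dict for bad datagrams).

    Run this on the HOST/PORT entered in the event destination to confirm that
    traffic from the Change Guardian server actually arrives. Ports below 1024
    need root, and the port must be open on any firewall in between.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        seen = 0
        while max_events is None or seen < max_events:
            data, peer = sock.recvfrom(65535)
            seen += 1
            try:
                ev = parse_syslog(data)
            except ValueError as exc:
                ev = {"error": str(exc)}
            ev["peer"] = peer[0]
            yield ev


if __name__ == "__main__":
    # Offline self-check on the constructed samples, then an optional live listener:
    #   python3 syslog_check.py 0.0.0.0 5514
    for sample in (SAMPLE_RFC3164, SAMPLE_RFC5424):
        ev = parse_syslog(sample)
        print(ev["format"], ev["facility"], ev["severity"], ev["host"], kv_fields(ev["msg"]))
    if len(sys.argv) == 3:
        for ev in listen(sys.argv[1], int(sys.argv[2])):
            print(ev)
```

Run it with a host and port to listen live, point the event destination's HOST and PORT at it (a high port such as 5514 if you cannot bind 514), and check that the Change Guardian server's address appears as the peer. The listener is UDP-only; if the SIEM receives syslog over TCP or TLS, confirm delivery from the SIEM's own receiver logs instead.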

Cause

Syslog forwarding lets events generated by NetIQ Change Guardian be sent directly to a third-party Security Information and Event Management (SIEM) system.