Adding or Modifying Log Sources

You can add or modify log sources from the Management > Devices > Devices tab.

  • To add a new syslog log source, click the Add Device icon.
  • To modify an existing syslog log source, click an existing syslog log source name from the list.

Perform the following steps to add or modify a log source profile.

Procedure

  1. Type the name of the log source. The length of the log source name should not exceed 63 characters.
  2. Type a description of the log source.
  3. From the Device Type list, select the type of log source you are adding. This cannot be changed after adding the device profile.
    Note:
    • The File Transfer Rule tab displays only if you select a device type that supports file transfer rules. Otherwise, the tab does not display.
    • Selecting the LogLogic Database Security Manager device type causes the appliance to hang, because the device type is no longer supported. Do not use this device type.
  4. In the Host IP field, enter the IP address of the log source. When logs arrive from the specified device type, the LogLogic appliance uses the IP address of the added device to map the logs against the device instance.
    Note: For log sources such as Amazon S3 or Tibco® Mashery, you must enter a valid IP address because the field is mandatory. The value in this field is used only for indexing purposes and not for connecting to the log source.
  5. In the Collector Domain field, enter an identification name to be used for identifying each message sent from this device. This field can be empty. If defined, it must be a unique name with a maximum of 256 characters. Do not include special characters, for example, \ | / " ? * : %. This field is also case sensitive.
  6. Under Enable Data Collection, select the Yes radio button to accept logs from this log source.
  7. Select Refresh Device Name through the DNS Lookups to have the Name field automatically updated with a name obtained through a reverse DNS lookup. The lookup runs at the interval configured in the Refresh Auto-Identified Device Interval field on the General tab of the Administration > System Settings page. The DNS name overrides any name you assign in the Name field.
  8. In the Polling Interval field, enter the number of minutes between polls to retrieve log data from the Oracle database. The polling interval applies to all Oracle database instances configured for the log source. For example, to poll the Oracle database once every hour, enter 60.
  9. For Blue Coat Proxy SG only:
    • Select the Use SSL check box to use SSL to communicate from the appliance to the Blue Coat machine for file transfer.
    • Select the Use User Authentication check box to authenticate the user name and password for file transfer from the Blue Coat machine to the appliance. The user name and password should match one of the users listed in the User tab.
    • The SSL Certificate field contains an automatically generated certificate; copy it to the Blue Coat machine. You cannot use SSL without copying this certificate to your Blue Coat machine; for example, it must be in place before file transfers can be encrypted.
  10. (For Microsoft SQL Server only) Under the MS SQL Server Collector Configuration section, type in the following information:
    • Use DBCC TRACEON (optional): Select this check box to run the SQL query “DBCC TRACEON (1903)” before collecting log data.
    • Use XP Cmd Shell (optional): Select this check box to use xp_cmdshell.
    • Authentication: Select SQL Authentication or Windows Authentication.
    • Domain Name: If you selected Windows Authentication, provide the domain name of the user.
    • Database Name: Microsoft SQL Server database instance name.
    • Server Port: Port number for Microsoft SQL Server.
    • UserID: User name of the Microsoft SQL Server sysadmin user or of the Windows Authentication domain user, depending on the Authentication type selected.
    • Password/Confirm Password: Password for the corresponding user authentication type.
    • Polling Interval: Interval in minutes between two instances of data polling.
    • Rows per Collection: Maximum number of rows per collection.
    • No. of Collections: Maximum number of polling intervals per collection run.
    • Trace Files Path: Audit log file name for Microsoft SQL Server. The pathname must be the absolute path to the trace (.trc) file. The LogLogic appliance must be able to read new trace files that are created after a server restart.
    • Start Collection From Date: Date and time at which the LogLogic appliance begins collecting log data.
    Note: You can collect data from trace files at multiple locations. To specify an additional location, use the Add Row button and enter the trace file path and start time.
  11. Click Add or Update to save your changes.
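As an added check that is not part of the LogLogic documentation, the following T-SQL, run on the SQL Server instance as the account you intend to enter in the UserID field, shows the three things the MS SQL Server Collector Configuration depends on: whether that login holds the sysadmin role, whether xp_cmdshell is currently enabled behind the Use XP Cmd Shell check box, and the absolute path of each running trace to use in the Trace Files Path field. It uses only built-in SQL Server catalog views and functions.

```sql
-- Added example, not from the LogLogic documentation. Run on the SQL Server
-- instance to be collected, connected as the intended collector login.

-- 1. Confirm the collector login has the sysadmin role the UserID field calls for.
--    IS_SRVROLEMEMBER returns 1 = member, 0 = not a member, NULL = login unknown.
SELECT SUSER_SNAME()                 AS login_name,
       IS_SRVROLEMEMBER('sysadmin')  AS is_sysadmin;

-- 2. Show whether xp_cmdshell is currently enabled on this instance
--    (value_in_use = 1). This is the server-side state the
--    "Use XP Cmd Shell" check box relies on; leave the box clear and the
--    option disabled unless collection actually requires it.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = N'xp_cmdshell';

-- 3. List running SQL Trace sessions with the absolute .trc path of each.
--    The path column is the value the Trace Files Path field expects.
--    is_default = 1 marks the default trace; is_rollover = 1 means new
--    files are created as the trace rolls over, which the appliance must
--    be able to read (the page notes the same for files created after restart).
SELECT id, status, path, is_default, is_rollover, start_time
FROM   sys.traces
WHERE  status = 1;   -- 1 = running, 0 = stopped
```

Each query is read-only, so it is safe to run before and after saving the device profile to verify the prerequisites and record the baseline state of xp_cmdshell.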