Define monitoring rules on a Log Server

Configure the rules that send monitoring data to a Log Server.

For more details about the product and how to configure features, click Help or press F1.

Steps

Select Dashboard > Servers / Devices.
Browse to Log Server.
Right-click the Log Server to which you want to send monitoring data, then select Properties.
Switch to the Monitoring tab.
To create a rule, click Add.
Configure the monitoring rules.
To remove a rule, select the rule, then click Remove.
Click OK.

Log Server Properties dialog box

Use this dialog box to define Log Server properties.

Option	Definition
General tab
Name	The name of the element.
Installation ID	Shows the unique installation identifier (UIID) for the SMC.
IPv4 Address	Specifies the IPv4 address or FQDN of the server. The server can have both an IPv4 and an IPv6 address.
IPv6 Address	Specifies the IPv6 address of the server. The server can have both an IPv4 and an IPv6 address.
Resolve	Automatically resolves the IP address of the server.
Location (Optional)	Specifies the location to which the server belongs if there is a NAT device between the server and other SMC components.
Contact Addresses section (All optional settings)
Default	Used by default when a component that belongs to another Location connects to this server.
Exceptions	Allows you to define exceptions to the default contact address. Opens the Exceptions dialog box.
Port (Optional)	Enter the Log Server's TCP Port Number. We recommend that you always use the default port 3020 if possible.
Log Storage Full	Specifies the action when the log storage on the Log Server is full. Stop Receiving — The Log Server stops receiving log entries. Overwrite Oldest — The Log Server overwrites log entries, starting with the oldest log entries.
Category (Optional)	Includes the element in predefined categories. Click Select to select a category.
Tools Profile	Adds commands to the right-click menu for the element. Click Select to select an element.
Comment (Optional)	A comment for your own reference.
Exclude from Log Browsing, Statistics and Reporting (Optional)	Select this option if you do not want the Log Server to gather statistical information for monitoring and you do not want its logging data to be included in Reports. In most situations, it is better to leave this option deselected.

Option	Definition
High Availability tab
Secondary Log Servers	Shows the secondary Log Servers. Click Add to add an element to the list, or Remove to remove the selected element.

Option	Definition
Elasticsearch tab The Elasticsearch tab is only visible after you have created an Elasticsearch Cluster element. Important: Forwarding log data to an Elasticsearch cluster is an advanced feature that requires knowledge of how to configure Elasticsearch. You must already have an Elasticsearch cluster deployed and configured in your environment.
Elasticsearch Cluster	Shows the Elasticsearch cluster that receives log data from the SMC server.
Client Authentication Settings	Defines how the connection between the server and the Elasticsearch cluster is secured. Inherited — The SMC server uses the settings defined in the Elasticsearch Cluster element. Override — The SMC server uses custom settings.
TLS Certificate	(When Override is selected.) Specifies the TLS certificate that is used to secure the connection between the SMC server and the Elasticsearch cluster. Use Internal Certificate — The SMC server uses its own internal certificate. Use Imported Certificate — The SMC server uses the specified external certificate. No Client Authentication — The connection is not authenticated.

Option	Definition
Monitoring tab
Log Server	The Log Server that monitors the status of the element.
Status Monitoring	When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Home view.
Probing Profile	Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception	Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile	Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone	Selects the time zone for the logs.
Encoding	Selects the character set for log files.
SNMP Trap Reception	Enables the reception of SNMP traps from the third-party device.
NetFlow Reception	Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).

Option	Definition
Audit Forwarding or Log Forwarding tab Click Add to add a row to the table, or Remove to remove the selected row.
Target Host	The Host element that represents the target host to which data is forwarded. Double-click to open the Select Host dialog box.
Service	Click the cell, then select the network protocol for forwarding data from the drop-down list. The following network protocol options are supported: TCP UDP TCP with TLS Kafka Kafka with TLS Note: For log data in IPFIX or NetFlow v9 format, UDP is the only available network protocol. You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Service you select is also used as the Service in the Access rule.
Port	The Port that is used for forwarding data. Double-click to edit the cell. The default port is 2055. For log data, the default port used by IPFIX/NetFlow data collectors is 2055. Note: You might have to define an Access rule that allows traffic to the target host. In this case, make sure that the Port you select is also used as the Port in the Access rule.
Format	Click the cell, then select the data forwarding format from the drop-down list. CSV — Forwards in comma separated value format. Short CSV — Forwards truncated data in comma separated value format. (Log Server only) XML — Forwards in XML format. JSON — Forwards log data in JSON format. CEF — Forwards in common event format. LEEF — Forwards in log extended event format. NetFlow v9 — Forwards in a format that is compatible with NetFlow v9. (Log Server only) IPFIX — Forwards in a format that is compatible with IPFIX. (Log Server only) McAfee ESM — Forwards in a format that is compatible with McAfee ESM. Note: You can customize the interval by which the NetFlow template is sent. This is done by modifying the parameter `NETFLOW_TEMPLATE_INTERVAL_SECONDS=<seconds>` in the SMC Log Server configuration file. The default interval is 300 seconds.
Data Type	Click the cell, then select the applicable data type option from the drop-down list. The log data for the selected data type only is forwarded to the target host.
Filter (Optional)	An optional local filter that defines which data is forwarded. The local filter is only applied to the data that matches the Audit Forwarding or Log Forwarding rule. Double-click to open the Local Filter Properties dialog box.
TLS Profile	Allows you to select a TLS Profile element that contains settings for cryptography, trusted certificate authorities, and the TLS version used in TLS-protected traffic. Double-click to open the Select Element dialog box. The TLS Profile is only available if you have selected TCP with TLS as the Service.
TLS Server Identity (Optional)	(When a TLS Profile is selected) Select the identity of a TLS server to secure the TLS-protected traffic from the Management Server or Log Server to an external syslog server. Double-click to open the TLS Server Identity dialog box.
TLS Certificate Used for Forwarding Logs	Select the certificate for TLS-protected data forwarding. Use Internal Certificate — A Management Server or Log Server certificate (signed by the Internal CA) is used for TLS-protected syslog communication. Use Imported Certificate — A certificate signed by an external CA is used. Click Select to select a certificate or to create a TLS Credentials element. No Client Authentication — The Management Server or Log Server certificate is not authenticated.
Kafka Topic	Double-click the cell to specify a name for the kafka topic. Kafka topics are log groups that hold messages and events in a logical order, which in turn allow users to send and receive data between kafka servers with ease.

Option	Definition
NAT tab (All optional settings)
Engine	Shows the selected engine.
NAT Type	Shows the NAT translation type: Static or Dynamic.
Private IP Address	Shows the Private IP Address.
Public IP Address	Shows the defined Public IP Address.
Port Filter	Shows the selected Port Filters.
Comment	An optional comment for your own reference.
Add NAT Definition	Opens the NAT Definition Properties dialog box.
Edit NAT Definition	Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition	Removes the selected NAT definition from the list.

Option	Definition
Certificate tab (All optional settings)
Current Certificate	Shows information about the current certificate of the server. Click Export Certificate to export the current certificate. Click Renew Certificate to renew the certificate.
Check Revocation	Checks against certificate revocation lists (CRLs) whether the certificate has been revoked. The certificate must be signed by a valid certificate authority.
Ignore Revocation Check Failures if There Are Connectivity Problems	When selected, the server ignores all CRL check failures if connectivity problems are detected.
Organization (O) (Optional)	The name of your organization as it appears in the certificate.
Organization Unit (OU) (Optional)	The name of your department or division as it appears in the certificate.
Country (C) (Optional)	Standard two-character country code for the country of your organization.
State/Province (ST) (Optional)	The name of state or province as it appears in the certificate.
Locality (L) (Optional)	The name of the city as it appears in the certificate.
Common Name (CN)	The value for the Common Name field in the certificate request. For server certificates, the value is typically the fully qualified domain name (FQDN).
Public Key Algorithm	The algorithm used for the public key.
Key Length	The length of the key in bits.
Serial Number	The sequence number of the certificate. The number is issued by the CA.
Signature Algorithm	The signature algorithm that was used to sign the certificate.
Certificate Request	Shows the certificate request as text. You can copy and paste the certificate request into an external application to sign the certificate.
Export Certificate Request	Exports the certificate request so that you can sign it using an external certificate authority.
Import Signed Certificate	Imports a certificate that has been signed using an external certificate authority.