3 Replies   Latest reply: Apr 27, 2012 3:35 PM by rand000

Sending syslog/events from Bit9 parity to Solarwinds LEM

rand000

Has anyone had success doing this? We are having a hard time making this work.

  • Re: Sending syslog/events from Bit9 parity to Solarwinds LEM
    nicole pauls

    We'll create a KB for this one once we've been able to confirm the instructions. Basically, you'll need to configure the Bit9 Parity system to syslog, then configure the Bit9 Parity syslog connector on the LEM appliance (or syslog server agent node).


    To configure Bit9 to syslog (you should enter the LEM appliance or syslog server's IP under "IP address" and the default port of 514 should be correct):

    Forwarding events to syslog is done through the Server Status view on the System Configuration page. This page displays information about the Parity Server and allows editing of several parameters. To configure syslog, click Edit at the bottom of the page, tick the "Syslog enabled" check box and enter the IP address next to "Syslog address". Verify that the "Syslog port" entry is correct and click "Update".

    After doing that, go to Manage > Appliances (assuming you're syslogging to the LEM appliance directly), click the gear and choose "Tools", then navigate to the "Data Loss Prevention" section, click the Gear next to "Bit9 Parity v5+ Syslog" and choose "New". You should be able to just hit save (unless you need/want to change the name) and then click Gear > Start to start the monitoring.


    It's of course possible that Bit9 has changed things since our initial integration, so if you run into problems, let us know.


    You might be the same person that contacted support for help. If so, and they do solve your problem, post back here and let us know how.

    • Re: Sending syslog/events from Bit9 parity to Solarwinds LEM
      rand000

      I'm still working with Solarwinds support to resolve this issue.  We are getting syslog from Bit9 Parity to LEM, and we can see the syslog in the LEM command line "checklogs" under consolidated syslog, but we are not seeing the data in the LEM console.  Erica has been very helpful, and he is escalating this issue.  I'll post the resolution here once we have it.


      Regards,

      Randy

      • Re: Sending syslog/events from Bit9 parity to Solarwinds LEM
        rand000

        I fixed the issue. When sending syslog from Bit9 Parity to Solarwinds LEM the syslog format on Parity needs to be set to "Basic (RFC3164)", and on LEM the Parity Tool needs to have the log file pointed at /var/log/user.log. The syslog from Bit9 Parity does not go to any of the local syslog files on LEM, but it goes to the user.log file.


        Regards,

        Randy
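The resolution above hinges on two things a captured sample line can confirm: that the sender is emitting the "Basic (RFC3164)" framing rather than RFC 5424, and that the PRI value decodes to the "user" facility, which is why a stock syslog daemon files the messages under /var/log/user.log rather than the other local logs. The following checker is an added example, not code from the thread, from SolarWinds or from Bit9; it assumes the default facility-to-file routing of a typical syslog daemon (user facility to /var/log/user.log, as this thread reports for LEM), and the sample lines are constructed to look like what "checklogs" might show, not real Parity output.

```python
import re

# Facility numbers from RFC 3164 section 4.1.1 (facility 1 is "user").
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed routing of a stock syslog daemon config; adjust to the appliance's real config.
ASSUMED_LOGFILE = {"user": "/var/log/user.log", "auth": "/var/log/auth.log",
                   "kern": "/var/log/kern.log"}

# RFC 3164 "basic" framing: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# RFC 5424 framing: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
RFC5424_RE = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample lines (hypothetical host "parity01"; not real Parity output).
SAMPLE_LINES = [
    "<14>Apr 27 15:35:01 parity01 Parity: file approved by policy",
    "<14>1 2012-04-27T15:35:01Z parity01 Parity - - - file approved by policy",
    "<38>Apr 27 15:35:02 parity01 sshd: session opened",
]


def parse_syslog(line):
    """Decode framing, facility and severity from one syslog line.

    Returns a dict with keys format, facility, severity, host, msg.
    Raises ValueError for lines that match neither framing or carry a bad PRI.
    """
    fmt, m = "RFC3164", RFC3164_RE.match(line)
    if m is None:
        fmt, m = "RFC5424", RFC5424_RE.match(line)
    if m is None:
        raise ValueError("unrecognised syslog line: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the maximum legal PRI
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    return {"format": fmt,
            "facility": FACILITIES.get(facility, "facility%d" % facility),
            "severity": SEVERITIES[severity],
            "host": m.group("host"),
            "msg": m.group("msg")}


def expected_logfile(line):
    """File a stock syslog daemon would (by assumption) append this line to."""
    return ASSUMED_LOGFILE.get(parse_syslog(line)["facility"], "/var/log/messages")


def lem_ready(line):
    """True when the line has the framing and facility this thread reports as working:
    RFC 3164 framing, user facility (so it lands in /var/log/user.log)."""
    parsed = parse_syslog(line)
    return parsed["format"] == "RFC3164" and parsed["facility"] == "user"


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        p = parse_syslog(sample)
        print("%-8s %-6s %-7s -> %-18s ready=%s" % (
            p["format"], p["facility"], p["severity"], expected_logfile(sample), lem_ready(sample)))
```

Run it against a few lines copied out of the consolidated syslog view: a line that reports RFC5424 framing points at the Parity-side format setting, while a line whose facility is not "user" means the Tool's log file path needs to follow the facility rather than default to user.log.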