During syslog configuration, you can opt to send Console events, Device events, or both. Any events generated by the AirWatch Console are sent to your SIEM tool according to the scheduler settings. Syslog can be configured for both on-premises and SaaS deployments.

To configure syslog:

  1. Navigate to Hub > Reports & Analytics > Events > Syslog.
  2. On the General tab, configure the following syslog settings:

    Setting: Description
    Syslog Integration: Enable or disable syslog integration.
    Host Name: Enter the URL for the SIEM tool in the Host Name field.
    Protocol: Select the required protocol from the available options to send the data. Note that TLS v1.1 is supported.
    Port: Enter the port number to communicate with the SIEM tool in the Port field.
    Syslog Facility:

    Select the facility level for the feature from the Syslog Facility menu. The syslog protocol defines the syslog facility.

    The widespread use and manipulation of the syslog protocol can clutter the meaning of the syslog facility. However, it can roughly suggest which part of a system a message originated from, and it can help distinguish different classes of messages. Some administrators use the syslog facility in rules to route parts of messages to different log files.

    Message Tag: Enter a descriptive tag to identify events from the AirWatch Console in the Message Tag field. For example, "AirWatch".
    Message Content:

    Enter the data to include in the transmission in the Message Content field. This is how the message data is formatted when it is sent to your SIEM tool using syslog. Use lookup values to set the content. With Secure TCP, new-line (CRLF) formatting entered with Enter, \n, or \r does not work; it is automatically converted to a tab (\t).

  3. On the Advanced tab, configure the following settings:

    Setting: Description
    Console Events: Select whether to enable or disable the reporting of Console events.
    Select Console Events to Send to Syslog:

    Visible if you enable Console Events. For each sub-heading, select the specific events that you want to trigger a message to syslog.

    Use Select All or Clear All to select or clear all the events at once. To select or clear specific events, enable or disable the checkboxes.

    Note: When you enable Console Events, all events under all categories of console events are selected by default.

    Device Events: Select whether to enable or disable the reporting of Device events.
    Select Device Events to Send to Syslog:

    Visible if you enable Device Events. For each sub-heading, select the specific events that you want to trigger a message to syslog.

    Use Select All or Clear All to select or clear all the events at once. To select or clear specific events, enable or disable the checkboxes.

    Note: When you enable Device Events, all events under all categories of device events are selected by default.

  4. Select Save and use the Test Connection button to ensure successful communication between the AirWatch Console and the SIEM tool.
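
A receiver-side check for the settings above, given as an added example that is not part of the original page or the product's own code: it decodes the facility from the syslog priority value, matches the Message Tag, and splits the tab-separated Message Content that Secure TCP produces. The BSD-style (RFC 3164) line framing, the local0 facility, the field names and the log file names are assumptions, and the sample lines are constructed.

```python
import re

# Facility codes from the syslog priority value (subset plus local0-local7).
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 10: "authpriv",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed framing for this example: <PRI>timestamp host tag: content
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s\[]+)(?:\[\d+\])?: (?P<content>.*)$"
)

def parse_line(line):
    """Parse one syslog line into facility, severity, host, tag and fields."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    facility, severity = divmod(pri, 8)
    # Secure TCP turns line breaks in Message Content into tabs, so a template
    # written on several lines arrives as one line of tab-separated fields.
    fields = [f.strip() for f in m.group("content").split("\t") if f.strip()]
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "fields": fields,
    }

def route(event, expected_tag="AirWatch", expected_facility="local0"):
    """Choose a destination log name from the Message Tag and facility."""
    if event is None:
        return "unparsed.log"
    if event["tag"] == expected_tag and event["facility"] == expected_facility:
        return "airwatch.log"
    return "other.log"

# Constructed sample lines (not captured from a real console).
SAMPLES = [
    "<134>Mar  4 10:15:02 console01 AirWatch: Event Type: Console\tEvent: Login\tUser: admin1",
    "<38>Mar  4 10:15:03 host2 sshd[811]: Accepted publickey for ops",
    "not a syslog line",
]
```

Running `route(parse_line(line))` over lines received after Test Connection shows whether the configured facility and tag arrive as expected and whether multi-line content was flattened to tabs.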