In an Enterprise network, SD-WAN Orchestrator supports collection of SD-WAN Orchestrator bound events and firewall logs originating from enterprise SD-WAN Edge to one or more centralized remote syslog collectors (Servers), in native syslog format. At the Edge level, you can override the syslog settings specified in the Profile by selecting the Enable Edge Override checkbox.

To override the Syslog settings at the Edge level, perform the following steps.

Prerequisites

  • Ensure that Cloud VPN (branch-to-branch VPN settings) is configured for the SD-WAN Edge (from where the SD-WAN Orchestrator bound events are originating) to establish a path between the SD-WAN Edge and the Syslog collectors. For more information, see Configure Cloud VPN for Profiles.

Procedure

  1. From the SD-WAN Orchestrator, go to Configure > Edges.
    The SD-WAN Edge page appears.
  2. Select an Edge you want to override Syslog settings and click the icon under the Device column.
    The Device Settings page for the selected Edge appears.
  3. From the Configure Segment drop-down menu, select a profile segment to configure syslog settings. By default, Global Segment [Regular] is selected.
  4. Go to the Syslog Settings area and select the Enable Edge Override checkbox.
  5. From the Source Interface drop-down list, select one of the Edge interface configured in the segment as the source interface.
    Note:

    When the Edge transmits the traffic, the packet header will have the IP address of the selected source interface, whereas the packets can be sent through any interface based on the destination route.

  6. Override the other syslog settings specified in the Profile associated with the Edge by following the Step 4 in Configure Syslog Settings for Profiles.
  7. Click the + button to add another Syslog collector or else click Save Changes. The syslog settings for the edge will be overridden.
    Note: You can configure a maximum of two Syslog collectors per segment and 10 Syslog collectors per Edge. When the number of configured collectors reaches the maximum allowable limit, the + button will be deactivated.
    Note: Based on the selected role, the edge exports the corresponding logs in the specified severity level to the remote syslog collector. If you want the SD-WAN Orchestrator auto-generated local events to be received at the Syslog collector, you must configure Syslog at the SD-WAN Orchestrator level by using the log.syslog.backend and log.syslog.upload system properties.
    To understand the format of a Syslog message for Firewall logs, see Syslog Message Format for Firewall Logs.

What to do next

On the Firewall page of the Edge configuration, enable the Syslog Forwarding button if you want to forward firewall logs originating from enterprise SD-WAN Edge to configured Syslog collectors.
Note: By default, the Syslog Forwarding button is available on the Firewall page of the Profile or Edge configuration, and is deactivated.

For more information about Firewall settings at the Edge level, see Configure Firewall for Edges.