In an Enterprise network, SASE Orchestrator supports collection of SASE Orchestrator-bound events and firewall logs originating from enterprise SD-WAN Edges to one or more centralized remote syslog collectors (Servers), in native syslog format. At the Edge level, you can override the syslog settings specified in the Profile by selecting the Enable Edge Override checkbox.
- Ensure that Cloud VPN (branch-to-branch VPN settings) is configured for the SD-WAN Edge (from where the SASE Orchestrator bound events are originating) to establish a path between the SD-WAN Edge and the Syslog collectors. For more information, see Configure Cloud VPN for Profiles.
- In the SD-WAN Service of the Enterprise portal, go to Configure > Edges. The Edges page displays the existing Edges.
- Click the link to an Edge or click the View link in the Device column of the Edge that you want to override.
The configuration options for the selected Edge are displayed in the Device tab.
- From the Segment drop-down menu, select a profile segment to configure syslog settings. By default, Global Segment is selected.
- Scroll down to the Telemetry category, go to the Syslog area, and select the Override check box.
- From the Source Interface drop-down menu, select one of the Edge interfaces configured in the segment as the source interface.
When the Edge transmits the traffic, the packet header will have the IP address of the selected source interface, whereas the packets can be sent through any interface based on the destination route.
- Override the other syslog settings specified in the Profile associated with the Edge by following Step 4 in Configure Syslog Settings for Profiles.
- Click the + ADD button to add another Syslog collector, or click Save Changes. The syslog settings for the Edge will be overridden.
Note: You can configure a maximum of two Syslog collectors per segment and 10 Syslog collectors per Edge. When the number of configured collectors reaches the maximum allowable limit, the + button will be deactivated.
Note: Based on the selected role, the edge exports the corresponding logs in the specified severity level to the remote syslog collector. If you want the SASE Orchestrator auto-generated local events to be received at the Syslog collector, you must configure Syslog at the SASE Orchestrator level by using the log.syslog.upload system properties.
To understand the format of a Syslog message for Firewall logs, see Syslog Message Format for Firewall Logs.
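The Source Interface behavior described in the procedure matters on the collector side: packets carry the IP address of the selected source interface regardless of which interface they leave through, so a collector should attribute and allowlist messages by that address. The following Python sketch is an added example, not part of the product or its documentation; the Edge names, IP addresses and sample messages are constructed assumptions.

```python
import ipaddress
import re

# Assumed inventory: Edge name -> IP of the interface chosen as Source Interface.
# Names and addresses are constructed (RFC 5737 documentation ranges).
EDGE_SOURCE_IPS = {
    "edge-branch-01": "192.0.2.10",
    "edge-branch-02": "192.0.2.20",
}

PRI_RE = re.compile(rb"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(datagram: bytes):
    """Return (facility, severity_name) from the syslog PRI field, or None."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return pri // 8, SEVERITIES[pri % 8]


def classify(peer_ip: str, datagram: bytes, inventory=EDGE_SOURCE_IPS):
    """Attribute one received datagram to an Edge by its packet source IP."""
    by_ip = {ipaddress.ip_address(ip): name for name, ip in inventory.items()}
    edge = by_ip.get(ipaddress.ip_address(peer_ip))
    pri = decode_pri(datagram)
    if edge is None:
        # Source is not a configured source-interface address: review it.
        return ("unexpected-source", peer_ip, pri)
    if pri is None:
        return ("malformed", edge, None)
    return ("ok", edge, pri)


# Constructed sample traffic: (source IP seen by the collector, payload).
SAMPLES = [
    ("192.0.2.10", b"<134>Jan 10 12:00:01 edge-branch-01 sample firewall log"),
    ("198.51.100.7", b"<134>Jan 10 12:00:02 edge-branch-01 sample firewall log"),
    ("192.0.2.20", b"no PRI header here"),
]

if __name__ == "__main__":
    for peer, data in SAMPLES:
        print(classify(peer, data))
```

The second sample names a known Edge in its payload but arrives from an address that is not in the inventory, which is what a collector would see if its allowlist held an egress interface address instead of the configured source interface address.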
What to do next
For more information about Firewall settings at the Edge level, see Configure Edge Firewall.