As an admin, you can configure integration with a SIEM tool that leverages the syslog protocol to record system events.
What can you do with the System Log Settings Page?
The path to the settings page on the UEM console is
.Security Information and Event Management (SIEM) technology gathers information about security alerts generated by network hardware and software components. It centralizes this data and generates reports to help you monitor activity, perform log audits, and respond to incidents. Workspace ONE UEM integrates with your SIEM tools by sending event logs using Syslog.
Determine your Organization group hierarchy
- Current Setting - Select whether to Inherit or Override the displayed settings. Inherit means use the settings of the current organization group's parent OG, while Override enables the settings for editing so you can modify the current OG's settings directly.
General Tab
Setting | Description |
---|---|
Syslog Integration | Enable or deactivate syslog integration. |
Host Name | Enter the URL for the SIEM tool in the Host Name text box. |
Protocol | Select the required protocol from available options to send the data. It is to be noted that support for TLS v1.1 is provided. |
Port | Enter the port number to communicate with the SIEM tool in the Port text box. |
Syslog Facility | Select the facility level for the feature from the Syslog Facility menu. The syslog protocol defines the syslog facility. The widespread use and manipulation of the syslog protocol can clutter the meaning of the syslog facility. However, it can roughly suggest from what part of a system a message originated and it can help distinguish different classes of messages. Some administrators use the syslog facility in rules to route parts of messages to different log files. |
Message Tag | Enter a descriptive tag to identify events from the Workspace ONE UEM console in the Message Tag text box. For example, "AirWatch". |
Message Content | Enter the data to include in the transmission in the Message Content text box. This is how the message data gets formatted when sent using syslog to your SIEM tool. Use lookup values to set the content. For secure TCP, New line (CRLF) formatting using Enter, \n, \r does not work and gets automatically converted to tab, \t for secure TCP. |
Advanced Tab
Setting | Description |
---|---|
Console Events | Select whether to enable or deactivate the reporting of Console events. |
Select Console Events to Send to Syslog | Visible if you enable Console Events. For each sub-heading, select the specific events that you want to trigger a message to syslog. Use Select All or Clear All to select or unselect all the events all at once. To select or unselect specific events, enable or deactivate the checkboxes.
Note: On enabling the
Console Events, by default, all events under all categories of console events are selected.
|
Device Events | Select whether to enable or deactivate the reporting of Device events. |
Select Device Events to Send to Syslog | Visible if you enable Device Events. For each sub-heading, select the specific events that you want to trigger a message to syslog. Use Select All or Clear All to select or unselect all the events all at once. To select or unselect specific events, enable or deactivate the checkboxes.
Note: On enabling the
Device Events, by default, all events under all categories of device events are selected.
|
- Test Connection – Use the Test Connection button to ensure successful communication between the Workspace ONE UEM console and the SIEM tool.
- Child Permission – Select the available behavior of child organization groups that exist below the currently selected organization group. Inherit only means child OGs are only allowed to inherit these settings. Override only means they override the settings, and Inherit or Override means you can choose to inherit or override settings in child OGs that exist below the currently selected OG.