During syslog configuration, you can opt to send console events, device events, or both. Any events generated by the Workspace ONE UEM console are sent to your SIEM tool in real time. Syslog can be configured for both on-premises and SaaS deployments.
For SaaS customers, ACC is highly recommended for Syslog integration even if Syslog is publicly accessible.
Procedure
- Navigate to Monitor > Reports & Analytics > Events > Syslog.
- If necessary, set the Syslog Integration to Enabled to display the settings table.
- On the General tab, configure the following syslog settings.

| Setting | Description |
| --- | --- |
| Syslog Integration | Enable or deactivate syslog integration. |
| Host Name | Enter the URL for the SIEM tool in the Host Name text box. |
| Protocol | Select the required protocol from the available options (UDP, TCP, or Secure TCP) to send the data. We support TLS v1.0, TLS v1.1, and TLS v1.3. |
| Port | Enter the port number to communicate with the SIEM tool in the Port text box. |
| Syslog Format | Select the syslog message format. The selections are Workspace ONE UEM Legacy Syslog Format, RFC-3164 Format, or RFC-5424 Format. |
| Syslog Facility | Select the facility level for the feature from the Syslog Facility menu. The syslog protocol defines the syslog facility. The widespread use and manipulation of the syslog protocol can clutter the meaning of the syslog facility. However, it can roughly suggest from what part of a system a message originated, and it can help distinguish different classes of messages. Some administrators use the syslog facility in rules when routing parts of messages to different log files. |
| Message Tag | Enter a descriptive tag to identify events from the Workspace ONE UEM console in the Message Tag text box. For example, "AirWatch". |
| Message Content | Enter the data to include in the transmission in the Message Content text box. This determines how the message data is formatted when it is sent to your SIEM tool using syslog. To set the content, use lookup values. For Secure TCP, new-line (CRLF) formatting entered with Enter, \n, or \r does not work; it is automatically converted to a tab (\t). |

- On the Advanced tab, configure the following settings.

| Setting | Description |
| --- | --- |
| Console Events | Select whether to enable or deactivate the reporting of Console events. |
| Select Console Events to Send to Syslog | Visible if you enable Console Events. For each subheading, select the specific events that you want to trigger a message to syslog. To select or unselect all the events at once, use Select All or Clear All. To select or unselect specific events, enable or deactivate the check boxes. Note: When you enable Console Events, all events under all categories of console events are selected by default. |
| Device Events | Select whether to enable or deactivate the reporting of Device events. |
| Select Device Events to Send to Syslog | Visible if you enable Device Events. For each subheading, select the specific events that you want to trigger a message to syslog. To select or unselect all the events at once, use Select All or Clear All. To select or unselect specific events, enable or deactivate the check boxes. Note: When you enable Device Events, all events under all categories of device events are selected by default. |

- Select Save and use the Test Connection button to ensure successful communication between the Workspace ONE UEM console and the SIEM tool.
- After you have verified the log captures, revert the Verbose Logging Configuration.
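
The Syslog Format, Syslog Facility, Message Tag, and Message Content settings above determine what the SIEM side has to parse. The following Python parser is an added example, not VMware code: it decodes the facility from the PRI value, filters on the message tag, and splits the tab-separated content that Secure TCP produces. It assumes the Message Tag arrives as APP-NAME (RFC-5424) or TAG (RFC-3164); the sample frames, host names, and field names are constructed.

```python
import re

# Facility names indexed by numeric code (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"<(\d{1,3})>1 (\S+) (\S+) (\S+) \S+ \S+ (?:-|\[.*?\]) ?(.*)", re.S)
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164 = re.compile(
    r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
    r"([^:\[\s]+)(?:\[\d+\])?: ?(.*)", re.S)

# Constructed sample frames; host, tag placement and field names are assumptions.
SAMPLE_5424 = ("<134>1 2024-01-15T10:22:31Z uem-console.example.com AirWatch"
               " - - - Event Type: Console\tEvent: Login\tUser: admin1")
SAMPLE_3164 = ("<142>Jan 15 10:22:31 uem-console AirWatch: "
               "Event Type: Device\tEvent: Enrollment")

def parse_event(frame, expected_tag="AirWatch"):
    """Return a dict for a frame carrying the expected tag, else None."""
    frame = frame.rstrip("\r\n")
    for fmt, pattern in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = pattern.fullmatch(frame)
        if m:
            break
    else:
        return None  # neither format matched
    pri, timestamp, host, tag, msg = m.groups()
    pri = int(pri)
    if pri > 191 or tag != expected_tag:  # PRI = facility * 8 + severity
        return None
    return {"format": fmt, "facility": FACILITIES[pri >> 3],
            "severity": pri & 7, "timestamp": timestamp, "host": host,
            "tag": tag,
            # Over Secure TCP, line breaks in Message Content arrive as tabs.
            "fields": msg.split("\t")}

if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        print(parse_event(sample))
```

Frames that return None (unknown format, out-of-range PRI, or an unexpected tag) are worth counting separately on the collector, since a sudden rise usually means the console's syslog settings changed.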