During syslog configuration, you can opt to send Console events, Device events, or both. Any events generated by the Workspace ONE UEM console are sent to your SIEM tool according to the scheduler settings. Syslog can be configured for both on-premises and SaaS deployments.

Note:

For SaaS customers, ACC is highly recommended for Syslog integration even if Syslog is publicly accessible.

Procedure

  1. Navigate to Monitor > Reports & Analytics > Events > Syslog.
  2. If necessary, set the Syslog Integration to Enabled to display the settings table.
  3. On the General tab, configure the following syslog settings:

    | Setting | Description |
    | --- | --- |
    | Syslog Integration | Enable or disable syslog integration. |
    | Host Name | Enter the URL for the SIEM tool in the Host Name text box. |
    | Protocol | Select the required protocol from the available options (UDP, TCP, or Secure TCP) to send the data. TLS v1.1 is supported. |
    | Port | Enter the port number to communicate with the SIEM tool in the Port text box. |
    | Syslog Facility | Select the facility level for the feature from the Syslog Facility menu. The syslog protocol defines the syslog facility. The widespread use and manipulation of the syslog protocol can clutter the meaning of the syslog facility. However, it can roughly suggest from what part of a system a message originated, and it can help distinguish different classes of messages. Some administrators use the syslog facility in rules to route parts of messages to different log files. |
    | Message Tag | Enter a descriptive tag to identify events from the Workspace ONE UEM console in the Message Tag text box. For example, "AirWatch". |
    | Message Content | Enter the data to include in the transmission in the Message Content text box. This is how the message data is formatted when it is sent to your SIEM tool using syslog. Use lookup values to set the content. For Secure TCP, new line (CRLF) formatting entered with Enter, \n, or \r does not work; it is automatically converted to a tab (\t). |

  4. On the Advanced tab, configure the following settings.

    | Setting | Description |
    | --- | --- |
    | Console Events | Select whether to enable or disable the reporting of Console events. |
    | Select Console Events to Send to Syslog | Visible if you enable Console Events. For each sub-heading, select the specific events that you want to trigger a message to syslog. Use Select All or Clear All to select or clear all the events at once. To select or clear specific events, enable or disable the checkboxes. Note: When you enable Console Events, all events under all categories of console events are selected by default. |
    | Device Events | Select whether to enable or disable the reporting of Device events. |
    | Select Device Events to Send to Syslog | Visible if you enable Device Events. For each sub-heading, select the specific events that you want to trigger a message to syslog. Use Select All or Clear All to select or clear all the events at once. To select or clear specific events, enable or disable the checkboxes. Note: When you enable Device Events, all events under all categories of device events are selected by default. |

  5. Select Save and use the Test Connection button to ensure successful communication between the Workspace ONE UEM console and the SIEM tool.
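
The following receiver-side parser is an added example, not part of the product documentation. It shows how the Syslog Facility, Message Tag, and Message Content settings appear in a received line, and why a SIEM parser should accept tabs as well as CR/LF as field separators. The line framing, the host name `uem01`, and the "Key: value" field names are assumptions made for illustration.

```python
import re

# Conventional facility and severity names, in syslog code order (RFC 5424).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_event(line, tag="AirWatch"):
    """Split one received line into facility, severity, header and fields.

    Assumed framing: "<PRI>" + header + " TAG: " + "Key: value" pairs.
    """
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range PRI")
    pri = int(m.group(1))
    header, sep, content = line[m.end():].partition(f" {tag}: ")
    if not sep:
        raise ValueError(f"Message Tag {tag!r} not found")
    fields, last = {}, None
    # Secure TCP delivers tabs where the template had line breaks; other
    # protocols may deliver CR/LF. Treat all of them as field separators.
    for part in re.split(r"[\t\r\n]+", content.strip()):
        key, colon, value = part.partition(": ")
        if colon and key not in fields:
            fields[key] = value
            last = key
        elif last is not None:
            # No "Key: " prefix, or a repeated key: keep the text with the
            # previous field so it cannot create or overwrite a key.
            fields[last] += " " + part
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "header": header.strip(), "fields": fields}


# Constructed sample lines; the field names are illustrative, not product
# lookup values. PRI 134 = facility 16 (local0) * 8 + severity 6 (info).
SECURE_TCP = ("<134>Oct 11 22:14:15 uem01 AirWatch: "
              "Event Type: Console\tEvent: LoginFailed\tUser: jdoe")
PLAIN_TCP = SECURE_TCP.replace("\t", "\r\n")

if __name__ == "__main__":
    print(parse_event(SECURE_TCP))
    print(parse_event(PLAIN_TCP) == parse_event(SECURE_TCP))
```

Pass the value configured in the Message Tag text box as `tag` so that lines from other senders are rejected rather than parsed.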