Unfortunately there is no option for 2 syslog hosts on that GUI page under the admin section.
You have a few options, but this would be mostly out of scope from an Imperva Support perspective:
- Have syslog server forward logs to the syslog server
- Send the logs to the MX itself (127.0.0.1:514) and add a custom rsyslog config file to /etc/rsyslog.d/000-securesphere_audit.conf with contents:
#UDP forward example
local3.info @SYSLOG_HOST_1
local3.info @SYSLOG_HOST_2
# TCP FORWARD example
# local4.info @@SYSLOG_HOST_1
& stop
Make sure that you don't use the default local0 facility; that way you don't end up forwarding non-securesphere audit logs to the syslog server.
Restart the rsyslog server with:
systemctl restart rsyslog
Note: This may likely not survive an upgrade and you may have to re-set it up, so I recommend adding it to your post-upgrade checks.
------------------------------
Sarvesh Lad
Tech Lead @ On-Prem Managed Services (WAF, DAM, DRA & Sonar)
------------------------------
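A post-upgrade check for the rsyslog drop-in described in the reply above, as an added example that is not part of the original post or of Imperva's tooling. The file path and the local3 facility come from the reply; the function names and the hosts passed as arguments are assumptions, and only hostnames or IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example: verifies that the audit forwarding drop-in survived an upgrade.
# Path and facility default to the values in the post; function names are hypothetical.
CONF_DEFAULT=/etc/rsyslog.d/000-securesphere_audit.conf

# Escape dots so a hostname or IPv4 address is matched literally by grep -E.
escape_host() { printf '%s' "$1" | sed 's/\./\\./g'; }

# True if FILE has an uncommented UDP (@) or TCP (@@) forward of FACILITY to HOST.
has_forward() {
    _f=$1 _fac=$2 _h=$(escape_host "$3")
    grep -Eq "^[[:space:]]*${_fac}\.[^[:space:]]+[[:space:]]+@@?${_h}(:[0-9]+)?[[:space:]]*\$" "$_f"
}

# check_audit_forwarding FILE HOST1 HOST2 [FACILITY]
# Returns 0 only if the drop-in exists, forwards to both hosts, and does not
# select local0 (the default facility the post says to avoid).
check_audit_forwarding() {
    conf=$1 host1=$2 host2=$3 fac=${4:-local3}
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf missing or unreadable (drop-in lost in upgrade?)"
        return 1
    fi
    for h in "$host1" "$host2"; do
        if has_forward "$conf" "$fac" "$h"; then
            echo "OK:   $fac forwarded to $h"
        else
            echo "FAIL: no active $fac forward to $h"
            rc=1
        fi
    done
    if grep -Eq '^[[:space:]]*local0\.' "$conf"; then
        echo "FAIL: local0 selector present; non-audit logs would be forwarded"
        rc=1
    fi
    return $rc
}

# Run as a script: check.sh HOST1 HOST2 [CONF] [FACILITY]
if [ "$#" -ge 2 ]; then
    check_audit_forwarding "${3:-$CONF_DEFAULT}" "$1" "$2" "${4:-local3}"
fi
```

Running `rsyslogd -N1` before the restart additionally validates the syntax of the loaded configuration.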
Original Message:
Sent: 11-11-2022 07:43
From: Wenlong Wang
Subject: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?
The "Action Sets" need to define the system events type policy in "Policies > System Events".
This is cumbersome when I need to send all types of system events.
The "SecureSphere Audit" can directly send all system events without defining the system event types.
------------------------------
Wenlong Wang
Technical Director
Beijing China
Original Message:
Sent: 11-11-2022 06:08
From: Mark Barros
Subject: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?
Hi Wenlong,
You can add a second syslog destination by adding a second action interface. Here is an example:
------------------------------
Mark Barros
Product Support Engineer - On Prem
Tel Aviv CA
Original Message:
Sent: 11-11-2022 02:34
From: Wenlong Wang
Subject: Can I set two 'Syslog Host' in the setting 'SecureSphere Audit'?
https://docs.imperva.com/bundle/v13.6-administration-guide/page/65606.htm
I want to send all system events to two syslog hosts. How do I set it?
#DatabaseActivityMonitoring
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Wenlong Wang
Technical Director
Beijing China
------------------------------