How to create syslog event rules


Like most Linux-based systems, NG Firewall supports remote syslog. This feature allows you to export system data to another system for analysis.

NG Firewall uses rsyslog for this function.


Enable Remote Syslog

  1. Go to Config > Events > Syslog.

  2. Enable the "Enable Remote Syslog" option.

  3. Configure the Syslog connection:
    • Enter the IP Address or URL for your syslog server
    • If you are not using the default port (UDP 514) set what you are using

Create a Syslog Rule

The default rule that is included when you first enable Syslog sends all data in all classes to the remote server. On most devices this will cause performance issues and may even make the system unstable and/or crash. Because of this we recommend disabling or deleting the default rule and creating a rule that sends only the data that you want/need to your remote server.

  1. Click the Add button. You should get a window similar to the one shown below.

  2. Enter a description for the rule and then click the drop down menu for Class.

  3. You can further limit the data sent by adding fields via the Add Field button and selecting the field you want to filter by:
    • Click the Add Field button

    • Select the Field you want to filter by and then fill in the rest of the filter conditions similar to below.

  4. You can also can set a threshold on the rule so it only triggers after a certain number of matching events occur:
    • Enable the "Enable Thresholds" check box.

  5. Click Done in the bottom-right corner of the window and then click Save in the main window to apply your new rule.

More details on syslog classes & events

For more information regarding what each of the classes used by Syslog contains, and how to use the fields to properly filter the data being sent, please refer to our Wiki page Event Definitions.


Was this article helpful?
1 out of 2 found this helpful
Have more questions? Submit a request



Please sign in to leave a comment.

Powered by Zendesk