In addition to its extensive logging capabilities, Xeams can send essential logs and alerts to any Security Information and Event Management (SIEM) server that supports syslog. This syslog server can run on-premises or in the cloud.
Prerequisite: This feature is only available in the Enterprise Edition with at least 20 users.
Use the following steps to configure Xeams:
Syslog servers are based on one of two RFCs
Both standards support UDP and TCP, but SSL is only supported for RFC 5424. If your server supports it, you should use the newer standard.
Xeams logs several events. Some are turned on by default, while others can be turned on by administrators. The message for every event starts with a five-character code representing the event. Additionally, the MSGID field also uniquely identifies the event. The following table lists every event Xeams logs.
Event Code | MSGID | Severity | Description |
---|---|---|---|
START | ID01 | Informational | Logged when Xeams is started |
STOPD | ID02 | Informational | Logged when Xeams is stopped |
LOGIN | ID03 | Informational | When a user logs in. The message will also contain the source, such as HTTP, SMTP, POP3 or IMAP |
INPWD | ID04 | Warning | Logged when an incorrect password is entered for authentication. |
LGOUT | ID05 | Informational | When a user logs out |
UBLCK | ID12 | Critical | When an IP address is blocked because of too many incorrect logins or a malicious attack is detected. |
UUNBK | ID13 | Informational | When a previously blocked IP is no longer blocked |
UCRET | ID14 | Informational | When a new user is created |
ERSVD | ID19 | Informational | When email is received by the SMTP server. This is an optional event. |
ESENT | ID20 | Informational | When email is sent out by the SMTP server. This is an optional event. |
EFAIL | ID21 | Warning | When email could not be sent. This is not a permanent failure. |
EDNDR | ID22 | Warning | When an email is deleted for non-delivery. NDR is generated. |
ENNDR | ID23 | Warning | When an email is deleted for non-delivery. NDR is not generated. |
EQUED | ID24 | Informational | Email is queued and will be delivered later on. |
NOMEM | ID32 | Alert | When used memory goes past 90% of total available memory |
NODSK | ID33 | Alert | When free disk space is running low. |
FORGD | ID34 | Warning | When an outbound email is sent from a foreign domain that can be considered a forged message. |
QFILD | ID35 | Warning | When too many messages are waiting to be delivered in the outbound queue. |
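
On the receiving side, the table can be used to validate what arrives before it feeds any alert. The following is an added example, not code from Xeams: it parses RFC 5424 lines and rejects any whose MSGID or severity contradicts the five-character code. It assumes that Xeams sets the syslog severity according to the Severity column; the host name, app name, facility and message text in the sample lines are constructed.

```python
import re

# RFC 5424 numeric severity -> the severity names used in the table above.
SEV_NAME = {1: "Alert", 2: "Critical", 4: "Warning", 6: "Informational"}

# Event code, MSGID and numeric severity for every row of the table above.
_ROWS = """
START ID01 6  STOPD ID02 6  LOGIN ID03 6  INPWD ID04 4  LGOUT ID05 6  UBLCK ID12 2
UUNBK ID13 6  UCRET ID14 6  ERSVD ID19 6  ESENT ID20 6  EFAIL ID21 4  EDNDR ID22 4
ENNDR ID23 4  EQUED ID24 6  NOMEM ID32 1  NODSK ID33 1  FORGD ID34 4  QFILD ID35 4
""".split()
EVENTS = {_ROWS[i]: (_ROWS[i + 1], int(_ROWS[i + 2])) for i in range(0, len(_ROWS), 3)}

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
HEADER = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) \S+ \S+ (\S+) (?:-|\[.*?\]) (.*)", re.S)

def parse_event(line):
    """Return the event as a dict; raise ValueError if it contradicts the table."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message")
    pri, ts, host, msgid, msg = m.groups()
    code = msg[:5]  # the message starts with the five-character event code
    if code not in EVENTS:
        raise ValueError(f"unknown event code {code!r}")
    want_msgid, want_sev = EVENTS[code]
    if msgid != want_msgid:
        raise ValueError(f"MSGID {msgid} does not belong to {code}")
    sev = int(pri) % 8  # severity is the low three bits of PRI
    if sev != want_sev:  # assumption: PRI severity follows the Severity column
        raise ValueError(f"{code} arrived with severity {sev}, expected {SEV_NAME[want_sev]}")
    return {"time": ts, "host": host, "code": code,
            "severity": SEV_NAME[sev], "text": msg[5:].strip()}

def triage(lines):
    """Split raw lines into parsed events and (line, reason) rejects."""
    good, bad = [], []
    for line in lines:
        try:
            good.append(parse_event(line))
        except ValueError as err:
            bad.append((line, str(err)))
    return good, bad

# Constructed sample traffic (facility 2; 22 = Informational, 18 = Critical).
SAMPLE = [
    "<22>1 2024-05-01T10:00:00Z mail01 xeams - ID03 - LOGIN alice via IMAP",
    "<18>1 2024-05-01T10:00:09Z mail01 xeams - ID12 - UBLCK 203.0.113.7",
    "<22>1 2024-05-01T10:00:12Z mail01 xeams - ID13 - UBLCK 203.0.113.7",  # wrong MSGID
    "<22>1 2024-05-01T10:00:15Z mail01 xeams - ID12 - UBLCK 203.0.113.7",  # wrong severity
]
```

Rejected lines are worth keeping rather than dropping: a message whose code, MSGID and severity disagree is either a parsing problem or a sender that is not the mail server, which matters most when the transport is plain UDP.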