I have a requirement to forward certain rules to a remote system via
SYSLOG. When I use routing rules, it says forward via syslog to "local
host on port 514". Is there a way to add a remote host and a different
port (maybe TCP)?

I tried Action and if I add a new Action, it still does not ask me for a
remote host name/IP!

The second question is that I need to forward all "Correlated Events" and
associated "Trigger Events" to a remote system. I can search for all
correlated events by using the filter "st:C"; however, is there a way to
search for all "Trigger Events" regardless of their associated
correlated events?

For example, if there are more than 3 failed logins (unique user name) in
15 min, trigger a correlated event. There can be hundreds of failed
logins, but is there a way to search only those 5 or more failed logins
that constituted this particular alert?


pimpalp's Profile: https://forums.netiq.com/member.php?userid=5587
View this thread: https://forums.netiq.com/showthread.php?t=51446
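As an added illustration of the correlation described in the question (not code from the poster or from any SIEM product), the following Python keeps the trigger events attached to the correlated event they produced, so both can be searched or forwarded together. The threshold, 15-minute window, event format and syslog line layout are all assumptions made for this example; the input events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample failed-login events (timestamp, user, source); not real data.
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "alice", "10.0.0.5"),
    ("2024-01-01T10:02:00", "bob", "10.0.0.9"),
    ("2024-01-01T10:03:00", "alice", "10.0.0.5"),
    ("2024-01-01T10:05:00", "alice", "10.0.0.6"),
    ("2024-01-01T10:07:00", "alice", "10.0.0.5"),  # 4th alice failure in 7 min
    ("2024-01-01T10:30:00", "bob", "10.0.0.9"),
    ("2024-01-01T10:31:00", "bob", "10.0.0.9"),
    ("2024-01-01T11:00:00", "alice", "10.0.0.5"),  # earlier burst expired
]


def correlate(events, threshold=3, window=timedelta(minutes=15)):
    """Fire one correlated event when a single user has more than
    `threshold` failed logins inside a sliding `window`. The alert carries
    exactly the trigger events that constituted it."""
    alerts = []
    per_user = defaultdict(deque)  # user -> recent trigger tuples
    for ts_str, user, src in sorted(events):  # process in time order
        ts = datetime.fromisoformat(ts_str)
        buf = per_user[user]
        while buf and ts - datetime.fromisoformat(buf[0][0]) > window:
            buf.popleft()  # drop triggers that fell out of the window
        buf.append((ts_str, user, src))
        if len(buf) > threshold:
            alerts.append({"rule": "failed-logins-per-user", "user": user,
                           "first": buf[0][0], "last": ts_str,
                           "trigger_events": list(buf)})
            buf.clear()  # one alert per burst; a new burst starts fresh
    return alerts


def to_syslog_lines(alert, host="siem"):
    """Render an alert plus its triggers as syslog-style lines that share a
    correlation id, so a remote receiver can tie them back together."""
    cid = f"{alert['user']}-{alert['last']}"
    n = len(alert["trigger_events"])
    lines = [f"<13>{alert['last']} {host} correlated: id={cid} "
             f"rule={alert['rule']} user={alert['user']} count={n}"]
    for ts, user, src in alert["trigger_events"]:
        lines.append(f"<13>{ts} {host} trigger: corr_id={cid} "
                     f"user={user} src={src} outcome=failure")
    return lines
```

Searching the receiver side for `corr_id=<id>` then returns only the triggers behind one alert, which is the question's second requirement.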