Click here to expand

    Configuring the Syslog Service on a UNIX devices

    Note: Please take a note of the default port numbers used for the different protocols.


    Default port number protocol used

    1. 513 & 514 UDP
    2. 514 TCP
    3. 513 TLS
    • Login as root user and edit the syslog.conf/rsyslog.conf/syslog-ng.conf file in the /etc directory.
    • You can check the logger in the device by executing 'sp -aux | grep syslog' command in the Terminal or Shell.
    • For UDP based log collection, append:
      *.*<space/tab>@<eventloganalyzer_server_name>:<port_no> at the end, where <eventloganalyzer_server_name> is the name of the machine on which EventLog Analyzer is running. Save the configuration and exit the editor.
    • For TCP based log collection, append: 

    *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no> at the end, where <server_name> is the name of the machine on which EventLog Analyzer is running. Save the configuration and exit the editor.

    • For TLS based log collection:

    Prerequisites:

    • Enable HTTPS and configure a valid certificate in server.xml. Click here to know how to configure a valid SSL certificate.
    • Only pfx format is supported for storing certificate, if you use keystore format, please convert it to pfx.

    Using self-signed certificates:

    • After applying a self-signed certificate, a file named ca.crt will be created in the location <EventLogAnalyzer_Home>/Certificates.
    • Use this file as the root certificate while configuring log forwarding in clients.

    Using other certificates:

    • For configuring log forwarding, get the root certificate from the certificate vendor. 
    • After checking the prerequisites, append the below comments in the syslog.conf/rsyslog.conf/syslog-ng.conf file in the /etc directory.
    Copy to Clipboard

    $DefaultNetstreamDriverCAFile <CACertificate>

    $ActionSendStreamDriver gtls

    $ActionSendStreamDriverMode 1

    $ActionSendStreamDriverAuthMode x509/name

    $ActionSendStreamDriverPermittedPeer <hostname>

    *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

    Save the configuration and exit the editor.

    Note: If you want to use a different port other than the default ports as specified above, please specify it in the port management settings.

    Restart the syslog service on the device using the command:

    /etc/rc.d/init.d/syslog restart

    Note: To configure the syslog-ng daemon in a Linux device, append the following entries at the end of /etc/syslog-ng/syslog-ng.conf

    For UDP based log collection:

    *.*<space/tab>@<eventloganalyzer_server_name>:<port_no> at the end of the configuration file, where <eventloganalyzer_server_name> is the DNS name or IP address of the machine on which EventLog Analyzer is running. Save the configuration and exit the editor.

    For TCP based log collection:

    *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no> at the end, where <server_name> is the DNS name or IP address of the machine on which EventLog Analyzer is running. Save the configuration and exit the editor.

    Note: Ensure that EventLog Analyzer server that you provide is reachable from the Syslog device.

    For TLS based log collection:

    destination d_eventloganalyzer { tcp("<hostname>" port(<port>)tls(ca_dir("<CACertificate>") ); }; 

    log { source(src); destination(eventloganalyzer); };

    Note: The above configuration will only enable forwarding of machine logs to the EventLog Analyzer server.

    Forwarding audit logs to the EventLog Analyzer Server

    The below given configurations have to be done in Linux devices under rsyslog.conf (or) syslog.conf :

    1. Under the MODULES section, check whether the "$ModLoad imfile" is included. (This module "imfile" converts any input text file into a syslog message,which can then be forwarded to the EventLog Analyzer Server.)
    2. The following directives contain the details of the external log file:

      $InputFileName <Monitored_File_Absolute_Path>

      $InputFileStateFile <State_Filename>

      $InputFileSeverity <Severity >

      $InputFileFacility <Facility >

      $InputRunFileMonitor

    3. To forward the logs we must provide this line: <Facility>.<Severity> @Host-Ip:Port

    Example:

    $InputFileName /var/log/sample.log

    $InputFileStateFile sample

    $InputFileSeverity info

    $InputFileFacility local6

    local6.info @eventloganalyzer-Server:514

    Here /var/log/sample.log is the external file to be forwarded.

    Note:
    1. These instructions can be applied to all Linux devices.
    2. Please use a unique <State_Filename> for different <Monitored_File_Absolute_Path>.
    3. When forwarding audit logs, sometimes default policies in Red Hat systems with Security enhancement (SElinux) won't allow the audit logs to be read. In that case, the audit logs can be forwarded by adding "active=yes" in etc/audisp/plugins.d/syslog.conf:
    Get download link