Adding Linux log sources

  1. Log in as root and edit the syslog.conf, rsyslog.conf or syslog-ng.conf file in the /etc directory, depending on which logger the device runs. You can check which one is running with ps aux | grep syslog.

  2. For UDP based log collection, append *.*<tab>@<ela_server_name>:<port_no> at the end of the file, where <ela_server_name> is the name of the machine on which EventLog Analyzer is running and <port_no> is the UDP port it listens on.

  3. For TCP based log collection, append *.*<tab>@@<ela_server_name>:<port_no> at the end of the file (note the double @), where <ela_server_name> is the name of the machine on which EventLog Analyzer is running and <port_no> is the TCP port it listens on.

  4. 513 and 514 are the default UDP ports, and 514 is the default TCP port in EventLog Analyzer. If you choose a port other than 513 or 514, enter that same port when adding the device in EventLog Analyzer.

  5. Save the file and exit the editor.

  6. Restart the syslog service on the host using the command:

    /etc/rc.d/init.d/syslog restart

Note: To configure the syslog-ng daemon on a Linux device, append the following entries at the end of /etc/syslog-ng/syslog-ng.conf:

For UDP based log collection:

destination eventloganalyzer { udp("<ela_server_name>" port(<port_no>)); };
log { source(src); destination(eventloganalyzer); };

For TCP based log collection:

destination eventloganalyzer { tcp("<ela_server_name>" port(<port_no>)); };
log { source(src); destination(eventloganalyzer); };

where <ela_server_name> is the server name or IP address of the machine on which EventLog Analyzer is running and <port_no> is the port it listens on (see step 4).
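The following script is an added example, not part of the EventLog Analyzer documentation or product. It builds the forwarding rules described in the numbered steps (syslog/rsyslog) and in the syslog-ng note, and appends the rsyslog rule to a configuration file only when no rule for that collector is already present, so re-running the procedure cannot leave duplicate rules that forward every event twice. The host name ela.example.internal, the port numbers and the sample configuration line are constructed placeholders; the demo works on a scratch copy rather than the live /etc file.

```shell
#!/bin/sh
# Added example (not EventLog Analyzer's own code): generate the syslog forwarding
# rules from the steps above and append them idempotently.
# Host name and port are placeholders; use the EventLog Analyzer server and the
# port configured there (514 by default).

# forward_rule PROTO HOST PORT
# Prints the one-line rule for syslog.conf/rsyslog.conf: a single '@' means UDP,
# '@@' means TCP; '*.*' selects every facility and severity.
forward_rule() {
    case "$1" in
        udp) printf '*.*\t@%s:%s\n'  "$2" "$3" ;;
        tcp) printf '*.*\t@@%s:%s\n' "$2" "$3" ;;
        *)   echo "forward_rule: transport must be udp or tcp" >&2; return 1 ;;
    esac
}

# syslog_ng_rule PROTO HOST PORT
# Prints the destination/log pair for syslog-ng.conf; 'src' is the source name
# defined in syslog-ng's stock configuration.
syslog_ng_rule() {
    case "$1" in
        udp|tcp) ;;
        *) echo "syslog_ng_rule: transport must be udp or tcp" >&2; return 1 ;;
    esac
    printf 'destination eventloganalyzer { %s("%s" port(%s)); };\n' "$1" "$2" "$3"
    printf 'log { source(src); destination(eventloganalyzer); };\n'
}

# has_forward_rule FILE HOST
# Exit status 0 if FILE already has a '*.* @HOST:' or '*.* @@HOST:' rule,
# 1 otherwise. Dots in HOST match any character, which is loose but adequate
# for an idempotency check.
has_forward_rule() {
    grep -Eq "^\*\.\*[[:space:]]+@@?$2:" "$1"
}

# append_forward_rule FILE PROTO HOST PORT
# Appends the rule once; prints "exists" and leaves the file untouched on
# repeat runs, "added" when the rule was written.
append_forward_rule() {
    if has_forward_rule "$1" "$3"; then
        echo "exists"
    else
        forward_rule "$2" "$3" "$4" >> "$1" && echo "added"
    fi
}

# demo: run the append twice against a constructed scratch config and print
# the two outcomes ("added exists" shows the second run was a no-op).
demo() {
    tmp=$(mktemp) || return 1
    # Constructed sample line: a typical local rule, no forwarding configured yet.
    printf '*.info;mail.none;authpriv.none\t/var/log/messages\n' > "$tmp"
    first=$(append_forward_rule "$tmp" udp ela.example.internal 514)
    second=$(append_forward_rule "$tmp" udp ela.example.internal 514)
    rm -f "$tmp"
    echo "$first $second"
}

demo
```

After editing the real file, validate the syntax before restarting (rsyslogd -N1 parses the configuration without starting the daemon), restart the logger (on systemd hosts this is systemctl restart rsyslog rather than the init script in step 6), then generate a known event with logger -t ela-test "forwarding check" and confirm it appears for that device in EventLog Analyzer. If it does not, check that outbound traffic to the chosen port is allowed by the host firewall and that the port matches the one entered when the device was added.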