Objective

Prerequisites  

• The syslog service is provided by a syslog daemon such as rsyslog, syslog-ng, or the traditional sysklogd. To install syslog daemon refer Tips at the bottom of the document.
• Review the listener ports of EventLog Analyzer instance in Listener Port Settings and ensure to configure the Unix/Linux device to forward the logs to the same port & protocol. (Default UDP - 514/513, TCP - 514, TLS - 513)
• Proper firewall rules in EventLog Analyzer server(inbound), Security Application(if available) and Network Firewall(if available) and Unix/Linux device (outbound)  to allow the communication from Unix/Linux instance to EventLog Analyzer server.
• The Unix/Linux device hostname is resolvable by the EventLog Analyzer server (important for DHCP-based IP changes).
• For TLS log collection, Ensure to enable HTTPs for EventLog Analyzer by applying SSL. Refer How to enable HTTPs for EventLog Analyzer
• Below requsites for Automatic syslog configuration:

Steps to follow

Method 1: Manual configuration  

1. Configure syslog service in Unix/Linux device.
   

1. Add the required entries in the configuration file based on protocol. Restart the syslog daemon service to apply the changes

• File path: /etc/syslog.conf
• UDP:
• *.*<space/tab>@<eventloganalyzer_server_name>:<port_no>

• $DefaultNetstreamDriverCAFile <CACertificate>
• $ActionSendStreamDriver gtls
• $ActionSendStreamDriverMode 1
• $ActionSendStreamDriverAuthMode x509/name
• $ActionSendStreamDriverPermittedPeer <commonname>
• *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

• File path: /etc/syslog-ng/syslog-ng.conf
• <source_name> can be found from existing configuration of source with system(); and internal(); calls in the syslog-ng.conf file
• destination d_eventloganalyzer { network(<eventloganalyzer_server_name> port(<port>) transport("udp")); };
  log { source(<source_name>); destination(d_eventloganalyzer); };

2. Save the configuration and restart the Syslog daemon using the below command
• service <syslog/rsyslog/syslog-ng> restart
• systemctl restart <syslog/rsyslog/syslog-ng>

Method 2: Auto configuration for Unix/Linux device.

1. Log in to the EventLog Analyzer web console as an Administrator or with privileged role to Configure and Manage syslog device.
2. Navigate to:
   Settings → Log Source Configuration >> Devices → Syslog Devices.
3. Click + Add Device(s).
    
4. Choose the addition method:

• Select Discover Devices.
• Provide the IP address / IP range / CIDR.
• (Optional) Enter SNMP credentials for additional details.
• Click Discover.
  

• Select Add Manually.
• Enter the Hostname / IP Address of the device.
• Choose the Device Type as Unix/Linux.
• Click Add.

5. Once added, the device will appear in the Syslog Devices list.
6. Enable Check box for the device(s) and choose Configure Auto Log Forward

7. Enter the credential which has access to syslog daemon over remote, Unix/Linux SSH port, Syslog Protocol & port number(for which the logs has to be forwarded). Refer prerequisites to know the user permission required.

8. Choose Verify & Update

Verification   

1. Go to Search → Log Search in ELA.
2. Select the device from the list and search for incoming logs.
3. If logs are not visible, verify syslog forwarding on the device (see Configuring Syslog on Unix/Linux Devices).

Tips

• If the hostname is already present in the database, then the logs will be mapped to that device.
• The syslog device can be Unix, Cisco, Fortinet, Palto Alto,etc.

• If the hostname is already present in the database, then the logs will be mapped to the respective device.

• No logs or data collected from Syslog device