How to forward application logs hosted on Linux/Unix machine
Objective
This article outlines the steps required to collect logs from an application hosted on a Unix/Linux machine by configuring the syslog service (rsyslog or syslog-ng) to forward log data to ManageEngine EventLog Analyzer. This setup provides centralized collection, monitoring, and auditing of system and application logs for compliance.
Prerequisites
System requirements
- A Unix/Linux host running rsyslog or syslog-ng.
User permissions
- Root or sudo access, to create files under /etc/rsyslog.d/ or /etc/syslog-ng/ and to restart the logging service.
Dependencies
- The syslog service (rsyslog or syslog-ng) must be active.
- Firewall, SELinux, or AppArmor must allow outbound syslog traffic to the EventLog Analyzer server (port 514 by default, see Step 3).
- EventLog Analyzer must be configured to receive logs from remote Unix devices.
Steps to follow
Step 1: Identify the logging daemon
Run the following commands to determine which syslog daemon is active (the grep process itself also appears in the output; ignore that line and look for the daemon process):
ps -ef | grep rsyslog
ps -ef | grep syslog-ng
Step 2: Configure rsyslog to read the application log file
Create a new configuration file under /etc/rsyslog.d/ (the name is arbitrary; use the application name so the file is easy to find later):
sudo vi /etc/rsyslog.d/<application_name>.conf

Add the following content to the file (legacy rsyslog syntax; the directives that describe the file must come before $InputRunFileMonitor, which activates the monitor):
$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$InputFileName <ConfiguredLogFile_Location>
$InputFileTag APP:
$InputFileStateFile stat-APP
#$InputFileSeverity info
$InputFileFacility local6
$InputFilePersistStateInterval 100
$InputRunFileMonitor
Notes:
A '#' at the start of a line marks it as a comment. To enable an optional directive such as $InputFileSeverity, remove the '#'. Severity is given as a name (info, notice, err, ...) or a number from 0 to 7, and facility as a single facility name; a list of facilities is not accepted.
Replace <ConfiguredLogFile_Location> with the full path of the application log file. After start-up rsyslog drops privileges to the group named in $PrivDropToGroup, so that group must be able to read the file or imfile cannot open it.
$InputFileTag is the program name that EventLog Analyzer shows for each line, and $InputFileStateFile records how far the file has been read so that a restart does not resend old lines. Older rsyslog releases require both when this legacy syntax is used.
Add or adjust fields based on log structure or compliance needs.

Step 3: Forward the logs to EventLog Analyzer
For rsyslog:
Open /etc/rsyslog.conf or, preferably, use a dedicated file such as /etc/rsyslog.d/forward.conf.
The following lines make this host listen for syslog messages from other devices. They are not needed for forwarding, and they open port 514 to anything that can reach the host, so add them only if this machine must relay logs from other devices:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
Make sure /etc/rsyslog.conf includes the drop-in directory. Most distributions ship this line by default (newer releases use the equivalent include() form); do not add it to a file under /etc/rsyslog.d/, since that file would then include itself:
$IncludeConfig /etc/rsyslog.d/*.conf
Forward the logs to the EventLog Analyzer server with one of the following lines, not both. A single '@' selects UDP and '@@' selects TCP. The selector *.* forwards every message the host logs, not only the application file; to send only the application log, use the facility assigned in Step 2 as the selector instead:
# For UDP
*.* @<ELA_SERVER_IP>:514
# For TCP
*.* @@<ELA_SERVER_IP>:514
UDP delivery is unacknowledged and drops messages under load or during a collector outage; prefer TCP unless the collector only accepts UDP.

For syslog-ng:
Open /etc/syslog-ng/syslog-ng.conf (or create a file under /etc/syslog-ng/conf.d/ if the main file includes that directory).
Add the following configuration:
destination d_ela { tcp("<ELA_SERVER_IP>" port(514)); };
log { source(s_src); destination(d_ela); };
Replace <ELA_SERVER_IP> with the IP address of the EventLog Analyzer server, and s_src with the name of the system source already defined in syslog-ng.conf (s_src on Debian/Ubuntu, s_sys on Red Hat based systems); syslog-ng refuses to start if the source name does not exist. The imfile configuration in Step 2 is rsyslog only; to read the application log file with syslog-ng, define a file() source for it and route that source to d_ela as well. Current syslog-ng releases mark tcp() as legacy in favour of network() with transport("tcp"), but both forms work.
Step 4: Restart the logging service
Restart the daemon identified in Step 1 (only one of the two is normally installed):
sudo systemctl restart rsyslog
sudo systemctl restart syslog-ng
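The whole procedure as a single script, added here as an example and not part of the ManageEngine article: it detects the running daemon, writes a drop-in for it, checks the syntax before restarting, and appends a test line to the monitored file. It uses the modern rsyslog (RainerScript) form of the Step 2 directives with a dedicated ruleset, so only the application file is sent to the collector and a short collector outage is buffered on disk instead of blocking the host's other logging. The application path, tag myapp, the address 192.0.2.10, facility local6 and the syslog-ng drop-in directory /etc/syslog-ng/conf.d/ are assumed values for this example. Because the input is bound to its own ruleset, a plain logger test message is not forwarded by it; the script therefore writes its test line into the log file itself.

```shell
#!/bin/sh
# Added example, not ManageEngine's code: build a forwarding drop-in for the
# daemon that is actually running, syntax-check it, restart, then write a test
# line into the monitored file. APP_LOG, APP_TAG, ELA_SERVER_IP and facility
# local6 are assumed placeholder values; the drop-in paths are distribution defaults.
set -eu

APP_LOG="${APP_LOG:-/var/log/myapp/app.log}"   # assumed application log path
APP_TAG="${APP_TAG:-myapp}"                    # program name shown in ELA
ELA_SERVER_IP="${ELA_SERVER_IP:-192.0.2.10}"   # RFC 5737 documentation address
ELA_PORT="${ELA_PORT:-514}"

# Prints rsyslog, syslog-ng or none. pgrep -x matches the process name only,
# so unlike "ps -ef | grep" it never matches itself.
detect_syslog_daemon() {
    if pgrep -x rsyslogd >/dev/null 2>&1; then echo rsyslog
    elif pgrep -x syslog-ng >/dev/null 2>&1; then echo syslog-ng
    else echo none
    fi
}

# rsyslog v8 (RainerScript) form of the legacy $Input* directives. The imfile
# input is bound to its own ruleset, so only this file goes to ELA, over TCP,
# through a disk-assisted queue that buffers while the collector is unreachable.
render_rsyslog_conf() {   # args: logfile tag server port
    cat <<EOF
module(load="imfile" PollingInterval="10")
input(type="imfile" File="$1" Tag="$2:" Facility="local6" Severity="info"
      PersistStateInterval="100" ruleset="to_ela")
ruleset(name="to_ela") {
    action(type="omfwd" target="$3" port="$4" protocol="tcp"
           queue.type="LinkedList" queue.filename="ela_fwd_$2"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}
EOF
}

# syslog-ng equivalent: a file() source with the same facility, the tag set
# through the PROGRAM field, and the non-legacy network() destination.
render_syslog_ng_conf() {   # args: logfile tag server port
    cat <<EOF
source s_app_$2 { file("$1" follow-freq(10) flags(no-parse) default-facility(local6)); };
rewrite r_tag_$2 { set("$2" value("PROGRAM")); };
destination d_ela { network("$3" port($4) transport("tcp")); };
log { source(s_app_$2); rewrite(r_tag_$2); destination(d_ela); };
EOF
}

apply_forwarding() {
    daemon=$(detect_syslog_daemon)
    case "$daemon" in
    rsyslog)
        render_rsyslog_conf "$APP_LOG" "$APP_TAG" "$ELA_SERVER_IP" "$ELA_PORT" \
            | sudo tee "/etc/rsyslog.d/$APP_TAG.conf" >/dev/null
        sudo rsyslogd -N1                     # parse check before touching the live daemon
        sudo systemctl restart rsyslog ;;
    syslog-ng)
        render_syslog_ng_conf "$APP_LOG" "$APP_TAG" "$ELA_SERVER_IP" "$ELA_PORT" \
            | sudo tee "/etc/syslog-ng/conf.d/$APP_TAG.conf" >/dev/null
        sudo syslog-ng -s                     # syntax-only check
        sudo systemctl restart syslog-ng ;;
    *)
        echo "no supported syslog daemon is running" >&2
        return 1 ;;
    esac
    # Append to the monitored file so the test travels the real imfile/file() path;
    # a "logger" message is not bound to the dedicated ruleset above.
    printf '%s ELA forwarding test from %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$(hostname)" \
        | sudo tee -a "$APP_LOG" >/dev/null
}

# Run with ELA_APPLY=1 to change the host; without it only the functions are defined.
if [ "${ELA_APPLY:-0}" = "1" ]; then
    apply_forwarding
fi
```

Run it as ELA_APPLY=1 APP_LOG=/path/to/app.log APP_TAG=myapp ELA_SERVER_IP=<ELA_SERVER_IP> sh forward.sh. If the application log lives outside /var/log on an SELinux-enforcing host, rsyslog may be denied read access to it even though the file mode allows it; check the audit log for a denial before suspecting the configuration.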
Validation and testing
Log in to the EventLog Analyzer web console.
Navigate to Log Search or Syslog Devices.
Send a test message from the Unix machine:
logger "Test log from Unix system"
Confirm that the test log appears in EventLog Analyzer.
Ensure the expected logs (e.g., auth logs, application logs) are being received, not just the test message: append a line to the application log file and confirm that it arrives with the tag and facility set in Step 2. A logger message proves only that the forwarding rule works, not that the application file is being read.
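When a message does not show up in the console it helps to see what the host actually puts on the wire. The following is an added example, not part of the ManageEngine article: a throwaway TCP syslog receiver with an RFC 3164 parser that decodes the PRI value into facility and severity and pulls out host, tag and message, so you can confirm that the application lines leave with the facility and tag configured in Step 2. The port 5514, the host name web01 and the tag APP are assumed values for the example; the sample frames in the test are constructed.

```python
"""Added example, not ManageEngine's code: a throwaway TCP syslog receiver and an
RFC 3164 parser, used to confirm what the Unix host really sends (facility, tag,
message) before hunting for it in the EventLog Analyzer console. Port 5514, the
host name web01 and the tag APP are assumed values for this example."""
import re
import socket

# Facility and severity names in PRI order (PRI = facility * 8 + severity).
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
               "solaris-cron"] + [f"local{i}" for i in range(8)])
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# BSD-style header: "Jun  1 12:00:00 host tag[pid]: message"
_HDR = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s\[]+)(?:\[\d+\])?: ?(.*)$",
                  re.S)


def parse_syslog(line):
    """Decode one RFC 3164 frame into facility/severity/host/tag/msg, or None if
    the frame has no valid PRI (the largest legal value is 23 * 8 + 7 = 191)."""
    m = _PRI.match(line.rstrip("\r\n"))
    if not m or int(m.group(1)) > 191:
        return None
    pri, rest = int(m.group(1)), m.group(2)
    rec = {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
           "host": None, "tag": None, "msg": rest}
    h = _HDR.match(rest)
    if h:  # header absent on some senders; keep the raw remainder as msg then
        rec.update(host=h.group(2), tag=h.group(3), msg=h.group(4))
    return rec


def expected_received(records, facility, tag):
    """True if at least one parsed record carries the facility and tag from Step 2."""
    return any(r["facility"] == facility and r["tag"] == tag for r in records)


def serve(port=5514, bind="0.0.0.0", max_lines=20):
    """Accept one TCP connection from the forwarder and parse LF-terminated frames,
    the default framing of rsyslog's omfwd and syslog-ng's network() over TCP.
    Returns the parsed records after max_lines or when the sender disconnects."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn, conn.makefile("rb") as frames:
            for raw in frames:
                rec = parse_syslog(raw.decode("utf-8", "replace"))
                if rec:
                    seen.append(rec)
                    print(peer[0], rec)
                if len(seen) >= max_lines:
                    break
    return seen


if __name__ == "__main__":
    records = serve()
    print("application log seen:", expected_received(records, "local6", "APP"))
```

Run it on a scratch host (or on the EventLog Analyzer server on a port the product is not using) and temporarily point the Step 3 target at that host and port. To probe the receiver without touching the forwarder, util-linux logger can send a frame directly: logger -n <testhost> -P 5514 -T -p local6.info -t APP "probe". The parser is not an RFC 5424 parser; if the forwarder is switched to the 5424 template the facility and severity are still decoded correctly but host and tag are left empty.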
Tips
Use separate configuration files (e.g., forward.conf) instead of editing the main config, so that package upgrades do not overwrite the change.
Regularly monitor log flow after configuration; forwarding can stop silently, for example when the collector's address changes or a firewall rule is tightened.
Enable timestamps and facility-based filtering if required for more structured log analysis.
When forwarding audit logs, the default SELinux policy on Red Hat based systems (Security-Enhanced Linux) may not allow the syslog daemon to read the audit log files. Refer to the Troubleshooting tips.