How to forward application logs hosted on Linux/Unix machine

Objective  

This article outlines the steps required to collect logs from an application hosted on a Unix/Linux device by configuring the syslog service to forward log data to ManageEngine EventLog Analyzer. This setup allows centralized collection, monitoring, and auditing of system and application logs for security and compliance purposes.

Prerequisites  

  1. System requirements  
    • Log forwarding daemon: rsyslog or syslog-ng installed and enabled on the Unix system.
    • Network: A stable connection from the Unix system to the EventLog Analyzer server; log traffic flows in one direction only, from the Unix host to the collector.
    • Port usage: The EventLog Analyzer server must accept inbound traffic on its syslog listener ports (default: 513 and 514 for UDP, 514 for TCP), and the Linux hosts that send logs must be allowed to reach those ports outbound. Syslog over plain UDP or TCP is sent in clear text, so restrict the path to the collector at the firewall.
  2. User permissions  
    • Root or sudo access is required to:
      • Modify syslog configuration files such as /etc/rsyslog.conf or files under /etc/rsyslog.d/.
      • Restart the logging service (systemctl restart rsyslog or equivalent).
  3. Dependencies  
    • The syslog service (rsyslog or syslog-ng) must be active.
    • Firewall, SELinux, or AppArmor policy must allow the syslog daemon to read the application log file and to send outbound syslog traffic.
    • EventLog Analyzer must be configured to receive logs from remote Unix devices.
Steps to follow

Step 1: Identify the logging daemon  

Run the following commands to determine which syslog daemon is active. pgrep lists the matching process with its command line and avoids the classic pitfall of grep matching its own command line; systemctl reports the service state directly. Only one of the two daemons should be running.

pgrep -a rsyslogd
pgrep -a syslog-ng
systemctl is-active rsyslog syslog-ng

Step 2: Configure application log file monitoring (rsyslog only)  

  1. Create a new configuration file: sudo vi /etc/rsyslog.d/<application_name>.conf

  2. Add the following content to the file:

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$InputFileName <ConfiguredLogFile_Location>
$InputFileTag <application_name>:
$InputFileStateFile stat-<application_name>
#$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePersistStateInterval 100

Notes:

  • A '#' at the start of a line comments it out. $InputFileSeverity is optional; leave it commented to accept imfile's default severity, or remove the '#' and set a valid severity name (emerg, alert, crit, err, warning, notice, info or debug) if compliance reporting requires a specific one.
  • $InputFileTag and $InputFileStateFile are required in this (legacy) syntax: the tag identifies the application in EventLog Analyzer, and the state file records how far the file has been read so lines are not re-sent after a restart. Use a state file name that is unique per monitored file.
  • $InputFileFacility accepts a single facility (local7 here). To monitor several files, or to give files different facilities, repeat the block from $InputFileName to $InputRunFileMonitor once per file.
  • Replace <ConfiguredLogFile_Location> with the absolute path of the application log file. Because of $PrivDropToGroup adm, rsyslog reads the file with group adm privileges, so that group needs read permission on the file and on its directory.
  • Add or adjust fields based on log structure or compliance needs.

Step 3: Configure remote forwarding  

  1. For rsyslog:
    1. Open /etc/rsyslog.conf or, preferably, create a dedicated file such as /etc/rsyslog.d/forward.conf.

    2. Confirm that /etc/rsyslog.conf still includes the drop-in directory (most distributions ship this line already; without it the files under /etc/rsyslog.d/ are ignored):

$IncludeConfig /etc/rsyslog.d/*.conf

    3. Forward the logs to the EventLog Analyzer server. A single @ selects UDP and @@ selects TCP; use one or the other, not both:

# For UDP
*.* @<ELA_SERVER_IP>:514

# For TCP
*.* @@<ELA_SERVER_IP>:514

    4. Listener directives are not needed for forwarding. The following lines load rsyslog's input modules and open port 514 on the Linux host itself; add them only if this machine must also receive syslog from other devices, since they expose an additional inbound service:

      • UDP listener:

$ModLoad imudp
$UDPServerRun 514

      • TCP listener:

$ModLoad imtcp
$InputTCPServerRun 514

  2. For syslog-ng:
    1. Open /etc/syslog-ng/syslog-ng.conf (or add a file under /etc/syslog-ng/conf.d/ if the main file includes that directory).

    2. Add the following configuration:

destination d_ela { tcp("<ELA_SERVER_IP>" port(514)); };
log { source(s_src); destination(d_ela); };

    3. Replace <ELA_SERVER_IP> with the IP address of the EventLog Analyzer server, and s_src with the name of the default source already defined in your syslog-ng.conf (Debian/Ubuntu use s_src; Red Hat-based systems typically use s_sys). To send over UDP instead, use udp(...) in place of tcp(...).

Step 4: Restart logging services  

  • For rsyslog:

sudo systemctl restart rsyslog

  • For syslog-ng:

sudo systemctl restart syslog-ng
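
As an added example (not part of the ManageEngine article, and not EventLog Analyzer's own tooling), the following shell script generates the same two pieces of rsyslog configuration that Steps 2 and 3 describe, written in rsyslog's current RainerScript syntax instead of the legacy $-directives, checks the result with rsyslogd -N1, restarts the daemon and sends a tagged test message. The TCP variant attaches a disk-assisted queue so that messages are buffered locally while the collector is unreachable, which is the main practical reason to prefer TCP over UDP. The log path, tag and <ELA_SERVER_IP> placeholder are assumptions supplied as arguments; install_conf only runs when the script is invoked with all five arguments as root.

```shell
#!/bin/sh
# Added example, not from the ManageEngine article: render, validate and install
# the rsyslog drop-ins from Steps 2-3 using RainerScript syntax.
# Assumed values: log path, tag and <ELA_SERVER_IP> are supplied as arguments.
set -eu

# Tail one application log with imfile and stamp each line with a tag/facility.
# $1 = absolute log path, $2 = tag shown in EventLog Analyzer, $3 = facility (default local7)
render_imfile_conf() {
  logfile="$1"; tag="$2"; facility="${3:-local7}"
  cat <<EOF
module(load="imfile" PollingInterval="10")
input(type="imfile"
      File="${logfile}"
      Tag="${tag}:"
      Facility="${facility}"
      Severity="info"
      PersistStateInterval="100")
EOF
}

# Forward everything to the collector. $1 = host/IP, $2 = port, $3 = udp|tcp.
# In legacy syntax a single @ means UDP and @@ means TCP; here the protocol is explicit.
# The TCP action gets a disk-assisted queue so a short collector outage does not
# drop events; action.resumeRetryCount="-1" retries forever instead of giving up.
render_forward_conf() {
  target="$1"; port="$2"; proto="$3"
  case "$proto" in
    udp)
      printf 'action(type="omfwd" target="%s" port="%s" protocol="udp")\n' "$target" "$port"
      ;;
    tcp)
      cat <<EOF
action(type="omfwd" target="${target}" port="${port}" protocol="tcp"
       queue.type="LinkedList" queue.filename="ela_fwd" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
EOF
      ;;
    *)
      echo "render_forward_conf: protocol must be udp or tcp, got '$proto'" >&2
      return 1
      ;;
  esac
}

# Write both files, parse-check the complete configuration, restart, and emit a
# test line. Must run as root; a non-zero exit from rsyslogd -N1 aborts the restart
# because of set -e, so a typo never takes the daemon down.
install_conf() {
  logfile="$1"; tag="$2"; target="$3"; port="$4"; proto="$5"
  render_imfile_conf "$logfile" "$tag" > "/etc/rsyslog.d/${tag}.conf"
  render_forward_conf "$target" "$port" "$proto" > /etc/rsyslog.d/forward-ela.conf
  rsyslogd -N1
  systemctl restart rsyslog
  logger -t "$tag" -p local7.info "Test log from $(hostname) to ${target}:${port}/${proto}"
}

# Only act when called with all five arguments, e.g.
#   sudo sh ela-forward.sh /var/log/myapp/app.log myapp <ELA_SERVER_IP> 514 tcp
if [ "$#" -eq 5 ]; then
  install_conf "$@"
fi
```

Run it as `sudo sh ela-forward.sh /var/log/myapp/app.log myapp <ELA_SERVER_IP> 514 tcp`. Do not keep both the legacy block from Step 2 and the RainerScript input for the same file: rsyslog would read the file twice and every line would reach EventLog Analyzer in duplicate. The queue.filename setting relies on the $WorkDirectory that distribution packages already set in /etc/rsyslog.conf.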

Validation and testing

  1. Log in to the EventLog Analyzer web console.
  2. Navigate to Log Search or Syslog Devices.
  3. Send a test message from the Unix machine, tagged so that it is easy to find: logger -t ela-test "Test log from Unix system"
  4. Confirm that the test log appears in EventLog Analyzer under the Unix host's IP address or hostname.
  5. Ensure that the expected logs (e.g., auth logs and the monitored application log) are also being received, not only the test message.
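
The validation steps above check the collector side. As an added example (not from the article), the helper functions below check the sending side: they compute the PRI value that a given facility and severity carry on the wire (PRI = facility × 8 + severity, as defined in RFC 3164), render the line as rsyslog's default forwarding template emits it for a message without a PID so it can be compared with a tcpdump capture or the raw event shown in EventLog Analyzer, test TCP reachability of the collector with bash's /dev/tcp (no netcat required), and send a tagged logger message. The host name and timestamp used in the comments are constructed; the collector address and port are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the ManageEngine article: sender-side checks for a
# syslog forwarding path. Facility/severity numbers follow RFC 3164.
set -eu

# Facility keyword (as accepted by logger -p) to its number.
facility_num() {
  case "$1" in
    kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
    auth) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
    uucp) echo 8 ;; cron) echo 9 ;; authpriv) echo 10 ;; ftp) echo 11 ;;
    local[0-7]) echo $(( 16 + ${1#local} )) ;;
    *) echo "unknown facility: $1" >&2; return 1 ;;
  esac
}

# Severity keyword to its number.
severity_num() {
  case "$1" in
    emerg|panic) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err|error) echo 3 ;;
    warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
    *) echo "unknown severity: $1" >&2; return 1 ;;
  esac
}

# PRI value that appears in angle brackets at the start of the wire message.
# Fails (non-zero) on an unknown keyword instead of emitting a bogus number.
syslog_pri() {
  f=$(facility_num "$1") || return 1
  s=$(severity_num "$2") || return 1
  echo $(( f * 8 + s ))
}

# The RFC 3164 line rsyslog's default forwarding template produces for a message
# without a PID. The timestamp is passed in so output is reproducible; real
# messages carry the current time.
# $1 facility, $2 severity, $3 hostname, $4 tag, $5 timestamp, $6 message
format_rfc3164() {
  printf '<%s>%s %s %s: %s\n' "$(syslog_pri "$1" "$2")" "$5" "$3" "$4" "$6"
}

# Can this host open a TCP connection to the collector? Uses bash's /dev/tcp so
# no netcat is needed. Returns 0 on success, non-zero on refusal or timeout.
# $1 host, $2 port
check_tcp_egress() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Send a tagged test message through the local daemon with an explicit
# facility.severity, so the PRI seen in the console can be checked against syslog_pri.
# $1 tag, $2 facility, $3 severity
send_test_message() {
  logger -t "$1" -p "$2.$3" "Test log from $(hostname) [$1]"
}

# Usage: sh check-forwarding.sh <ELA_SERVER_IP> 514
if [ "$#" -eq 2 ]; then
  if check_tcp_egress "$1" "$2"; then
    echo "TCP egress to $1:$2 OK"
  else
    echo "cannot reach $1:$2 over TCP (firewall, wrong port, or listener not running)" >&2
    exit 1
  fi
  echo "expect PRI $(syslog_pri local7 info) for the test message"
  send_test_message ela-test local7 info
fi
```

Run `sh check-forwarding.sh <ELA_SERVER_IP> 514` on the Unix host before looking in the console: a refused or timed-out connection means the problem is on the network path or the collector, not in rsyslog. For UDP there is no handshake to probe, so the only check is that the tagged message appears in EventLog Analyzer; if it does not, capture the outgoing packets with tcpdump and compare them with the output of format_rfc3164.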

Tips

  • Use separate configuration files (e.g., forward.conf) instead of editing the main config; they are easier to review and to remove.
  • Monitor log flow after configuration, and re-check after log rotation and syslog restarts: a monitored file that the daemon can no longer read stops producing events silently.
  • Prefer TCP (@@) over UDP (@) when message loss is unacceptable; UDP delivery is neither acknowledged nor retried.
  • Enable timestamps and facility-based filtering if required for more structured log analysis.
  • When forwarding audit logs, the default SELinux policy on Red Hat-based systems may prevent rsyslog from reading the audit log files. Refer to Troubleshooting tips.

Related Articles and Topics  

 

  • How to migrate EventLog Analyzer standalone edition to different server or drive [Linux to Linux]
  • How to import logs in EventLog Analyzer from a local path
  • File Integrity Monitoring Issues for Linux
  • How to import logs in EventLog Analyzer from S3 bucket
  • Offline Logs Management