Objective  

Prerequisites  

1. System requirements  
   

• Log forwarding daemon: Rsyslog or syslog-ng installed and enabled on the Unix system.
• Network: Stable unidirectional connection from the Unix system to the EventLog Analyzer server.
• Port Usage: Ensure that inbound ports are open as per EventLog Analyzer syslog listener ports (Default: 513 and 514 (UDP) or 514 (TCP)). Correspondingly, the outbound traffic on these same ports must be allowed and active on the Linux machines sending the logs.

1. User permissions  

• Root or sudo access is required to:

• Modify syslog configuration files like /etc/rsyslog.conf or files under /etc/rsyslog.d/.
• Restart the logging service (systemctl restart rsyslog or equivalent).

1. Dependencies  

• Syslog service (rsyslog or syslog-ng) must be active.
• Firewall, SELinux, or AppArmor must allow outbound syslog traffic.
• EventLog Analyzer must be configured to receive logs from remote Unix devices.

Step 1: Identify the logging daemon  

Run the following commands to determine the active syslog daemon:

ps -ef | grep rsyslog
ps -ef | grep syslog-ng

Step 2: Configure application log file monitoring (rsyslog only)  

1. Create a new configuration file: sudo vi /etc/rsyslog.d/<application_name>.conf

2. Add the following content to the file:

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$InputFileName <ConfiguredLogFile_Location>
#$InputFileTag APP
#$InputFileStateFile Stat-APP
#$InputFileSeverity 120
$InputFileFacility local7 local6 local5 local4 local3 local2 local1
$InputRunFileMonitor
$InputFilePersistStateInterval 100

Notes:

• The '#' used at the starting of each line denotes that the line is commented. If the user needed those field, it can be uncommented by just removing it.
• Replace <ConfiguredLogFile_Location> with the path of the application log file. (Sample Image below)
• Add or adjust fields based on log structure or compliance needs.

Step 3: Configure remote forwarding  

1. For rsyslog:

1. Open /etc/rsyslog.conf or use a dedicated file like /etc/rsyslog.d/forward.conf.

2. Add the following lines:

• For UDP:

1. $ModLoad imudp
   $UDPServerRun 514

• For TCP:

1. $ModLoad imtcp
   $InputTCPServerRun 514

3. Include all configuration files:

$IncludeConfig /etc/rsyslog.d/*.conf

4. Forward the logs to the EventLog Analyzer server:

# For UDP
*.* @<ELA_SERVER_IP>:514

# For TCP
*.* @@<ELA_SERVER_IP>:514

1. For syslog-ng:

1. Open /etc/syslog-ng/syslog-ng.conf.

2. Add the following configuration:

destination d_ela { tcp("<ELA_SERVER_IP>" port(514)); };
log { source(s_src); destination(d_ela); };

1. Replace <ELA_SERVER_IP> with the IP address of the EventLog Analyzer server.
   

Step 4: Restart logging services  

• For rsyslog:

sudo systemctl restart rsyslog

• For syslog-ng:

sudo systemctl restart syslog-ng

Validation and testing

1. Log in to the EventLog Analyzer web console.
2. Navigate to Log Search or Syslog Devices.
3. Run a test message from the Unix machine: logger "Test log from Unix system"

4. Confirm that the test log appears in EventLog Analyzer.
5. Ensure expected logs (e.g., auth logs, application logs) are being received.

Tips

• Use separate configuration files (e.g., forward.conf) instead of editing the main config.
• Regularly monitor log flow after configuration.
• Enable timestamps and facility-based filtering if required for more structured log analysis.
• When forwarding audit logs, sometimes default policies in Red Hat systems with Security enhancement (SElinux) won't allow the audit logs to be read. Refer to Troubleshooting tips.

Related Articles and Topics  

• Steps to Configure Log Forwarding Manually
• Forwarding application/audit logs to the EventLog Analyzer Server
• Syntax for Installing Packages
• Auto Log Forwarding Privileges for Sudo and Non-Sudo User