The use of syslog is required to send log data from Linux systems to the USM Anywhere Sensor IP address over UDP on port 514, over TCP on port 601 or 602, or as Transport Layer Security (TLS)-encrypted data over TCP on port 6514 or 6515.
Using Syslog to Send Logs from a Linux System
General Information
Syslog is an industry-standard message logging protocol that is used on many devices and platforms. It provides a mechanism for network devices to send event messages to a logging server, also known as a syslog server; for example, a router might send messages about users logging on to console sessions, while a web server might log access-denied events. In this case, a USM Anywhere Sensor acts as the syslog server. USM Anywhere supports both the BSD syslog protocol (RFC 3164) and the newer syslog protocol (RFC 5424). For RFC 3164, USM Anywhere listens for syslog over UDP on port 514, TCP on port 601, or Transport Layer Security (TLS) on port 6514. For RFC 5424, USM Anywhere listens for syslog over TCP on port 602 or TLS on port 6515. Plain UDP and TCP carry the log data in clear text; use the TLS ports wherever the network path between the host and the Sensor is not trusted.
Follow the procedure that corresponds to the Linux distribution you use.
You must have sudo privileges to complete this procedure.
To send logs from Fedora Linux using syslog
-
On your Linux machine, open /etc/rsyslog.conf and add the following line:
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
Where <IP> is the IP address for the USM Anywhere Sensor. The *.* selector forwards all messages.
-
Restart rsyslog:
sudo service rsyslog restart
You must have sudo privileges to complete this procedure.
To send logs from Red Hat Enterprise Linux using syslog
-
On your Linux machine, install rsyslog for RHEL-5 (installed by default for RHEL-6 and 7):
sudo yum install rsyslog
-
Open /etc/rsyslog.conf and add the following line to the start of the file:
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
Where <IP> is the IP address for the USM Anywhere Sensor.
-
Restart rsyslog:
sudo service syslog stop (only for RHEL-5)
sudo service rsyslog restart
You must have sudo privileges to complete this procedure.
To send logs from openSUSE Distributions
-
Install rsyslogd:
sudo yast -i rsyslog
-
Set rsyslog as syslog server:
- Open /etc/sysconfig/syslog.
-
Add the following lines:
SYSLOG_DAEMON="rsyslogd"
RSYSLOGD_COMPAT_VERSION="4"
- Save it and run SuSEconfig.
-
On your Linux machine, open /etc/rsyslog.d/remote.conf and add the following line:
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
Where <IP> is the IP address for the USM Anywhere Sensor.
-
Restart rsyslog:
sudo service rsyslog restart
You must have sudo privileges to complete this procedure.
To send logs from Debian GNU/Linux and Ubuntu Distributions
-
On your Linux machine, open the appropriate configuration file:
- (debian) /etc/rsyslog.conf
- (ubuntu) /etc/rsyslog.d/50-default.conf
-
Add one of these lines:
- (UDP) *.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
- (TCP) *.* action(type="omfwd" target="<IP>" port="601" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
Where <IP> is the IP address for the USM Anywhere Sensor.
-
Restart rsyslog:
sudo service rsyslog restart
You must have sudo privileges to complete this procedure.
To send logs from SUSE Linux Enterprise Server Distribution
-
Install the rsyslogd package:
sudo yast -i rsyslog
-
Set rsyslog as syslog server by editing the following parameters in /etc/sysconfig/syslog:
SYSLOG_DAEMON="rsyslogd"
RSYSLOGD_COMPAT_VERSION="4"
- Save the file and run SuSEconfig.
-
On your Linux machine, open /etc/rsyslog.d/remote.conf and add the following line:
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
Where <IP> is the IP address for the USM Anywhere Sensor.
-
Restart rsyslog:
sudo rcsyslog restart
You must have sudo privileges to complete this procedure.
To send logs from Solaris distributions
-
On your Solaris system, open /etc/syslog.conf and add the following line:
*.notice	@<USM-Anywhere-Sensor-IP-address>
Important: In the foregoing line, you must separate *.notice from @<USM-Anywhere-Sensor-IP-address> with a tab; if you type a space, syslogd will not accept the entry.
-
Stop, then restart syslog:
Solaris 9 (SunOS 5.9) and earlier
sudo /etc/init.d/syslog stop
sudo /etc/init.d/syslog start
Solaris 10 (SunOS 5.10) and later
sudo svcadm refresh svc:/system/system-log
You must have sudo privileges to complete this procedure.
To send logs from FreeBSD Distributions
-
On your FreeBSD system, open /etc/syslog.conf and add the following line:
*.*	@<IP>
Where <IP> is the IP address for the USM Anywhere Sensor. FreeBSD uses the base-system syslogd rather than rsyslog, so the entry uses the classic syslog.conf forwarding syntax and sends over UDP on port 514.
-
Restart syslogd:
sudo service syslogd restart
You must have sudo privileges to complete this procedure.
To send logs from Gentoo Distribution
-
On your Linux machine, open /etc/rsyslog.conf and add the following line:
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
-
Restart rsyslog:
sudo /etc/init.d/rsyslog restart
You must have sudo privileges to complete this procedure.
To send logs from Arch Distribution
-
On your Linux machine, open /etc/rsyslog.conf and add the following line (it is rsyslog syntax, so it must go in the rsyslog configuration):
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
Where <IP> is the IP address for the USM Anywhere Sensor.
-
Restart rsyslog:
sudo systemctl restart rsyslog
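The rsyslog-based procedures above (Fedora, Red Hat Enterprise Linux, openSUSE, Debian/Ubuntu, SUSE Linux Enterprise Server, Gentoo and Arch) all install the same action() rule by hand, and the General Information section lists which port goes with which transport and syslog format. The following POSIX shell script is an added example, not part of the USM Anywhere documentation: it derives the port from the transport (udp, tcp or tls) and format (3164 or 5424), refuses a malformed Sensor address, writes the rule to a drop-in file, checks the whole configuration with rsyslogd -N1 before restarting, and sends a test event with logger. Everything it assumes is ours, not the page's: rsyslog 7 or later (action() syntax), a /etc/rsyslog.d include directory, the drop-in name 60-usm-forward.conf, and a CA bundle at /etc/rsyslog.d/usm-ca.pem for the TLS case. It does not apply to the Solaris and FreeBSD syslogd entries.

```shell
#!/bin/sh
# Added example, not part of the USM Anywhere documentation: generate and
# install the rsyslog forwarding rule used in the procedures above.
# Assumptions (ours, not the page's): rsyslog 7+ with action() syntax,
# a /etc/rsyslog.d drop-in directory, the drop-in name 60-usm-forward.conf,
# and a CA bundle at /etc/rsyslog.d/usm-ca.pem when TLS is chosen.

# usm_port TRANSPORT RFC: print the port USM Anywhere listens on for this
# transport/format pair (udp|tcp|tls, 3164|5424); fail on unsupported pairs.
usm_port() {
    case "$1/$2" in
        udp/3164) echo 514 ;;
        tcp/3164) echo 601 ;;
        tcp/5424) echo 602 ;;
        tls/3164) echo 6514 ;;
        tls/5424) echo 6515 ;;
        *) echo "unsupported transport/RFC pair: $1/$2" >&2; return 1 ;;
    esac
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# typo does not silently produce a rule that forwards nowhere.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# usm_forward_rule IP TRANSPORT [RFC]: print the rsyslog action() rule for
# the Sensor. TLS rules also print the global CA setting they depend on and
# authenticate the Sensor certificate instead of using anonymous TLS.
usm_forward_rule() {
    ip=$1; transport=$2; rfc=${3:-3164}
    valid_ipv4 "$ip" || { echo "invalid sensor address: $ip" >&2; return 1; }
    port=$(usm_port "$transport" "$rfc") || return 1
    proto=$transport; extra=""
    if [ "$rfc" = 5424 ]; then
        extra=' template="RSYSLOG_SyslogProtocol23Format"'   # rsyslog built-in RFC 5424 template
    fi
    if [ "$transport" = tls ]; then
        proto=tcp   # TLS runs over TCP; the port selects the USM Anywhere TLS listener
        printf 'global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/usm-ca.pem")\n'
        extra="$extra"' StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/certvalid"'
    fi
    printf '*.* action(type="omfwd" target="%s" port="%s" protocol="%s"%s action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")\n' \
        "$ip" "$port" "$proto" "$extra"
}

# install_rule IP TRANSPORT [RFC]: write the drop-in, syntax-check the whole
# configuration, restart rsyslog and emit a test event to look for in USM
# Anywhere. Must run as root.
install_rule() {
    conf=/etc/rsyslog.d/60-usm-forward.conf
    rule=$(usm_forward_rule "$@") || return 1
    printf '%s\n' "$rule" > "$conf"
    rsyslogd -N1 -f /etc/rsyslog.conf || {
        echo "rsyslog config check failed; $conf left in place for inspection" >&2
        return 1
    }
    systemctl restart rsyslog 2>/dev/null || service rsyslog restart
    logger -t usm-forward-test "forwarding test from $(hostname)"
}

# Usage: sh usm-forward.sh <sensor-ip> udp|tcp|tls [3164|5424]
if [ $# -gt 0 ]; then
    install_rule "$@"
fi
```

Run it as root with the Sensor address and transport, for example sh usm-forward.sh 10.0.0.5 tcp 3164. The TLS rule validates the Sensor certificate against the CA file rather than accepting an anonymous peer, since an unauthenticated TLS endpoint would let anyone on the path collect the logs. The in-memory linkedList queue from the procedures is kept as is; add queue.filename to the action if events must survive an rsyslog restart while the Sensor is unreachable.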