Add Log Sources
Configuring Syslog Service
On a UNIX device

What is in this guide
Introduction
- Overview
- Release Notes
Setup the Product
- What's in this section
- System Requirements
- Prerequisites
- Install and Uninstall
- Start and Shutdown
- Connect to Server
- Backing up database
- Increasing Product Memory
- License Details
- Get Started
- Service Account Permission
Add Log Sources
- What's in this section
- Adding Windows Devices
- Adding Syslog Devices
- Adding CEF devices
- Adding Other Devices
- Adding IBM iseries(AS400) devices
- Adding VMware(Exsi) devices
- Adding vCenter
- Adding Application Sources
- Adding AWS EC2 Windows instance
- Configuring Syslog Service
User Interface
- Tabs
- Dashboard Views
- Customize Dashboard Views
- Log Receiver
- Global Search
EventLog Analyzer Reports
- Reports - Overview
- Configuring out-of-the-box reports
- Managing Predefined Reports
- Managing Report Views
- Create Custom Reports
- Schedule Reports
- Mark report as favourite
- Available Reports
Threat Intelligence Data Analytics
- Overview
- FireEye Threat Solutions
- Symantec Endpoint Solutions
- Symantec DLP Applications
- Malwarebytes Solutions
- CEF format
- Configuring McAfee solutions for analysis
Vulnerability Data Analytics
- Overview
- Vulnerability reports
Real-time Event Correlation
- Understanding Correlation
- Correlation Reports
- Last Ten Incidents Overview
- Activity Reports
- Creating Custom Correlation Rules
- Managing Correlation Rules
Compliance
- Compliance Reports
- Risk Posture
  - Overview
  - SQL Server
Search Logs
- Overview
- How to Search Logs
- How to Extract New Fields
- How to Tag Fields
Threat investigation
- Incident workbench
- Device Summary
Alerts
- Overview
- Create Alert Profile
- View Log Alerts
- Alert Notification & Remediation
- Ticketing Tools Integration
- Manage alert Profiles
- Bulk Deleting/Updating Alerts
Incident Management
- Create and assign workflow profiles
- Incident Workflow Management
Framework Integration
- MITRE ATT&CK TTP(S) Framework Integration
Configurations
- What's in this section
- Device Management
- Applications
- Database Audit
- File Integrity Monitoring
- Manage security applications
- Adding custom threat sources
- Advanced Threat Analytics
- Threat Whitelisting
- Threat Import
- Switching threat stores
- Manage Vulnerability Data
- Device Group Management
- VM Management
- Log Forwarder
- Manage Cloud Sources
Admin Settings
- Admin Settings
- Privacy Settings
- Agent Administration
  - Agent Administration
  - Agent Settings
- Archive
- Technicians and Roles
- Logon Settings
- Security hardening
- Reset Account Settings
- Domains and Workgroups
- Working Hour Settings
- Product Settings
- API Settings
  - API Settings
  - Get log sources
  - Get log fields
  - Get log types
  - Synchronous search
  - Asynchronous search
  - Jobs endpoint
  - Jobs Result endpoint
  - Get alert profiles
  - Synchronous alerts
  - Asynchronous alerts
- Retention Settings
- Log Collection Filter
- Log Collection Alerts
- Report Profiles
- Custom Log Parser
- Tags
- Profiles
- Database settings
  - Database auto backup
  - Database migration
System Settings
- System Settings
- Notification Settings
- Manage Account TFA
- Install EventLog Analyzer as a service
- Connection Settings
- Re-branding
- System Diagnostics
- Port Management
Help, Questions, and Tips
- Troubleshooting Tips
- Frequently Asked Questions
- EventLog Analyzer Help
Additional Utilities
- Additional Utilities
- Data Migration
- Working with HTTPS
- Configure MS SQL Database
- Migrate data from PostgreSQL to MS SQL database
- Migrate data from MySQL to MS SQL database
- Move Database to Different Directory in the Same Server
- Move Installation to Another Machine
- Configurations after changing the EventLog Analyzer server Hostname/IP address
- Move Installation to Different Directory in the Same Server
- Configuring NAT Settings
- Disk monitoring for search nodes
- SSL/TLS Settings for Elasticsearch
- Configuring DNS servers
Distributed Edition
- Introduction to Distributed Edition
- Prerequisites for converting EventLog Analyzer standalone to distributed edition
- Converting standalone installation to Admin Server
- Converting standalone installation to Managed Server
- Manage Server Settings
- Setting up auto upgrade
- Auto-upgrade guidelines
- Frequently Asked Questions
- Centralized log archival
Search Engine - Elasticsearch
- Data Upgrade
Technical Support
- Technical Support
- Create SIF offline
- Contact Support

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Download PDF lhs-panel

lhs-panel

lhs-panel

Click here to expand

Configuring the Syslog Service on a UNIX devices

Steps to configure log forwarding manually

Note: Please take a note of the default port numbers used for the different protocols.

Default port number & protocol used

513 & 514 UDP
514 TCP
513 TLS

To find the Syslog service used, use the below command

Copy to Clipboard

ps aux | grep syslog

As a result, this will return the current running Syslog service.

Follow the steps below to configure log forwarding to EventLog Analyzer server based on the Syslog Service used.

Add the required entries in the configuration file based on protocol. Restart the syslog daemon service to apply the changes
- syslogd
  - File path: /etc/syslog.conf
  - UDP:
    
    Copy to Clipboard
    
    *.*<space/tab>@<eventloganalyzer_server_name>:<port_no>
- rsyslogd
  - File path: /etc/rsyslog.conf
  - UDP:
    
    Copy to Clipboard
    
    *.*<space/tab>@<eventloganalyzer_server_name>:<port_no>
  - TCP:
    
    Copy to Clipboard
    
    *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>
  - TLS:
    Note: Please check the prerequisites before appending the entries mentioned
    
    Copy to Clipboard
    
    $DefaultNetstreamDriverCAFile <CACertificate>
    
    $ActionSendStreamDriver gtls
    
    $ActionSendStreamDriverMode 1
    
    $ActionSendStreamDriverAuthMode x509/name
    
    $ActionSendStreamDriverPermittedPeer <commonname>
    
    *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>
- syslog-ng
  - File path: /etc/syslog-ng/syslog-ng.conf
  - <source_name> can be found from existing configuration of source with system(); and internal(); calls in the syslog-ng.conf file
    For ex: Here the <source_name> should be "s_src"
    
    source s_src {
    
    system();
    
    internal();
    
    };
  - UDP:
    Copy to Clipboard
    destination d_eventloganalyzer { network(<eventloganalyzer_server_name> port(<port>) transport("udp")); }; log { source(<source_name>); destination(d_eventloganalyzer); };
  - TCP:
    Copy to Clipboard
    destination d_eventloganalyzer { network(<eventloganalyzer_server_name> port(<port>) transport("tcp")); }; log { source(<source_name>); destination(d_eventloganalyzer); };
  - TLS:
    Note: Please check the prerequisites before appending the entries mentioned
    Copy to Clipboard
    destination d_eventloganalyzer { network(<eventloganalyzer_server_name> port(<port>) transport("tls") tls(key-file("/path/to/private.key") cert-file("/path/to/certificate.crt") ca-dir("/path/to/ca/directory"))); }; log { source(<source_name>); destination(d_eventloganalyzer); };
Save the configuration and restart the Syslog daemon using the below command

Copy to Clipboard

service <syslog/rsyslog/syslog-ng> restart

or

Copy to Clipboard

systemctl restart <syslog/rsyslog/syslog-ng>

Note:

The above configuration will only enable forwarding the machine logs to the EventLog Analyzer server.

To configure auto log forwarding from EventLogAnalyzer server using sudo or non sudo user, refer here.

Prerequisites:

Enable HTTPS and configure a valid certificate in server.xml. Click here to know how to configure a valid SSL certificate.
Only pfx format is supported for storing certificate, if you use keystore format, please convert it to pfx.

Using self-signed certificates:

After applying a self-signed certificate, a file named ca.crt will be created in the location <EventLogAnalyzer_Home>/Certificates.
Use this file as the root certificate while configuring log forwarding in clients.

Using other certificates:

For configuring log forwarding, get the root certificate from the certificate vendor.

Note:

If you want to use a different port other than the default ports as specified above, please specify it in the port management settings.
The CommonName should be the same value as given in the certificate file.

Forwarding application/audit logs to the EventLog Analyzer Server

If any particular applications' logs or audit logs needs to be forwarded, then the following configurations needs to be done in Linux devices under rsyslog.conf (or) syslog.conf

Under the MODULES section, check whether the "$ModLoad imfile" is included. (This module "imfile" converts any input text file into a syslog message,which can then be forwarded to the EventLog Analyzer Server.)
The following directives contain the details of the external log file:
$InputFileName <Monitored_File_Absolute_Path>
$InputFileStateFile <State_Filename>
$InputFileSeverity <Severity >
$InputFileFacility <Facility >
$InputRunFileMonitor
To forward the logs we must provide this line: <Facility>.<Severity> @Host-Ip:Port

Example:

$InputFileName /var/log/sample.log

$InputFileStateFile sample

$InputFileSeverity info

$InputFileFacility local6

local6.info @eventloganalyzer-Server:514

Here /var/log/sample.log is the external file to be forwarded.

Note:

These instructions can be applied to all Linux devices.
Please use a unique <State_Filename> for different <Monitored_File_Absolute_Path>.
When forwarding audit logs, sometimes default policies in Red Hat systems with Security enhancement (SElinux) won't allow the audit logs to be read. Refer troubleshooting tips.

Syntax for Installing Packages:

For CentOS/RHEL:

Copy to Clipboard

yum install <package_name>
For Ubuntu:

Copy to Clipboard

apt-get install <package_name>
For other Linux distros kindly refer the official website for package installation.

Important Note: The below privileges are specific to an individual user.

Auto Log Forwarding Privileges for Sudo and Non-Sudo User:

Granting privileges to the rsyslog.conf [or] syslog.conf file.

Copy to Clipboard

setfacl -m u:<username>:rw /etc/rsyslog.conf [or] /etc/syslog.conf

Example:

syslog.conf: setfacl -m u:testuser:rw /etc/syslog.conf

rsyslog.conf: setfacl -m u:testuser:rw /etc/rsyslog.conf

Please follow the instructions below to give restart privilege for the syslog/rsyslog service for non-sudo user:

Use the root user for configuring the privileges.
Please execute the below command:

Copy to Clipboard

visudo -f /etc/sudoers.d/<username>
Add the below line to the sudoers file:

Copy to Clipboard

<username> ALL=NOPASSWD: /usr/sbin/service <syslog/rsyslog> restart

Example:
- visudo -f /etc/sudoers.d/testuser
- testuser ALL=NOPASSWD: /usr/sbin/service rsyslog restart
To verify, follow the below command

Copy to Clipboard

cat /etc/sudoers.d/<username>

Example: cat /etc/sudoers.d/testuser

Expected Output: testuser ALL=NOPASSWD: /usr/sbin/service rsyslog restart

Note: The acl package must be installed. Before that the filesystem is mounted with the acl support. For more details, kindly refer the official documentation [ ref ].

On this page

Steps to configure log forwarding manually
Forwarding application/audit logs to the EventLog Analyzer Server
Syntax for Installing Packages
Auto Log Forwarding Privileges for Sudo and Non-Sudo User

Don't see what you're looking for?

Visit our community
Post your questions in the forum.
Request additional resources
Send us your requirements.
Need implementation assistance?
Try OnboardPro

Copyright © 2025, ZOHO Corp. All Rights Reserved.

Get download link