
Configuring the Syslog Service on UNIX devices

Steps to configure log forwarding manually

Note: Take note of the default port numbers used for the different protocols.

Default port number & protocol used

  1. 513 & 514 UDP
  2. 514 TCP
  3. 513 TLS

To find which syslog service is in use, run the command below:

ps aux | grep syslog

The output shows the currently running syslog service (syslogd, rsyslogd or syslog-ng).

Follow the steps below to configure log forwarding to EventLog Analyzer server based on the Syslog Service used.

  1. Add the required entries to the configuration file for the protocol in use, then restart the syslog daemon to apply the changes.
    • syslogd
      • File path: /etc/syslog.conf
      • UDP:

        *.*<space/tab>@<eventloganalyzer_server_name>:<port_no>

    • rsyslogd
      • File path: /etc/rsyslog.conf
      • UDP:

        *.*<space/tab>@<eventloganalyzer_server_name>:<port_no>

      • TCP:

        *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

      • TLS:

        Note: Check the prerequisites below before appending these entries.


        $DefaultNetstreamDriverCAFile <CACertificate>
        $ActionSendStreamDriver gtls
        $ActionSendStreamDriverMode 1
        $ActionSendStreamDriverAuthMode x509/name
        $ActionSendStreamDriverPermittedPeer <commonname>
        *.*<space/tab>@@<eventloganalyzer_server_name>:<port_no>

    • syslog-ng
      • File path: /etc/syslog-ng/syslog-ng.conf
      • <source_name> is the name of the existing source in syslog-ng.conf that contains the system(); and internal(); calls.

        For example, here <source_name> is "s_src":

        source s_src {
            system();
            internal();
        };

      • UDP:

        destination d_eventloganalyzer { network("<eventloganalyzer_server_name>" port(<port>) transport("udp")); };
        log { source(<source_name>); destination(d_eventloganalyzer); };

      • TCP:

        destination d_eventloganalyzer { network("<eventloganalyzer_server_name>" port(<port>) transport("tcp")); };
        log { source(<source_name>); destination(d_eventloganalyzer); };

      • TLS:

        Note: Check the prerequisites below before appending these entries.


        destination d_eventloganalyzer { network("<eventloganalyzer_server_name>" port(<port>) transport("tls") tls(key-file("/path/to/private.key") cert-file("/path/to/certificate.crt") ca-dir("/path/to/ca/directory"))); };
        log { source(<source_name>); destination(d_eventloganalyzer); };

  2. Save the configuration and restart the syslog daemon using one of the commands below:

    service <syslog/rsyslog/syslog-ng> restart

    or

    systemctl restart <syslog/rsyslog/syslog-ng>
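As an added example (not from the EventLog Analyzer documentation), this POSIX shell script pulls the steps above together: it identifies the running daemon and prints the exact entry to append for the chosen daemon and transport, refusing combinations the daemon does not support. The function names, the host ela.example.com and the default file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the EventLog Analyzer documentation: emit the
# forwarding entry for a given syslog daemon and transport. Function names,
# the host ela.example.com and the default paths below are assumptions.

# Print the running syslog daemon (syslogd, rsyslogd or syslog-ng). Matching
# on the command name, unlike `ps aux | grep syslog`, never lists the grep
# process itself.
detect_syslog_daemon() {
    ps -eo comm= 2>/dev/null | grep -E '^(syslogd|rsyslogd|syslog-ng)$' | head -n 1
}

# forward_entry DAEMON TRANSPORT HOST PORT
# Optional environment: CA_FILE and PEER_CN (rsyslog TLS); SOURCE_NAME,
# TLS_KEY, TLS_CERT and CA_DIR (syslog-ng). Defaults are placeholders.
forward_entry() {
    daemon=$1 transport=$2 host=$3 port=$4
    case "$daemon/$transport" in
    syslogd/udp|rsyslogd/udp)
        printf '*.*\t@%s:%s\n' "$host" "$port" ;;
    rsyslogd/tcp)
        printf '*.*\t@@%s:%s\n' "$host" "$port" ;;
    rsyslogd/tls)
        # Mode 1 forces TLS and x509/name makes rsyslog verify the server
        # certificate chain and CommonName, so a spoofed collector cannot
        # receive the logs.
        printf '$DefaultNetstreamDriverCAFile %s\n' "${CA_FILE:-/path/to/ca.crt}"
        printf '$ActionSendStreamDriver gtls\n'
        printf '$ActionSendStreamDriverMode 1\n'
        printf '$ActionSendStreamDriverAuthMode x509/name\n'
        printf '$ActionSendStreamDriverPermittedPeer %s\n' "${PEER_CN:-$host}"
        printf '*.*\t@@%s:%s\n' "$host" "$port" ;;
    syslog-ng/udp|syslog-ng/tcp)
        printf 'destination d_eventloganalyzer { network("%s" port(%s) transport("%s")); };\n' \
            "$host" "$port" "$transport"
        printf 'log { source(%s); destination(d_eventloganalyzer); };\n' "${SOURCE_NAME:-s_src}" ;;
    syslog-ng/tls)
        printf 'destination d_eventloganalyzer { network("%s" port(%s) transport("tls") tls(key-file("%s") cert-file("%s") ca-dir("%s"))); };\n' \
            "$host" "$port" "${TLS_KEY:-/path/to/private.key}" \
            "${TLS_CERT:-/path/to/certificate.crt}" "${CA_DIR:-/path/to/ca/directory}"
        printf 'log { source(%s); destination(d_eventloganalyzer); };\n' "${SOURCE_NAME:-s_src}" ;;
    *)
        # The legacy syslogd forwards over UDP only; reject anything else.
        echo "unsupported: $daemon over $transport" >&2
        return 1 ;;
    esac
}
```

Typical use is `forward_entry "$(detect_syslog_daemon)" tls ela.example.com 513 >> /etc/rsyslog.conf` followed by the restart from step 2.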

Note: The configuration above only enables forwarding of the machine's logs to the EventLog Analyzer server.

To configure automatic log forwarding from the EventLog Analyzer server using a sudo or non-sudo user, refer here.

Prerequisites:

  • Enable HTTPS and configure a valid certificate in server.xml. Click here to learn how to configure a valid SSL certificate.
  • Only the PFX format is supported for storing the certificate; if you use the keystore format, convert it to PFX first.

Using self-signed certificates:

  • After applying a self-signed certificate, a file named ca.crt is created in <EventLogAnalyzer_Home>/Certificates.
  • Use this file as the root certificate when configuring log forwarding on the clients.

Using other certificates:

  • To configure log forwarding, obtain the root certificate from the certificate vendor.

Note:
  1. To use a port other than the defaults listed above, specify it in the port management settings.
  2. The CommonName must match the value given in the certificate file.

Forwarding application/audit logs to the EventLog Analyzer Server

If the logs of a particular application, or audit logs, need to be forwarded, make the following changes on the Linux device in rsyslog.conf (or syslog.conf):

  1. Under the MODULES section, check that "$ModLoad imfile" is present. (The imfile module turns any input text file into syslog messages, which can then be forwarded to the EventLog Analyzer server.)
  2. The following directives describe the external log file:
    $InputFileName <Monitored_File_Absolute_Path>
    $InputFileStateFile <State_Filename>
    $InputFileSeverity <Severity>
    $InputFileFacility <Facility>
    $InputRunFileMonitor

  3. To forward the logs, add this line: <Facility>.<Severity> @Host-Ip:Port

Example:

$InputFileName /var/log/sample.log
$InputFileStateFile sample
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
local6.info @eventloganalyzer-Server:514

Here /var/log/sample.log is the external file to be forwarded.

Note:
  1. These instructions apply to all Linux devices.
  2. Use a unique <State_Filename> for each <Monitored_File_Absolute_Path>.
  3. When forwarding audit logs, the default SELinux (Security-Enhanced Linux) policies on Red Hat systems sometimes do not allow the audit logs to be read. Refer to the troubleshooting tips.
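Added example, not part of this documentation: a shell helper that generates the imfile block for a monitored file and derives the state file name from its absolute path, so that note 2 above (a unique state file per monitored path) holds automatically; a second function reports any state file name reused in an existing configuration. Function names and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the EventLog Analyzer documentation: build an imfile
# block with a state file derived from the monitored path, and find state
# files reused in an existing configuration. Function names and paths are
# assumptions.

# imfile_block FILE FACILITY SEVERITY HOST PORT
# The state file name is the absolute path with the leading '/' dropped and
# every other '/' replaced by '-', so two monitored files can never share a
# state file (sharing one makes rsyslog lose its read position and either
# re-send or skip lines).
imfile_block() {
    file=$1 facility=$2 severity=$3 host=$4 port=$5
    case "$facility" in
    local[0-7]|auth|authpriv|cron|daemon|kern|lpr|mail|news|syslog|user|uucp) ;;
    *) echo "unknown facility: $facility" >&2; return 1 ;;
    esac
    case "$severity" in
    emerg|alert|crit|err|warning|notice|info|debug) ;;
    *) echo "unknown severity: $severity" >&2; return 1 ;;
    esac
    state=$(printf '%s' "$file" | sed 's#^/##; s#/#-#g')
    printf '$InputFileName %s\n' "$file"
    printf '$InputFileStateFile %s\n' "$state"
    printf '$InputFileSeverity %s\n' "$severity"
    printf '$InputFileFacility %s\n' "$facility"
    printf '$InputRunFileMonitor\n'
    printf '%s.%s @%s:%s\n' "$facility" "$severity" "$host" "$port"
}

# duplicate_state_files < rsyslog.conf
# Prints each $InputFileStateFile value that appears more than once.
duplicate_state_files() {
    awk '$1 == "$InputFileStateFile" { n[$2]++ }
         END { for (s in n) if (n[s] > 1) print s }'
}
```

Run `duplicate_state_files < /etc/rsyslog.conf` after adding blocks; any name it prints must be changed before the daemon is restarted.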

Syntax for Installing Packages:

  • For CentOS/RHEL:

    yum install <package_name>

  • For Ubuntu:

    apt-get install <package_name>

  • For other Linux distributions, refer to the official website for package installation instructions.

Important Note: The privileges below are granted to an individual user.

Auto Log Forwarding Privileges for Sudo and Non-Sudo User:

Granting privileges on the rsyslog.conf [or] syslog.conf file:

setfacl -m u:<username>:rw /etc/rsyslog.conf [or] /etc/syslog.conf

Example:

syslog.conf: setfacl -m u:testuser:rw /etc/syslog.conf

rsyslog.conf: setfacl -m u:testuser:rw /etc/rsyslog.conf

Follow the instructions below to give a non-sudo user the privilege to restart the syslog/rsyslog service:

  • Use the root user to configure the privileges.
  • Execute the command below:

    visudo -f /etc/sudoers.d/<username>

  • Add the following line to the sudoers file:

    <username> ALL=NOPASSWD: /usr/sbin/service <syslog/rsyslog> restart

    Example:
    • visudo -f /etc/sudoers.d/testuser
    • testuser ALL=NOPASSWD: /usr/sbin/service rsyslog restart
  • To verify, run the command below:

    cat /etc/sudoers.d/<username>

    Example: cat /etc/sudoers.d/testuser

    Expected Output: testuser ALL=NOPASSWD: /usr/sbin/service rsyslog restart

Note: The acl package must be installed, and the filesystem must be mounted with ACL support. For more details, refer to the official documentation [ ref ].
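Added example, not from this documentation: a shell check that reads a sudoers.d file and confirms the only rule it contains is the expected restart command for the given user, so the log-forwarding account is never left with a broader NOPASSWD grant than the verification step above expects. The function name and the sample users are assumptions.

```shell
#!/bin/sh
# Added example, not from the EventLog Analyzer documentation: confirm that a
# sudoers.d fragment grants a user only the syslog restart command. The
# function name and the sample users are assumptions.

# check_restart_rule USERNAME DAEMON < /etc/sudoers.d/USERNAME
# Succeeds only when the expected NOPASSWD restart rule for DAEMON (syslog or
# rsyslog) is present and no other rule exists. A broader grant such as
# "NOPASSWD: ALL" fails the check, because it would turn the log-forwarding
# account into a general root escalation path.
check_restart_rule() {
    user=$1 daemon=$2 ok=0 bad=0
    expected="$user ALL=NOPASSWD: /usr/sbin/service $daemon restart"
    while IFS= read -r line || [ -n "$line" ]; do
        # Normalise whitespace so that extra spaces or tabs do not matter.
        line=$(printf '%s' "$line" | sed 's/[[:blank:]][[:blank:]]*/ /g; s/^ //; s/ $//')
        case "$line" in
        ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        if [ "$line" = "$expected" ]; then
            ok=1
        else
            echo "unexpected rule: $line" >&2
            bad=1
        fi
    done
    [ "$ok" -eq 1 ] && [ "$bad" -eq 0 ]
}
```

Usage: `check_restart_rule testuser rsyslog < /etc/sudoers.d/testuser && echo ok`.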

Copyright © 2020, ZOHO Corp. All Rights Reserved.
