LOGalyze

How to forward Syslog UDP port 514 to LOGalyze


NOTE: The instructions in this section assume that your firewall is enabled and is compatible with iptables.


LOGalyze usually runs as the logalyze user, therefore it cannot directly listen on ports lower than 1024. To receive data on such a port, use port forwarding to redirect it to a port that LOGalyze can listen on directly. The default syslog collector port is 1670.

You must run the following port forwarding command as root.

iptables -t nat -A PREROUTING -p udp --destination-port 514 -j REDIRECT --to-ports 1670


Development versions

We publicly release testing versions of full updates (called SNAPSHOTS) in order to gather feedback, especially bug reports, so that the official update is considerably more stable. Although these versions are public, they are not recommended for production use and are completely optional.

To install a development version, download logalyze-admin.war and the logalyze-engine archive (tar.gz or zip format) and follow the instructions in the Installation Manual.

Snapshots are available at http://www.logalyze.com/snapshots/


How to set up rsyslog to send data to LOGalyze

What is rsyslog?

Rsyslog is an open source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features such as using TCP for transport.

Source: http://en.wikipedia.org/wiki/Rsyslog

1. Create a TCP/UDP syslog collector in LOGalyze

Go to Admin/Collectors. Add a new Collector with the following settings:

  • DTP: socket
  • DF: syslog

Set the required socket and syslog parameters, save the collector configuration and restart the LOGalyze Engine.

2. Send log data with rsyslog

2.1 Send log data from file with rsyslog

Edit your rsyslog.conf file (usually in /etc/):

$ModLoad imfile
$InputFileName /var/log/your.log
$InputFileTag prefixtag:
$InputFileStateFile stat-prefixtag
$InputFileSeverity info
$InputRunFileMonitor
$InputFilePollInterval 10

*.* @@logalyzehost:1670

Be sure to replace logalyzehost and the port 1670 with the address and port shown on your Admin > Collectors page. This configuration makes rsyslog send all of the messages read from your.log to LOGalyze. If you do not like this behavior, add the following line (in rsyslog's legacy syntax it discards the messages matched by the preceding rule, so no later rule processes them) as the first rule after it:

& ~

If you want to send data over UDP instead of TCP (although we do recommend TCP), the last line of your rsyslog.conf edit should be:

*.* @logalyzehost:[PORT #]

The InputFileTag line tells rsyslog which tag to add to the log records.

The InputFileStateFile is the file in which rsyslog keeps track of how much of that log file it has already sent. Make it unique for each file you monitor.


2.2 Sending syslog with rsyslog

To send plain syslog messages to LOGalyze with rsyslog, use one of the following configurations:

# UDP
*.* @logalyzehost:[PORT #]

# TCP
*.* @@logalyzehost:[PORT #]

Note that lines starting with # are comments. You can use the usual syslog.conf selectors instead of *.*, for example *.info, local0.*, etc.
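Before restarting rsyslog, it is worth checking the snippets from 2.1 and 2.2 for the mistakes this page warns about: a state file reused for two monitored files, a UDP forward where TCP was recommended, and a placeholder host or port left in place. The checker below is an added example (not LOGalyze or rsyslog code); it only understands the legacy "$Input..." and "selector @host:port" lines shown above, and the sample config it inspects is constructed.

```python
import re

# Constructed sample mirroring the page's snippet: two monitored files that
# accidentally share one state file, and a UDP forward with the port left unset.
SAMPLE_CONF = """\
$ModLoad imfile
$InputFileName /var/log/app.log
$InputFileTag app:
$InputFileStateFile stat-app
$InputRunFileMonitor
$InputFileName /var/log/db.log
$InputFileTag db:
$InputFileStateFile stat-app
$InputRunFileMonitor
# UDP forward
*.* @logalyzehost:[PORT #]
"""

# selector, '@' (UDP) or '@@' (TCP), host, port
FORWARD_RE = re.compile(r"^(\S+)\s+(@@?)([^:\s]+):(.+)$")

def lint_rsyslog(conf):
    """Return findings (strings) for a legacy-syntax rsyslog forwarding snippet."""
    findings, state_owner, current_file = [], {}, None
    for n, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # blank or comment line
            continue
        if line.startswith("$InputFileName "):
            current_file = line.split(None, 1)[1]
        elif line.startswith("$InputFileStateFile "):
            state = line.split(None, 1)[1]
            if state in state_owner:  # the state file must be unique per file
                findings.append(f"line {n}: state file '{state}' already used for "
                                f"{state_owner[state]}; make it unique per file")
            else:
                state_owner[state] = current_file
        else:
            m = FORWARD_RE.match(line)
            if not m:
                continue
            proto, host, port = m.group(2), m.group(3), m.group(4)
            if proto == "@":  # a single '@' is UDP; the page recommends TCP ('@@')
                findings.append(f"line {n}: UDP forward to {host}; prefer TCP (@@)")
            if host == "logalyzehost" or not port.isdigit():
                findings.append(f"line {n}: replace placeholder host/port "
                                f"{host}:{port} with the collector's address")
    return findings
```

Running lint_rsyslog(SAMPLE_CONF) reports the duplicated state file on line 8 and both problems with the forward rule on line 11; a config with unique state files and a TCP forward to a real address and numeric port yields no findings.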
