LOGalyze - Knowledge Base LOGalyze - Search, find, analyze - Open Source Log management, SIEM, Log analysis tool http://www.logalyze.com/support/knowledge-base 2018-02-22T07:41:48+01:00 Joomla! - Open Source Content Management How to forward Syslog UDP port 514 to LOGalyze 2012-07-25T14:06:07+02:00 2012-07-25T14:06:07+02:00 http://www.logalyze.com/support/knowledge-base/32-how-to-forward-syslog-udp-port-514-to-logalyze Balazs Vamos vamos.balazs@zuriel.hu <div class="feed-description"><hr /> <p><em><strong>NOTE:</strong> The instructions in this section assume that your firewall is enabled and is compatible with iptables.</em></p> <hr /> <p>LOGalyze usually runs as the unprivileged <em>logalyze</em> user, therefore it cannot directly listen on ports lower than 1024. To accept data on such a port, use port forwarding to redirect it to a port that LOGalyze can listen on directly. The default syslog collector port is 1670.</p> <p>You must run the following port forwarding command as <span class="systemitem">root</span>. 
</p> <pre><span class="command">iptables -t nat -A PREROUTING -p udp --destination-port 514 -j REDIRECT --to-ports 1670</span></pre> <p>Two things to check after adding the rule. First, PREROUTING only sees packets that arrive from the network: an rsyslog running on the LOGalyze host itself that sends to 127.0.0.1:514 passes through the OUTPUT chain of the nat table instead and needs the equivalent rule there (<span class="command">iptables -t nat -A OUTPUT -o lo -p udp --dport 514 -j REDIRECT --to-ports 1670</span>), or can simply be pointed at port 1670 directly. Second, the redirect is applied before the filter table is consulted, so an INPUT rule that lets log sources in must accept UDP port 1670, the destination port after rewriting, not 514. The rule as written matches every interface; restrict it with <span class="command">-i</span> or <span class="command">-s</span> to the network your log sources are on, and save it with your distribution's iptables persistence mechanism, because it does not survive a reboot. <span class="command">iptables -t nat -L PREROUTING -n</span> shows the active rule.</p></div> Development versions 2012-07-11T14:06:23+02:00 2012-07-11T14:06:23+02:00 http://www.logalyze.com/support/knowledge-base/30-development-versions Super User zdeakpal@logalyze.com <div class="feed-description"><p>We publicly release testing versions of full updates (called SNAPSHOTS) in order to get major feedback, especially for bug reporting, so that the official update is considerably more stable. 
While these versions are public, they are not recommended for production and their use is entirely optional.</p> <p>To install a development version, simply download logalyze-admin.war and the logalyze-engine archive (tar.gz or zip) and follow the instructions in the Installation Manual.</p> <p>Snapshots are available at <a href="snapshots/" target="_blank">http://www.logalyze.com/snapshots/</a></p></div> How to set up rsyslog to send data to LOGalyze 2012-06-15T16:36:44+02:00 2012-06-15T16:36:44+02:00 http://www.logalyze.com/support/knowledge-base/28-ho-to-set-up-rsyslog-to-send-data-to-logalyze Super User zdeakpal@logalyze.com <div class="feed-description"><h1>What is rsyslog?</h1> <p>Rsyslog is an <a href="http://en.wikipedia.org/wiki/Open_source" target="_blank" title="Open source">open source</a> software utility used on <a href="http://en.wikipedia.org/wiki/UNIX" target="_blank" title="UNIX">UNIX</a> and <a href="http://en.wikipedia.org/wiki/Unix-like" target="_blank" title="Unix-like">Unix-like</a> computer systems for forwarding <a href="http://en.wikipedia.org/wiki/Data_logging" target="_blank" title="Data logging">log messages</a> in an <a href="http://en.wikipedia.org/wiki/Internet_Protocol" target="_blank" title="Internet Protocol">IP</a> <a href="http://en.wikipedia.org/wiki/Computer_Network" title="Computer Network">network</a>. It implements the basic <a href="http://en.wikipedia.org/wiki/Syslog" target="_blank" title="Syslog">syslog</a> protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features such as using <a href="http://en.wikipedia.org/wiki/Transmission_Control_Protocol" target="_blank" title="Transmission Control Protocol">TCP</a> for transport.</p> <p>Source: <a href="http://en.wikipedia.org/wiki/Rsyslog" target="_blank">http://en.wikipedia.org/wiki/Rsyslog</a></p> <h1>1. Create a TCP/UDP syslog collector in LOGalyze</h1> <p>Go to Admin/Collectors. 
Add a new Collector with the following settings:</p> <ul> <li>DTP: socket</li> <li>DF: syslog</li> </ul> <p>Set the required socket and syslog parameters (the transport protocol and the listening port), save the collector config and restart the LOGalyze Engine.</p> <h1>2. Send log data with rsyslog</h1> <h2>2.1 Send log data from a file with rsyslog</h2> <p>Edit your rsyslog.conf file (usually in /etc/):</p> <pre>$ModLoad imfile<br />$InputFileName /var/log/your.log<br />$InputFileTag prefixtag:<br />$InputFileStateFile stat-prefixtag<br />$InputFileSeverity info<br />$InputRunFileMonitor<br />$InputFilePollInterval 10<br />*.* @@logalyzehost:1670</pre> <p>Be sure to replace <em>logalyzehost</em> and the port <em>1670</em> with the address and port shown on your Admin &gt; Collectors page. Note that <em>*.*</em> matches every message rsyslog handles, not only the lines read from your.log, so this configuration forwards all of the host's logs to LOGalyze. If you do not want the forwarded messages to be processed further by the rules that follow (for example written to the local log files a second time), add this line directly after the forwarding line; <em>&amp;</em> repeats the previous selector and <em>~</em> discards the matching messages:</p> <pre>&amp; ~</pre> <p>If you want to send data over UDP instead of TCP (although we do recommend TCP, because UDP silently drops messages under load and on network errors), the last line of your rsyslog.conf edit should be:</p> <pre>*.* @logalyzehost:[PORT #]</pre> <p>The InputFileTag line tells rsyslog what to use as the tag in the log records.</p> <p>The InputFileStateFile is the file in which rsyslog keeps track of how much of that file it has already sent, so that nothing is re-sent after a restart. Make this unique for each file that you monitor.</p> <h2>2.2 Sending syslog with rsyslog</h2> <p>To send the host's own syslog messages to LOGalyze with rsyslog, use one of the following configurations:</p> <pre># UDP<br />*.* @logalyzehost:[PORT #]</pre> <pre># TCP<br />*.* @@logalyzehost:[PORT #]</pre> <p>Lines starting with # are comments. Instead of *.* you can use the classic syslog.conf selectors to forward only a subset of the messages. 
For example: *.info, local0.*, etc.</p></div>
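<p>The following sender/receiver pair is an added example for smoke-testing a collector after the iptables redirect or the rsyslog change described above; it is not code from LOGalyze or rsyslog. It builds RFC 3164 lines with the PRI value rsyslog computes for a selector such as <em>local0.info</em> (facility * 8 + severity), delivers them either as UDP datagrams (the <em>@host:port</em> form) or over one TCP connection with the newline framing rsyslog uses for <em>@@host:port</em>, and runs a throwaway listener on an unprivileged ephemeral port that stands in for the LOGalyze socket collector on 1670. The host name <em>webhost</em>, the address 203.0.113.9, the fixed timestamp and the two log lines are constructed for the example, and the parser is a minimal RFC 3164 parser, not LOGalyze's syslog DF.</p>

```python
"""Syslog smoke test: build RFC 3164 messages the way rsyslog does and deliver
them over UDP ('@host:port') or TCP ('@@host:port', newline-framed records)."""
import re
import socket
import threading
import time

# Facility and severity codes used by syslog.conf selectors (RFC 3164 section 4.1.1).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

# Constructed fixed timestamp (2012-06-15 16:36:44) so sample lines are reproducible.
FIXED = time.struct_time((2012, 6, 15, 16, 36, 44, 4, 167, -1))


def pri(facility, severity):
    """PRI = facility * 8 + severity; local0.info -> 134."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility, severity, hostname, tag, msg, when=None):
    """Return an RFC 3164 line '<PRI>Mmm dd HH:MM:SS HOST TAG: MSG' (no trailing newline)."""
    when = when if when is not None else time.localtime()
    stamp = f"{time.strftime('%b', when)} {when.tm_mday:2d} {time.strftime('%H:%M:%S', when)}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {msg}"


_RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$", re.S)


def parse_message(line):
    """Split a received line back into its fields; raise ValueError if it is malformed."""
    m = _RFC3164.match(line)
    if not m:
        raise ValueError(f"not RFC 3164: {line!r}")
    code = int(m.group(1))
    if code > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {code}")
    return {"facility": code // 8, "severity": code % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def is_valid(line):
    """True if the line parses as RFC 3164 with a legal PRI."""
    try:
        parse_message(line)
        return True
    except ValueError:
        return False


def send(messages, host, port, proto="udp"):
    """UDP: one datagram per message. TCP: LF-terminated records on one connection."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for m in messages:
                s.sendto(m.encode(), (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall("".join(m + "\n" for m in messages).encode())
    else:
        raise ValueError(f"unknown transport {proto!r}")


class Collector:
    """Throwaway listener on an ephemeral unprivileged port, standing in for the
    LOGalyze socket collector (hypothetical stand-in, not LOGalyze code)."""

    def __init__(self, proto, host="127.0.0.1", port=0):
        self.proto = proto
        kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
        self.sock = socket.socket(socket.AF_INET, kind)
        self.sock.bind((host, port))
        if proto == "tcp":
            self.sock.listen(1)  # listen before the sender connects
        self.port = self.sock.getsockname()[1]
        self.received = []

    def run(self, expected):
        self.sock.settimeout(5)
        if self.proto == "udp":
            while len(self.received) < expected:
                data, _ = self.sock.recvfrom(65535)
                self.received.append(data.decode(errors="replace"))
        else:
            conn, _ = self.sock.accept()
            conn.settimeout(5)
            with conn:
                buf = b""
                while len(self.received) < expected:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
                    while b"\n" in buf:  # split the LF-framed records
                        rec, buf = buf.split(b"\n", 1)
                        self.received.append(rec.decode(errors="replace"))
        self.sock.close()


def roundtrip(proto, messages):
    """Send messages to a local stand-in collector over proto; return the parsed records."""
    col = Collector(proto)
    t = threading.Thread(target=col.run, args=(len(messages),))
    t.start()
    send(messages, "127.0.0.1", col.port, proto)
    t.join(timeout=10)
    return [parse_message(line) for line in col.received]


# Constructed sample records: what imfile emits for "$InputFileTag prefixtag:" on a
# local0.info line, and a typical auth.warning message from sshd.
SAMPLE = [
    build_message("local0", "info", "webhost", "prefixtag", "GET /login 200", FIXED),
    build_message("auth", "warning", "webhost", "sshd",
                  "Failed password for root from 203.0.113.9", FIXED),
]

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        for rec in roundtrip(proto, SAMPLE):
            print(proto, rec["facility"], rec["severity"], rec["tag"], rec["msg"])
```

<p>To test the port redirect rather than the local stand-in, run <em>send(SAMPLE, "logalyzehost", 514, "udp")</em> from a different host and confirm the records appear in the collector listening on 1670; sending from the LOGalyze host itself only exercises the PREROUTING rule if the traffic actually enters through a network interface.</p>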