Syslog forwarding is used to send log messages to Alert Logic Log Manager. The device is then listed in the Alert Logic console at Deployments > a deployment > Configure Log Sources. Consider the following scenarios.
Note: The following information applies only to those customers with Alert Logic® Cloud Defender™ entitlements, including Threat Manager™, Log Manager™, and Web Application Firewall™.
Existing Central Syslog Server
If you already have a central syslog server, you can forward syslog traffic to a virtual or physical appliance. The image below summarizes how logs are collected with an existing central syslog server.
New Central Syslog Server
If you do not have a central syslog server already established, or you wish to have a separate collection path, you can install a virtual or physical appliance and send syslog traffic directly to the appliance. The image below summarizes how logs are collected without a central syslog server.
Note: This information and more can also be found within Alert Logic Product Documentation.
Configure Syslog for Agentless Collection
The Log Manager appliance listens for syslog data on TCP and UDP port 514. The appliance will process any syslog traffic directed to the local IP address of your appliance. The following examples apply to common Linux and Unix syslog daemons:
Configure Rsyslog - RedHat Enterprise Linux, Fedora, etc.
- Add a line to /etc/rsyslog.conf:
- TCP collection:
*.* @@IP of sensor: 514-UDP collection:
*.* @IP of sensor: 514
- Restart syslog:
Configure Syslogd - Solaris, Legacy Unix
- Add a line to /etc/syslog.conf:
*.debug @IP of sensor
- Restart syslog with one of the following commands:
svcadm restart svc:/system/system-log:default
Download and Install a Remote Collector for Agentless Collection
Utilize the Install the Remote Collector knowledge base article to install and download a remote collector.