Syslog servers
Having a central syslog server is a well-established best practice for centralizing and aggregating log data from servers. That data can be forwarded in real time to Unomaly, as described below.
- You can forward log data produced by a system and its applications directly to Unomaly on the following communication port, where <unomaly-ip> is the IP address of the Unomaly instance: <unomaly-ip>:514
- If the data originates from a log aggregator, you can configure it to forward its syslog-compatible data to Unomaly on the following communication port: <unomaly-ip>:5514
Syslog-ng server
To forward logs that are already being handled by the syslog-ng process, create a new destination and a new log directive, and reuse the source declarations that already exist for receiving the incoming data from other servers.
To configure the syslog-ng server:
1. Edit /etc/syslog-ng.conf to add the following:
[syslog-ng.conf]
# New Unomaly destination
destination unomaly {tcp("<UNOMALY_HOST>" port(5514));};
# New log directive
log { source(s_src); destination(unomaly);};
2. (Optional) Filter out certain systems to limit the data you are forwarding to Unomaly:
# Keep only messages from two systems (note the straight quotes and the closing "; };")
filter f_hosts { host("testsystem1") or host("testsystem2"); };
# New log directive with the filter applied, using the same source as above
log { source(s_src); filter(f_hosts); destination(unomaly); };
Rsyslog server
Rsyslog is a modern syslog service available for most Unix and Linux platforms. It supports forwarding both locally generated syslog and syslog received from other systems.
To configure the rsyslog server:
1. Edit /etc/rsyslog.conf to add the following:
[rsyslog.conf]
# Forward all collected logs to Unomaly over TCP (@@ = TCP, @ = UDP)
*.* @@<unomaly server ip>:5514
2. (Optional) Use filtering to allow only logs from certain systems:
# Forward logs only from the system called 'testsystem'
:hostname, isequal, "testsystem" @@<unomaly server ip>:5514
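The host filters in both the syslog-ng and rsyslog sections select messages by the HOSTNAME field of each RFC 3164 line, and the tcp() destination and @@ action both send one LF-terminated message per line. The following added example (not Unomaly's or rsyslog's code) parses constructed sample lines, applies the same host selection, frames them the way those forwarders do, and can send them to a Unomaly instance on port 5514 to verify the path end to end; the target address is a placeholder you must supply.

```python
import re
import socket

# Constructed sample lines in RFC 3164 form, as a syslog server would receive them.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 testsystem1 sshd[1042]: Failed password for invalid user admin from 192.0.2.10 port 41022 ssh2",
    "<13>Oct 11 22:14:16 otherhost cron[233]: (root) CMD (run-parts /etc/cron.hourly)",
    "<86>Oct 11 22:14:17 testsystem2 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart rsyslog",
]

# PRI in angle brackets, BSD timestamp (day may be space padded), HOSTNAME, then the message.
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_rfc3164(line):
    """Split one RFC 3164 line into its fields; PRI = facility * 8 + severity."""
    m = RFC3164_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "timestamp": m.group("ts"),
        "msg": m.group("msg"),
    }


def select_for_forwarding(lines, allowed_hosts):
    """Equivalent of host("testsystem1") or host("testsystem2") / :hostname, isequal, ...:
    keep only lines whose HOSTNAME field exactly matches one of allowed_hosts."""
    allowed = set(allowed_hosts)
    return [l for l in lines if (p := parse_rfc3164(l)) and p["host"] in allowed]


def frame_for_tcp(lines):
    """Non-transparent framing used by rsyslog @@ and syslog-ng tcp(): one message per line, LF terminated."""
    return "".join(l + "\n" for l in lines).encode("utf-8")


def forward(lines, unomaly_host, port=5514, timeout=5):
    """Open one TCP connection and send the framed batch; unomaly_host is the <unomaly-ip> placeholder."""
    with socket.create_connection((unomaly_host, port), timeout=timeout) as sock:
        sock.sendall(frame_for_tcp(lines))


if __name__ == "__main__":
    selected = select_for_forwarding(SAMPLE_LINES, ["testsystem1", "testsystem2"])
    forward(selected, "<unomaly-ip>")  # replace the placeholder with the real Unomaly address
```

Run it from the syslog server itself so the connection exercises the same network path as the real forwarder; a message from testsystem1 appearing in Unomaly confirms both the port and the host filter.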