Syslog servers

Having a central syslog server is a well established best-practice for centralizing and aggregating log data from servers. This data can easily be configured to be forwarded in real time to Unomaly as described below.

  • You can forward log data produced by a system and its applications directly to Unomaly on the following communication port, where <unomaly-ip> is the IP address of the Unomaly instance: <unomaly-ip>:514
  • If the data originates from a log aggregator, you can configure it to forward its syslog-compatible data to Unomaly on the following communication port: <unomaly-ip>:5514

Syslog-ng server

To forward logs that are already being handled by the syslog-process, just create a new destination and a new log-directive and use the source-declarations that already exists for receiving all the incoming data from other servers.

To configure the syslog-ng server:

1. Edit /etc/syslog-ng.conf to add the following:

# New Unomaly destination
destination unomaly {tcp("<UNOMALY_HOST>" port(5514));};

# New log directive
log { source(s_src); destination(unomaly);};

2. (Optional) Filter out certain systems to limit the data you are forwarding to Unomaly:

# Filter out only two systems
filter f_hosts { host(“testsystem1”) or host(“testsystem2”););

# New log directive with added filter
log { source(); filter(f_hosts); destination(unomaly); };

Rsyslog server

Rsyslog is a modern syslog-service available for most Unix and Linux platforms. It supports forwarding of internal and forwarded Syslog.

To configure the rsyslog server:

1. Edit /etc/rsyslog.conf to add the following:

# forward all logs collected to Unomaly over tcp
*.* @@<unomaly server ip>:5514

2. (Optional) Use filtering to allow only logs from certain systems:

# Forward logs only from the system called 'testsystem'
:hostname, isequal, "testsystem" @@<unomaly server ip>:5514

Kiwi syslog server

To configure the Kiwi Syslog Service Manager to forward data to Unomaly:

1. Start the Kiwi Syslog Server Manager.

2. In the File menu, select Setup.

3. Under Rules/Actions, select "Forward to another host".

4. Enter the Unomaly IP address and port 5514.

5. Enable RFC3164.