Syslog Logging

You can enable syslog logging on Linux and Unix variant machines to send logs to different destinations, such as a syslog server or a log file. Learn more about syslog here: http://tools.ietf.org/html/rfc5424

However, you must configure your vendors and application to send logs via syslog if you want to make them available for the InsightIDR collector. You also have the option to use secure syslog, which encrypts the logs.

In addition to basic syslog logging, there are other types you can use to send data:

Configure Syslog-ng for the Collector

"Syslog-ng" is an extension of the basic syslog protocol and is an open source code. Read more about it here: http://www.balabit.com/network-security/syslog-ng

To configure Syslog-ng for the Collector if you are using vi:

  1. Navigate to the syslog-ng directory.
    • By default this is /etc/syslog-ng
  2. Open syslog-ng.conf with the command: vi syslog-ng.conf
  3. Find the line that starts with destination logserver.
  4. Press I to enter Insert mode.
  5. Change the line in the example to match the machine location and port that the Collector's event source is running on in your environment.
    • If you are using an internal DNS, use the hostname/FQDN: { udp("example101.domain.corp" port(514));};
    • If you are using DHCP, use the IP Address: { udp("10.20.30.40" port(514));};
  6. Press Esc to exit insert mode.
  7. Type :wq and press Enter to save and exit vi.

Configure rsyslog for the Collector

rsyslog, or "rocket-fast system for log processing," is an open source project with the goal of building a faster and more flexible syslog implementation. Read more about rsyslog here: https://www.rsyslog.com.

Some systems require that you configure rsyslog to send logs directly to the InsightIDR collector.

To send logs directly to the collector:

  1. As superuser, edit the file /etc/rsyslog.conf
  2. If you want to send logs using TCP, add the following line to the end of the file:
1
# Send logs to the InsightIDR Collector
2
*.* @@Collector IP:Port
  1. If you want to send logs using UDP, add the following line to the end of the file:
1
# Send logs to the InsightIDR Collector
2
*.* @Collector IP:Port
  1. In a terminal window, restart rsyslog with the following command: > sudo service rsyslog restart

Secure Syslog

Almost every event source supports Listen for Syslog as a collection method. This configuration allows you to forward log events from your event source to your Collector on a unique port, just as you would with a syslog server over a predefined port.

For any event sources that receive data over syslog, you can choose to configure Secure Syslog, which sends encrypted data using TLS (Transport Layer Security) over the TLS protocol on versions 1.1, and 1.2, as well as TCP and UDP.