Syslog-ng

Syslog-ng is an open source implementation of syslog. You can use syslog-ng to monitor log files on your servers and forward them to InsightOps. We support two methods of forwarding syslog-ng events to InsightOps, which are explained below. We recommend the token-based method: the token carried in each message identifies the log, so forwarding does not depend on the sending host's IP address, and the method brings additional security.


Token TCP

To add a new log into the InsightOps UI:

  1. Select Manual Configuration in Add data.
  2. Select Quick Add.
  3. Once you have created the log you will receive a TOKEN UUID. It is shown under the form and beside the log name in the list of logs.
  4. Enter this token in the template section of the sample configuration.
  5. Change REGION to your set location.

Stating your Region

REGION is the data center where your InsightOps account is located, for example eu or us.

  1. Copy the full configuration to your syslog-ng config file at /etc/syslog-ng/syslog-ng.conf

template InsightOpsFormat {
    template("TOKEN_HERE $ISODATE $HOST $MSG\n");
    template_escape(no);
};

source s_all {
    internal();
    unix-stream("/var/log/error.log");
};

destination d_network_logentries {
    tcp("REGION.data.logs.insight.rapid7.com" port(80) template(InsightOpsFormat));
};

log {
    source(s_all);
    destination(d_network_logentries);
};

Secure Logging

To send your logs over TLS instead of plain TCP, use a TLS destination on port 443 as shown in this sample (the template and the local source are the same as in the Token TCP sample above):

template InsightOpsFormat {
    template("TOKEN_HERE $ISODATE $HOST $MSG\n");
    template_escape(no);
};

# Same local source as in the Token TCP sample above.
source s_all {
    internal();
    unix-stream("/var/log/error.log");
};

# The destination name must match the one referenced in the log statement.
destination d_network_logentries {
    network("REGION.data.logs.insight.rapid7.com" port(443) template(InsightOpsFormat) transport("tls") tls(ca-dir("/etc/ssl/certs/")));
};

log {
    source(s_all);
    destination(d_network_logentries);
};

Plain TCP/UDP Forwarding

If you prefer a more basic syslog approach, we support Plain TCP/UDP Forwarding.

To add a new log in the InsightOps UI:

  1. Select Manual Configuration in Add a Log.
  2. Select Plain TCP/UDP.
  3. Locate your PORT number.
  4. Enter this PORT number in the destination section of the sample configuration.
  5. Change REGION to your set location.
  6. Copy the full configuration to your syslog-ng configuration file at /etc/syslog-ng/syslog-ng.conf

source s_all {
    internal();
    unix-stream("/var/log/error.log");
};

destination d_logentries {
    tcp("REGION.data.logs.insight.rapid7.com" port(PORT));
};

log {
    source(s_all);
    destination(d_logentries);
};
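The following shell script is an added example, not code from the InsightOps documentation or the syslog-ng project. It renders a complete configuration for either method described above (the token method over TLS on port 443, or Plain TCP/UDP with the PORT from the UI) from the token, region and port; it refuses a token that is not a UUID, a region that is not a plain lowercase label and a non-numeric port, because all three are spliced into the configuration file and the destination hostname; and, when syslog-ng is installed, it runs syslog-ng --syntax-only on the result before anything is written to /etc/syslog-ng/syslog-ng.conf. The environment variable names, the use of the network() driver in place of the older tcp() driver, and the explicit peer-verify(required-trusted) setting are this example's choices, not settings taken from the page; the hostnames, ports, template and @version line are the ones the page gives.

```shell
#!/bin/sh
# Added example (not part of the InsightOps docs or the syslog-ng project):
# render and validate a syslog-ng configuration for either forwarding method.
# Assumed: the token is a UUID (as shown in the InsightOps UI), REGION is a
# short lowercase datacenter code such as eu or us, and for the Plain TCP
# method PORT is the number shown in the UI. Env var names are this example's.

# A token that is not a UUID usually means a copy/paste error; reject it early.
is_uuid() {
    printf '%s\n' "$1" |
        grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# REGION is spliced into a hostname, so allow only lowercase letters and digits.
is_region() { printf '%s\n' "$1" | grep -Eq '^[a-z0-9]+$'; }

# PORT is spliced into port(); digits only.
is_port() { printf '%s\n' "$1" | grep -Eq '^[0-9]+$'; }

# Local message source shared by both methods, kept as in the vendor samples.
render_source() {
    cat <<'EOF'
source s_all {
    internal();
    unix-stream("/var/log/error.log");
};
EOF
}

# Token method over TLS on 443: the template prepends the token to every line,
# so delivery does not depend on the sending host's IP address.
render_token_tls() {
    token=$1; region=$2
    is_uuid "$token" || { echo "invalid token: $token" >&2; return 1; }
    is_region "$region" || { echo "invalid region: $region" >&2; return 1; }
    cat <<EOF
@version: 3.6

template InsightOpsFormat {
    template("$token \$ISODATE \$HOST \$MSG\n");
    template_escape(no);
};

$(render_source)

destination d_network_logentries {
    network("$region.data.logs.insight.rapid7.com" port(443)
        transport("tls")
        tls(ca-dir("/etc/ssl/certs/") peer-verify(required-trusted))
        template(InsightOpsFormat));
};

log { source(s_all); destination(d_network_logentries); };
EOF
}

# Plain TCP method: no token in the payload; the listener PORT identifies the log.
render_plain_tcp() {
    port=$1; region=$2
    is_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    is_region "$region" || { echo "invalid region: $region" >&2; return 1; }
    cat <<EOF
@version: 3.6

$(render_source)

destination d_logentries {
    network("$region.data.logs.insight.rapid7.com" port($port) transport("tcp"));
};

log { source(s_all); destination(d_logentries); };
EOF
}

# Syntax-check a rendered config (read from stdin) before it goes live; a broken
# file would otherwise take syslog-ng down on the restart described below.
syntax_check() {
    command -v syslog-ng >/dev/null 2>&1 ||
        { echo "syslog-ng not installed here; skipping syntax check" >&2; return 0; }
    tmp=$(mktemp) || return 1
    cat >"$tmp"
    syslog-ng --syntax-only -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: INSIGHTOPS_TOKEN=<uuid> REGION=eu sh render-config.sh > syslog-ng.conf
if [ -n "${INSIGHTOPS_TOKEN:-}" ] && [ -n "${REGION:-}" ]; then
    config=$(render_token_tls "$INSIGHTOPS_TOKEN" "$REGION") || exit 1
    printf '%s\n' "$config" | syntax_check || exit 1
    printf '%s\n' "$config"
fi
```

Two points about the TLS destination that the page's sample leaves implicit: ca-dir() expects the trusted CA certificates to be stored under their OpenSSL hashed file names, which is how /etc/ssl/certs is laid out on most distributions, and peer-verify(required-trusted) makes syslog-ng refuse the connection when the InsightOps server certificate cannot be validated against them, which is the property that makes the TLS transport worth using.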

Restart

To restart your syslog-ng server enter the command:

sudo service syslog-ng restart

Required in Syslog-ng 3.0+ configuration file

Every syslog-ng configuration file must begin with a line containing the version information of syslog-ng. Here is an example of the opening line for syslog-ng version 3.6:

@version: 3.6

Versioning the configuration file was introduced in syslog-ng 3.0. If the configuration file does not contain the version information, syslog-ng assumes that the file was written for syslog-ng version 2.x, interprets it accordingly and prints warnings about the parts of the configuration that should be updated. Version 3.0 and later operate correctly with version 2.x configuration files, but the default values of certain parameters have changed since 3.0. Further information regarding this requirement may be found in the syslog-ng OSE administrator guide on the One Identity website: http://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html-single/index.html