Linux Log Collection with Syslog

The use of is required to send log data from Linux systems to the USM Anywhere Sensor IP address over UDP on port 514, over TCP on port 601 or 602, or Transport Layer Security (TLS)-encrypted data over TCP on port 6514 or 6515.

Using Syslog to Send Logs from a Linux System

General InformationSyslog is an industry-standard message logging protocol that is used on many devices and platforms. It provides a mechanism for network devices to send event messages to a logging server, also known as a syslog server. In this case, a USM Anywhere Sensor is acting as the syslog server. USM Anywhere supports both the BSD syslog protocol (RFC 3164) and the syslog protocol (RFC 5424). For RFC 3164, USM Anywhere listens for syslog over UDP on port 514, TCP on port 601, or Transport Layer Security (TLS) on port 6514. For RFC 5424, USM Anywhere listens for syslog over TCP on port 602 or TLS on port 6515. For example, a router might send messages about users logging on to console sessions, while a web server might log access-denied events. Follow the procedure that corresponds to the Linux distribution you use.

Fedora Linux Distribution

You must have sudo privileges to complete this procedure.To send logs from Fedora Linux using syslog

On your Linux machine, open /etc/rsyslog.conf and add the following line:

*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000") # send (all) messages - Forward to the USM Anywhere Sensor IP address

Restart rsyslog:
```
sudo service rsyslog restart
```

Red Hat Enterprise Linux Distribution

You must have privileges to complete this procedure.To send logs from Red Hat Enterprise Linux using syslog

On your Linux machine, install rsyslog for RHEL-5 (installed by default for RHEL-6 and 7):
```
sudo yum install rsyslog
```
Open /etc/rsyslog.conf and add the following line to the start of the file:
```
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
```
Where <IP> is the IP address for the USM Anywhere Sensor.

Restart rsyslog:

sudo service syslog stop (only for RHEL-5)
sudo service rsyslog restart

openSUSE Distributions

You must have privileges to complete this procedure.To send logs from openSUSE Distributions

Install rsyslogd:
```
sudo yast -i rsyslog
```
Set rsyslog as syslog server: a. Open /etc/sysconfig/syslog. b. Add the following lines:
```
SYSLOG_DAEMON=”rsyslogd”
RSYSLOGD_COMPAT_VERSION=”4″
```
c. Save it and run SuSEconfig.
On your Linux machine, open /etc/rsyslog.d/remote.conf and add the following line:
```
*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000"
```
Where <IP> is the IP address for the USM Anywhere Sensor.
Restart rsyslog:
```
sudo service rsyslog restart
```

Debian GNU/Linux and Ubuntu Distributions

SUSE Linux Enterprise 11 SP4 - 12 SP1Server Distribution

You must have privileges to complete this procedure.To send logs from SUSE Linux Enterprise Server Distribution

Install the rsyslogd package:
```
sudo yast -i rsyslog
```
Set rsyslog as syslog server by editing the following parameters in /etc/sysconfig/syslog:
```
SYSLOG_DAEMON=”rsyslogd”
RSYSLOGD_COMPAT_VERSION=”4″
```
Save the file and run SuSEconfig.

On your Linux machine, open rsyslog.d/remote.conf and add the following line:

*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")

Restart rsyslog:
```
sudo rcsyslog restart
```

Solaris Distribution

You must have privileges to complete this procedure.To send logs from Solaris distributions

On your Linux machine, open /etc/syslog.conf and add the following line:
```
*.notice @<USM-Anwhere-Sensor-IP-address>
```
Important: In the foregoing command, you must tab from auth.notice to @<USM-Anwhere-Sensor-IP-address>; if you type a space the command will fail.
Stop, then restart syslog: Solaris 5.9 and earlier
```
sudo /etc/init.d/syslog stop
sudo /etc/init.d/syslog start
```
Solaris 5.10 and above
```
#sudo svcadm refresh svc:/system/system-log
```

FreeBSD Distributions

You must have privileges to complete this procedure.To send logs from FreeBSD Distributions

On your Linux machine, open /etc/syslog.conf and add the following line:

*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")

Restart rsyslog:
```
sudo service syslogd restart
```

Gentoo Distributions

You must have privileges to complete this procedure.To send logs from Gentoo Distribution

On your Linux machine, open /etc/rsyslog.conf and add the following line:

*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")

Restart rsyslog:
```
sudo /etc/init.d rsyslog restart
```

Arch Linux Distribution

You must have privileges to complete this procedure.To send logs from Arch Distribution

On your Linux machine, open /etc/syslog-ng/syslog-ng.conf and add the following line:

*.* action(type="omfwd" target="<IP>" port="514" protocol="udp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")

Restart rsyslog:
```
sudo systemctl start rsyslog
```

USM Anywhere™

USM Central™

Automated Policy Manager

Linux Log Collection with Syslog

Using Syslog to Send Logs from a Linux System

USM Anywhere™

USM Central™

Automated Policy Manager

​Using Syslog to Send Logs from a Linux System

Using Syslog to Send Logs from a Linux System