Centralised logging mechanism

For Windows

Windows event logs can be sent to a centralised log management server using third-party SyslogAgent software. This software supports only UDP connections. Download the Datagram SyslogAgent for your Windows machine (32- or 64-bit) from this URL:

http://www.syslogserver.com/download.html

Install SyslogAgent and run the Syslog Agent Config tool as Administrator to configure the application.

Click on Install under the Service Status section at the top.

This will create the Windows service for the Syslog Agent. The minimum configuration required is:

  • Syslog server IP address and port

  • Tick the Enable forwarding of event logs check box and select the Application type.

You can choose to send events from specific Windows applications to the syslog host, and even specify the executable for a custom application. Once configuration is complete, click Start Service.

For Linux

Configure the rsyslog daemon to send IPC logs to the centralised log management server. Changes take effect when rsyslog is restarted.

Separate instructions follow for Linux, SUSE Linux and CentOS.

Linux

Update rsyslog.conf

  1. Edit the rsyslog.conf file, generally found in the /etc/ directory, using the command below:

    sudo vi /etc/rsyslog.conf

  2. Copy the Custom YESEFT Log configuration below into the rsyslog.conf file.

Note: Use the IP address or host name of your centralised log server in place of the example address 192.168.77.8 shown below.

    ##### Custom YESEFT Log Configuration ####
    $InputFileName /var/log/YESEFT/YESEFT.log
    $InputFileTag yeseft-info:
    $InputFileStateFile stat-info
    $InputFileSeverity info
    $InputFileFacility local3
    $InputRunFileMonitor
    ##### Custom YESEFT Log Configuration End ####

Add Server Name And File Path:

    # local copy of every message; note that this file is the one imfile reads above,
    # so anything written here is picked up by the monitor as well
    *.* /var/log/YESEFT/YESEFT.log
    # forward every message to the centralised log server (UDP)
    *.* @192.168.77.8

  3. Add this module with the other modules in the MODULES section:

    $ModLoad imfile   # Additional module to monitor custom log files

  4. By default the logs are sent to UDP port 514. If the centralised log management server is listening on a different port, change the port by uncommenting and updating the $UDPServerRun tag in the rsyslog.conf file.

    e.g. change #$UDPServerRun 514 to $UDPServerRun 515

Update 50-default.conf file

  1. Open the 50-default.conf file, generally found in the /etc/rsyslog.d/ directory, with:

    sudo vi /etc/rsyslog.d/50-default.conf

  2. Add this line alongside the other log facility rules:

    *.*;auth,authpriv.none,local3.none -/var/log/syslog
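The Python script below is an added example, not part of this document or of the YESEFT product: it lints a constructed copy of the rsyslog block above for the mistakes that silently break forwarding (imfile not loaded before its $Input* directives, facility not set with $InputFileFacility, $InputRunFileMonitor missing, a rule writing into the very file imfile reads, which feeds every message back into the monitor, and no rule targeting the central server). The sample deliberately repeats $InputFileSeverity, a common slip for $InputFileFacility, so the checker reports it; the destination port is read from the @host[:port] suffix of the forwarding action, 514 when absent.

```python
import re

# Constructed sample (not a live host's file) of the YESEFT block; the second $InputFileSeverity is a deliberate slip.
SAMPLE_CONF = """\
$ModLoad imfile   # Additional module to monitor custom log files
$InputFileName /var/log/YESEFT/YESEFT.log
$InputFileTag yeseft-info:
$InputFileStateFile stat-info
$InputFileSeverity info
$InputFileSeverity local3
$InputRunFileMonitor
*.* /var/log/YESEFT/YESEFT.log
*.* @192.168.77.8
"""

def parse_conf(text):
    """Yield (kind, head, rest) per non-comment line: '$Directive value' or 'selector action'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            head, _, rest = line.partition(" ")
            yield ("directive" if head[0] == "$" else "rule", head.lstrip("$"), rest.strip())

def check_yeseft_block(text, server, default_port=514):
    """Lint imfile + forwarding; returns (findings, targets) with targets = {host: port} from '@host[:port]' / '@@host[:port]'."""
    entries = list(parse_conf(text))
    keys = [head for kind, head, _ in entries if kind == "directive"]
    rules = [rest for kind, _, rest in entries if kind == "rule"]
    monitored = [rest for _, head, rest in entries if head == "InputFileName"]
    findings = []
    load = next((i for i, e in enumerate(entries) if e[1:] == ("ModLoad", "imfile")), None)
    first = next((i for i, e in enumerate(entries) if e[1] == "InputFileName"), None)
    if load is None:
        findings.append("imfile module is never loaded ($ModLoad imfile)")
    elif first is not None and first < load:
        findings.append("$InputFileName appears before $ModLoad imfile")
    if "InputFileFacility" not in keys:
        findings.append("no $InputFileFacility: lines are tagged local0, not local3")
    if keys.count("InputFileSeverity") > 1:
        findings.append("$InputFileSeverity set twice; the facility belongs in $InputFileFacility")
    if "InputRunFileMonitor" not in keys:
        findings.append("no $InputRunFileMonitor, so the file monitor never starts")
    for act in rules:  # writing into the file imfile reads re-feeds every message to imfile
        if act.lstrip("-") in monitored:
            findings.append(f"rule writes to monitored file {act.lstrip('-')}: feedback loop")
    found = [re.fullmatch(r"@@?([\w.\-]+)(?::(\d+))?", act) for act in rules]
    targets = {m.group(1): int(m.group(2) or default_port) for m in found if m}
    if server not in targets:
        findings.append(f"no forwarding rule targets {server}")
    return findings, targets
```

Run it against the real /etc/rsyslog.conf by passing its contents instead of SAMPLE_CONF; an empty findings list plus the expected host and port in targets is the pass condition.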

SUSE Linux

Update rsyslog.conf

  1. Edit the rsyslog.conf file, generally found in the /etc/ directory, with:

    sudo vi /etc/rsyslog.conf

  2. Copy the Custom YESEFT Log configuration below into the rsyslog.conf file.

Note: Use the IP address or host name of your centralised log server in place of the example address 192.168.77.8 shown below.

CentOS

Update rsyslog.conf

  1. Edit the rsyslog.conf file, generally found in the /etc/ directory, with:

    sudo vi /etc/rsyslog.conf

  2. Copy the Custom YESEFT Log configuration below into the rsyslog.conf file.

Note: Use the IP address or host name of your centralised log server in place of the example address 192.168.77.8 shown below.