Syslog is a commonly used standard for logging system event messages.
The destination of these messages can include the system console, files, remote syslog
servers, or relays.
Overview
Oracle Logging Analytics allows
you to collect and analyze syslog data from various sources. You configure your syslog
servers (or network devices) to forward their messages to a listener port on a host where the
Management Agent runs. The agent listens on that port, receives the forwarded messages, and
Oracle Logging Analytics parses and analyzes them.
Syslog monitoring in Oracle Logging Analytics lets you listen on multiple hosts and ports. The protocols
supported are TCP and UDP.
Overall Flow for Collecting Syslog Logs
The high-level flow for collecting log information from your hosts is as follows:
the syslog listener is configured to receive syslog messages from instances
that might not be running on the same host, and the Management Agent installed
on the syslog listener host collects the messages that the listener is configured
to receive.
Oracle Logging Analytics already
provides several Oracle-defined log sources for syslog collection. Check whether one
of the available Oracle-defined syslog sources and Oracle-defined parsers meets your needs.
If not, use the following steps to create a new log source:
Open the navigation
menu and click Observability & Management. Under
Logging Analytics, click
Administration. The Administration
Overview page opens.
The administration resources are listed in the left-hand navigation
pane under Resources. Click
Sources.
The Sources page opens. Click Create
Source.
The Create Source dialog box is displayed.
In the Name field, enter the name for the log
source.
From the Source Type list, select
Syslog Listener.
Click Entity Type and select one of the Host
variants, such as Host (Linux), Host
(Windows), Host (AIX), or Host
(Solaris), as your entity type. This is the host on which the agent
runs and collects the logs. The syslog listener receives
syslog messages from instances that might not be running on the same host;
the agent installed on the syslog listener host collects the messages that
the listener is configured to receive.
Note
It is recommended that a maximum of 50 senders forward
to a single Management Agent or syslog listener. To support more senders, use
more Management Agents.
Configure at least 50 file handles per sender in the operating
system so that all the incoming connections the senders may open can be
accepted (every TCP connection consumes a file descriptor on the listener host).
This is in addition to the file handles the operating system needs for other purposes.
Click Parser and select a suitable
parser.
Typically, one of the generic parsers, Syslog
Standard Format (the BSD/RFC 3164 layout) or Syslog RFC5424 Format, is used.
You can also select one of the Oracle-defined syslog parsers for specific network
devices.
In the Listener Port tab, click
Add to specify the listener on which
Oracle Logging Analytics will
listen to collect the logs.
Enter the listener port that you specified as the destination (output) port in the
syslog configuration file on the syslog server, and select either
UDP or TCP as the protocol. TCP is recommended for
heavy traffic: UDP gives no delivery guarantee, so messages are silently dropped
under load, and the source address of a UDP datagram is trivially spoofable.
Make sure the port is free on the agent host and reachable from the senders through
the host firewall and any network ACLs in between. Ensure that the
Enabled check box is selected.
Repeat this step to add multiple listener ports.
The following listener ports are used in the Oracle-defined Syslog
log sources:

Oracle-defined Syslog Source                        Listener Port
Palo Alto Syslog Logs                               8500
Symantec Endpoint Protection Syslog Listener Logs   8501
Symantec DLP Syslog Listener Logs                   8502
Cisco Syslog Listener Source                        8503
QRadar LEEF Syslog Listener Source                  8504
F5 Big IP Logs                                      8505
Juniper SRX Syslog Logs                             8506
Citrix NetScaler Logs                               8507
NetApp Syslog Logs                                  8508
Fortinet Syslog Logs                                8509
ArcSight CEF Syslog Source                          8510
Check Point Firewall LEA Syslog Logs                8511
Palo Alto Syslog CEF Logs                           8512
TrendMicro Syslog Common Event Format Logs          8513
Symantec Endpoint Protection System Syslog Logs     8514
F5 Big IP ASM WAF Syslog CEF Logs                   8516
CyberArk Syslog Common Event Format Logs            8517
Squid Proxy Syslog Listener Source                  8518
Click Create Source.
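As an added example that is not part of Oracle's documentation or product code, the following Python shows what actually crosses a listener port configured as above: a sender builds an RFC 5424 message and frames it for TCP per RFC 6587, and a receiver reassembles the TCP stream (or takes a UDP datagram), decodes the PRI into facility and severity, and parses both the RFC 5424 layout and the BSD layout that the Syslog Standard Format parser targets. The sample hosts (fw1, host1), the sample messages, and the two-segment split are constructed; the facility names for codes 13 to 15 follow common Unix naming rather than any Oracle definition, and nothing here reflects how the Management Agent is implemented.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterator

# Constructed example, not Oracle's code: both ends of the exchange a listener
# port sees. The sender builds an RFC 5424 message and frames it for TCP per
# RFC 6587; the receiver splits the TCP stream (or a UDP datagram) back into
# messages and decodes RFC 5424 and RFC 3164 ("Syslog Standard Format").

FACILITIES = [  # codes 0-23; names for 13-15 are the common Unix ones
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RFC5424_RE = re.compile(  # "<PRI>VER TS HOST APP PROCID MSGID SD [MSG]"
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d?) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?$",
    re.S,
)
RFC3164_RE = re.compile(  # "<PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG"
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$",
    re.S,
)

@dataclass
class SyslogMessage:
    fmt: str          # "rfc5424" or "rfc3164"
    facility: str
    severity: str
    timestamp: str
    hostname: str
    app: str
    msg: str

def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(value: int):
    if not 0 <= value <= 191:
        raise ValueError(f"PRI out of range: {value}")
    return FACILITIES[value // 8], SEVERITIES[value % 8]

def build_rfc5424(facility, severity, timestamp, hostname, app, msg,
                  procid="-", msgid="-") -> str:
    return f"<{pri(facility, severity)}>1 {timestamp} {hostname} {app} {procid} {msgid} - {msg}"

def frame_tcp(message: str) -> bytes:
    """RFC 6587 octet counting: '<len> <msg>'. Unlike LF framing this keeps a
    message that itself contains newlines (stack traces) as one event."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body

def parse_syslog(line: str) -> SyslogMessage:
    """Parse one complete message (framing and trailing newline already removed)."""
    m = RFC5424_RE.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMessage("rfc5424", fac, sev, m["ts"], m["host"], m["app"], m["msg"] or "")
    m = RFC3164_RE.match(line)
    if m:
        fac, sev = decode_pri(int(m["pri"]))
        return SyslogMessage("rfc3164", fac, sev, m["ts"], m["host"], m["tag"], m["msg"])
    raise ValueError(f"unrecognised syslog message: {line[:60]!r}")

class TcpFramer:
    """Reassemble messages from a TCP stream: each is octet-counted or LF-terminated
    (RFC 6587), and a message may arrive split across several recv() calls."""
    OCTET_RE = re.compile(rb"^(\d{1,5}) ")

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> Iterator[str]:
        self.buf += data
        while True:
            self.buf = self.buf.lstrip(b"\r\n")
            if not self.buf:
                return
            m = self.OCTET_RE.match(self.buf)
            if m:
                start, n = m.end(), int(m.group(1))
                if len(self.buf) < start + n:
                    return                        # rest of the frame not here yet
                msg, self.buf = self.buf[start:start + n], self.buf[start + n:]
            elif self.buf.startswith(b"<"):
                nl = self.buf.find(b"\n")
                if nl < 0:
                    return                        # terminator not here yet
                msg, self.buf = self.buf[:nl], self.buf[nl + 1:]
            elif self.buf.isdigit():
                return                            # octet count still incomplete
            else:
                raise ValueError("stream is not syslog framing")
            yield msg.decode("utf-8", errors="replace").rstrip("\r\n")

def parse_udp_datagram(data: bytes) -> SyslogMessage:
    """UDP carries exactly one message per datagram, so there is no framing."""
    return parse_syslog(data.decode("utf-8", errors="replace").rstrip("\r\n"))

def listen_tcp(port: int, host: str = "0.0.0.0") -> Iterator[SyslogMessage]:
    """Single-connection sketch of a TCP listener, e.g. listen_tcp(8503)."""
    with socket.create_server((host, port)) as srv:
        conn, _ = srv.accept()
        framer = TcpFramer()
        with conn:
            while chunk := conn.recv(4096):
                yield from (parse_syslog(line) for line in framer.feed(chunk))

# Constructed sample traffic: an octet-counted RFC 5424 firewall event followed by
# an LF-framed RFC 3164 message, delivered in two TCP segments that split mid-frame.
SAMPLE_STREAM = (
    frame_tcp(build_rfc5424("local0", "warning", "2024-05-01T10:00:00Z", "fw1", "pan",
                            "deny 10.0.0.5 -> 203.0.113.9 tcp/445"))
    + b"<34>Oct 11 22:14:15 host1 sshd[1234]: Failed password for root from 192.0.2.7\n"
)

def demo() -> list:
    framer = TcpFramer()
    return list(framer.feed(SAMPLE_STREAM[:40])) + list(framer.feed(SAMPLE_STREAM[40:]))

if __name__ == "__main__":
    for raw in demo():
        print(parse_syslog(raw))
```

Running the file parses the two constructed messages; calling listen_tcp(8503) instead would bind a real port and parse whatever a sender forwards there. The framer is the part worth studying when a listener "loses" events: a sender that uses octet counting while the receiver only splits on newlines (or the reverse) yields truncated or merged messages rather than an error, and any parser selected in the source then sees garbage.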
View Syslog Data
You can use the Log Source field in the
Fields panel of the Log Explorer in Oracle Logging Analytics to view syslog
data.
In the Oracle Logging Analytics
Log Explorer, click Source in the
Fields panel.
In the Filter by Source dialog box, select the name of the
syslog source that you created, and click Apply.
Oracle Logging Analytics displays the
syslog data from all the configured listener ports, so you can analyze syslog data from
different hosts or devices in one place.