Set Up Syslog Monitoring

Syslog is a commonly used standard for logging the system event messages. The destination of these messages can include the system console, files, remote syslog servers, or relays.

Overview

Oracle Logging Analytics allows you to collect and analyze syslog data from various sources. You just need to configure the syslog output ports in the syslog servers. Oracle Logging Analytics monitors those output ports, accesses the remote syslog contents, and performs the analysis.

Syslog monitoring in Oracle Logging Analytics lets you listen to multiple hosts and ports. The protocols supported are TCP and UDP.

Overall Flow for Collecting Syslog Logs

The following are the high-level tasks for collecting log information from your host:

Create Syslog Source

Oracle Logging Analytics already provides several Oracle-defined log sources for syslog collection. Check if you can use one of the available Oracle-defined syslog sources and Oracle-defined parsers. If not, use the following steps to create a new log source:

  1. Open the navigation menu and click Observability & Management. Under Logging Analytics, click Administration. The Administration Overview page opens.

    The administration resources are listed in the left hand navigation pane under Resources. Click Sources.

  2. The Sources page opens. Click Create Source.

    This displays the Create Source dialog box.

  3. In the Name field, enter the name for the log source.

  4. From the Source Type list, select Syslog Listener.

  5. Click Entity Type and select one of the variants of Host such as Host (Linux), Host (Windows), Host (AIX), or Host (Solaris) as your entity type. This is the host on which the agent is running and collecting the logs. The syslog listener is configured to receive the syslog logs from instances that might not be running on the same host. However, the agent installed on the syslog listener host collects only the logs that the listener is configured to collect.

    Note

    • It is recommended that no more than 50 senders send to a single management agent or syslog listener. To support more senders, use more management agents.

    • You must have at least 50 file handles configured per sender in the operating system to handle all the possible incoming connections that the senders may open. This is in addition to the file handles needed on the operating system for other purposes.

  6. Click Parser and select a suitable parser.

    Typically, one of the variant parsers such as Syslog Standard Format or Syslog RFC5424 Format is used. You can also select from the Oracle-defined syslog parsers for specific network devices.

  7. In the Listener Port tab, click Add to specify the details of the listener port on which Oracle Logging Analytics listens to collect the logs.

    Enter the listener port that you specified as the output port in the syslog configuration file in the syslog server, and select either UDP or TCP (recommended for heavy traffic) as the required protocol. Ensure that the Enabled check box is selected.

    Repeat this step for adding multiple listener ports.

    The following listener ports are used in the Oracle-defined Syslog log sources:

    Oracle-defined Syslog Source                        Listener Port
    Palo Alto Syslog Logs                               8500
    Symantec Endpoint Protection Syslog Listener Logs   8501
    Symantec DLP Syslog Listener Logs                   8502
    Cisco Syslog Listener Source                        8503
    QRadar LEEF Syslog Listener Source                  8504
    F5 Big IP Logs                                      8505
    Juniper SRX Syslog Logs                             8506
    Citrix NetScaler Logs                               8507
    NetApp Syslog Logs                                  8508
    Fortinet Syslog Logs                                8509
    ArcSight CEF Syslog Source                          8510
    Check Point Firewall LEA Syslog Logs                8511
    Palo Alto Syslog CEF Logs                           8512
    TrendMicro Syslog Common Event Format Logs          8513
    Symantec Endpoint Protection System Syslog Logs     8514
    F5 Big IP ASM WAF Syslog CEF Logs                   8516
    CyberArk Syslog Common Event Format Logs            8517
    Squid Proxy Syslog Listener Source                  8518

  8. Click Create Source.
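As an added example that is not part of the Oracle documentation, the following Python parser illustrates what separates the two parser choices named in step 6: the RFC 3164 header that the Syslog Standard Format parser expects and the RFC 5424 header that the Syslog RFC5424 Format parser expects, and how the leading PRI value resolves to facility and severity. The sample messages are constructed, not captured from a real device.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Severity names in PRI order (RFC 5424, section 6.2.1).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 ("Syslog Standard Format"): <PRI>Mmm dd hh:mm:ss HOST TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)
# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)

@dataclass
class SyslogEvent:
    fmt: str        # "rfc3164" or "rfc5424"
    facility: int   # PRI // 8
    severity: str   # SEVERITIES[PRI % 8]
    host: str
    app: str
    msg: str

def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line; returns None when neither format matches."""
    m = RFC5424_RE.match(line)
    if m:
        fmt, app = "rfc5424", m["app"]
    else:
        m = RFC3164_RE.match(line)
        if not m:
            return None
        fmt, app = "rfc3164", m["tag"]
    pri = int(m["pri"])
    if pri > 191:  # PRI = facility * 8 + severity; the largest legal value is 23 * 8 + 7
        return None
    return SyslogEvent(fmt, pri // 8, SEVERITIES[pri % 8], m["host"], app, m["msg"] or "")

# Constructed sample lines: one RFC 3164, one RFC 5424, one that no parser accepts.
SAMPLES = [
    "<38>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root from 10.0.0.5",
    "<165>1 2003-10-11T22:14:15.003Z proxy01 squid 5678 ID47 - access denied",
    "not a syslog line",
]

def summarize(lines):
    """Count parsed events per (format, severity); unparsable lines are counted separately."""
    counts, rejected = {}, 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            rejected += 1
            continue
        counts[(ev.fmt, ev.severity)] = counts.get((ev.fmt, ev.severity), 0) + 1
    return counts, rejected
```

Running `summarize(SAMPLES)` shows why a mismatched parser choice matters: a listener whose parser expects one header layout rejects messages in the other, and the rejected count is the first thing to check when a new sender's data does not appear in the Log Explorer.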

View Syslog Data

You can use the Log Source field in the Fields panel of the Log Explorer in Oracle Logging Analytics to view syslog data.

  1. In the Oracle Logging Analytics Log Explorer, click Source in the Fields panel.
  2. In the Filter by Source dialog box, select the name of the syslog source that you created, and click Apply.

Oracle Logging Analytics displays the syslog data from all the configured listener ports. You can analyze syslog data from different hosts or devices.