Set Up Syslog Monitoring
Syslog is a widely used standard for logging system event messages. The destination of these messages can include the system console, files, remote syslog servers, or relays.
Overview
Oracle Logging Analytics allows you to collect and analyze syslog data from various sources. You just need to configure the syslog output ports in the syslog servers. Oracle Logging Analytics monitors those output ports, accesses the remote syslog contents, and performs the analysis.
Syslog monitoring in Oracle Logging Analytics lets you listen to multiple hosts and ports. The protocols supported are TCP and UDP.
Overall Flow for Collecting Syslog Logs
The following are the high-level tasks for collecting log information from your host:
- Install Management Agents on your syslog listener. See Set Up Continuous Log Collection From Your Hosts.
  The syslog listener is configured to receive syslog logs from instances that might not be running on the same host. The agent installed on the syslog listener host collects the logs that the listener is configured to receive.
- Create the syslog entity. See Create an Entity to Represent Your Log-Emitting Resource.
- Associate the syslog entity with the source. See Configure New Source-Entity Association.
Create Syslog Source
Oracle Logging Analytics already provides several Oracle-defined log sources for syslog collection. Check if you can use one of the available Oracle-defined syslog sources and Oracle-defined parsers. If not, use the following steps to create a new log source:
- Open the navigation menu and click Observability & Management. Under Logging Analytics, click Administration. The Administration Overview page opens.
  The administration resources are listed in the left-hand navigation pane under Resources. Click Sources.
- The Sources page opens. Click Create Source. This displays the Create Source dialog box.
- In the Name field, enter the name for the log source.
- From the Source Type list, select Syslog Listener.
- Click Entity Type and select one of the variants of Host, such as Host (Linux), Host (Windows), Host (AIX), or Host (Solaris), as your entity type. This is the host on which the agent is running and collecting the logs. The syslog listener is configured to receive syslog logs from instances that might not be running on the same host. The agent installed on the syslog listener host collects the logs that the listener is configured to receive.
  Note:
  - It is recommended that a maximum of 50 senders send to a single management agent or syslog listener. To have more senders, use more management agents.
  - You must have at least 50 file handles configured per sender in the operating system to handle all the incoming connections that the senders may open. This is in addition to the file handles the operating system needs for other purposes.
- Click Parser and select a suitable parser. Typically, one of the variant parsers such as Syslog Standard Format or Syslog RFC5424 Format is used. You can also select from the Oracle-defined syslog parsers for specific network devices.
- In the Listener Port tab, click Add to specify the details of the listener on which Oracle Logging Analytics will listen to collect the logs.
  Enter the listener port that you specified as the output port in the syslog configuration file on the syslog server, and select either UDP or TCP (recommended for heavy traffic) as the protocol. Ensure that the Enabled check box is selected.
  Repeat this step to add multiple listener ports.
  The following listener ports are used in the Oracle-defined Syslog log sources:

  Oracle-defined Syslog Source                      Listener Port
  Palo Alto Syslog Logs                             8500
  Symantec Endpoint Protection Syslog Listener Logs 8501
  Symantec DLP Syslog Listener Logs                 8502
  Cisco Syslog Listener Source                      8503
  QRadar LEEF Syslog Listener Source                8504
  F5 Big IP Logs                                    8505
  Juniper SRX Syslog Logs                           8506
  Citrix NetScaler Logs                             8507
  NetApp Syslog Logs                                8508
  Fortinet Syslog Logs                              8509
  ArcSight CEF Syslog Source                        8510
  Check Point Firewall LEA Syslog Logs              8511
  Palo Alto Syslog CEF Logs                         8512
  TrendMicro Syslog Common Event Format Logs        8513
  Symantec Endpoint Protection System Syslog Logs   8514
  F5 Big IP ASM WAF Syslog CEF Logs                 8516
  CyberArk Syslog Common Event Format Logs          8517
  Squid Proxy Syslog Listener Source                8518
- Click Create Source.
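The parser step above chooses between the Syslog Standard Format (BSD, RFC 3164) and Syslog RFC5424 Format parsers. The following added example, which is not Oracle's code and uses constructed sample lines, shows what the two formats look like on the wire and how a listener splits the PRI field into facility and severity, so you can check which parser a device's output needs before selecting it:

```python
"""Parse the two syslog formats named above (BSD/RFC 3164 and RFC 5424)."""
import re

# Facility and severity names as numbered in RFC 5424 section 6.2.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")

def decode_pri(pri: int):
    """Split PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:           # 24 facilities (0-23) x 8 severities
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def parse_syslog(line: str):
    """Return a dict of fields, or None when the line matches neither format.
    A listener should count unparsed lines rather than drop them silently."""
    m = RFC5424.match(line)
    fmt = "rfc5424"
    if m is None:
        m = RFC3164.match(line)
        fmt = "rfc3164"
    if m is None:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    fields = {"format": fmt, "facility": facility, "severity": severity,
              "host": m.group("host"), "msg": m.group("msg") or ""}
    if fmt == "rfc5424":              # extra header fields only RFC 5424 carries
        fields["app"] = m.group("app")
        fields["sd"] = m.group("sd")
    return fields

# Constructed sample lines (not captured from a real device).
SAMPLES = [
    "<38>1 2024-03-05T10:15:30.000Z fw01 sshd 1234 ID47 - Accepted publickey for deploy from 192.0.2.10",
    "<13>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "not a syslog line",
]
```

Feeding a few lines captured from a device through parse_syslog tells you which of the two Oracle-defined parsers matches; a None result usually means the device emits a vendor format that needs one of the device-specific parsers instead.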
View Syslog Data
You can use the Log Source field in the Fields panel of the Log Explorer in Oracle Logging Analytics to view syslog data.
- In the Oracle Logging Analytics Log Explorer, click Source in the Fields panel.
- In the Filter by Source dialog box, select the name of the syslog source that you created, and click Apply.