Rsyslogd
This page describes how to configure Rsyslog to send data to a LOGIQ server. Rsyslog can send data to LOGIQ using either the TCP transport or the RELP transport. The Rsyslog module for RELP is omrelp, and the module for TCP forwarding is omfwd.
LOGIQ strongly recommends sending data using the RELP transport to ensure packets are not lost or dropped. RELP relies on acknowledgements from the receiver to make sure each packet is delivered. LOGIQ, for its part, only sends the acknowledgements back once the data is written to the persistent store.

Using omfwd

Update the syslog config in /etc/rsyslog.conf or /etc/rsyslog.d/50-default.conf
# Forward all messages to LOGIQ over plain TCP, retrying indefinitely and buffering in an in-memory queue
*.* action(type="omfwd"
    queue.type="LinkedList"
    action.resumeRetryCount="-1"
    queue.size="10000"
    queue.saveonshutdown="on"
    target="logiq-server-syslog-host" Port="514" Protocol="tcp"
)

Using omrelp

Installing rsyslog RELP modules

rsyslog is installed by default on most modern operating systems, but it needs the omrelp module to send data to a RELP-aware endpoint such as LOGIQ. To enable RELP, install the packages listed below:
  • rsyslog-relp, enables RELP protocol for rsyslog
  • rsyslog-gnutls, enables rsyslog to communicate over a secure socket
  • For Debian/Ubuntu, use apt to install
sudo apt update
sudo apt install rsyslog-gnutls rsyslog-relp
  • For Red Hat/CentOS/Fedora, use yum to install
yum install rsyslog-gnutls rsyslog-relp

Configuring rsyslog (TLS)

Update the syslog config in /etc/rsyslog.conf or /etc/rsyslog.d/50-default.conf
# Send to the LOGIQ RELP listener over TLS; the server certificate is pinned by fingerprint
module(load="omrelp")
action(type="omrelp"
    target="logiq-server-relp-host"
    port="2514"
    tls="on"
    tls.caCert="/etc/ssl/LOGIQ/certs/LOGIQ.crt"
    tls.myCert="/etc/ssl/LOGIQ/certs/client.crt"
    tls.myPrivKey="/etc/ssl/LOGIQ/certs/client.key"
    tls.authMode="fingerprint"
    tls.PermittedPeer=["SHA1:BF:46:AB:9F:A3:77:46:AF:6B:D2:EC:A4:30:72:F1:CC:0E:17:C9:42"]
    action.reportSuspensionContinuation="on"
    action.resumeRetryCount="-1"
    action.resumeInterval="1"
    action.resumeIntervalMax="1"
    queue.type="LinkedList"
    queue.size="250000"
    queue.dequeueBatchSize="4096"
    queue.workerThreads="10"
    queue.workerThreadMinimumMessages="25000"
)
NOTE: Change "target", "port", "tls.caCert", "tls.myCert", "tls.myPrivKey" and "tls.PermittedPeer" above to suit your configuration. For a non-TLS config, set the "tls" parameter to "off" and remove all tls.* parameters from the config above. Example target: target=ec2-34-213-110-235.us-west-2.compute.amazonaws.com
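With tls.authMode="fingerprint", each tls.PermittedPeer entry is the SHA-1 digest of the server certificate's DER encoding, written as colon-separated hex pairs after a SHA1: prefix. The following is an added example, not part of the LOGIQ documentation: it computes that string from a PEM certificate and checks it against the pins found in a config. The function names and the constructed sample certificate are assumptions of the example.

```python
import hashlib
import re
import ssl

# Constructed placeholder, NOT a real certificate: the base64 body decodes to b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# omrelp action trimmed to its TLS parameters; the pin is the one shown on this page.
SAMPLE_CONFIG = '''
action(type="omrelp" target="logiq-server-relp-host" port="2514" tls="on"
    tls.authMode="fingerprint"
    tls.PermittedPeer=["SHA1:BF:46:AB:9F:A3:77:46:AF:6B:D2:EC:A4:30:72:F1:CC:0E:17:C9:42"]
)
'''

def relp_fingerprint(pem_text):
    """SHA-1 over the DER encoding, formatted as SHA1:XX:XX:... (20 hex pairs)."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    digest = hashlib.sha1(der).hexdigest().upper()
    return "SHA1:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def permitted_peers(config_text):
    """Return the quoted entries of tls.PermittedPeer=[...], or [] if absent."""
    m = re.search(r'tls\.permittedpeer\s*=\s*\[(.*?)\]', config_text, re.I | re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []

def peer_is_pinned(pem_text, config_text):
    """True if the certificate's fingerprint is one of the configured pins.
    Exact string comparison is an assumption of this example."""
    return relp_fingerprint(pem_text) in permitted_peers(config_text)

if __name__ == "__main__":
    # The placeholder does not match the page's pin, so this reports pinned: False.
    print("fingerprint of sample:", relp_fingerprint(SAMPLE_PEM))
    print("configured pins:      ", permitted_peers(SAMPLE_CONFIG))
    print("pinned:", peer_is_pinned(SAMPLE_PEM, SAMPLE_CONFIG))
```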

Configuring rsyslog (non-TLS)

Update the syslog config in /etc/rsyslog.conf or /etc/rsyslog.d/50-default.conf
The non-TLS RELP listener uses port 20514, whereas the TLS listener uses port 2514. With tls="off", the log data is sent over the network unencrypted.
# Send to the LOGIQ RELP listener without TLS
module(load="omrelp")
action(type="omrelp"
    target="logiq-server-relp-host"
    port="20514"
    tls="off"
    action.reportSuspensionContinuation="on"
    action.resumeRetryCount="-1"
    action.resumeInterval="1"
    action.resumeIntervalMax="1"
    queue.type="LinkedList"
    queue.size="25000"
    queue.dequeueBatchSize="1024"
    queue.workerThreads="4"
    queue.workerThreadMinimumMessages="60000"
    queue.saveOnShutdown="on"
    queue.timeoutEnqueue="10"
)