This article describes how to manually configure syslog-ng to send events to Devo using an encrypted and authenticated channel. This is the recommended procedure when you want to forward events over the internet, directly to the Devo Cloud.

...

The security certificates need to be saved to the local machine in order to reference them in the syslog-ng configuration file later.

  1. Go to Administration → Credentials → X.509 Certificates in the Devo web application.
    - Download the Certificate and Private key to /etc/syslog-ng/key.d/. 
    - Download the Chain CA to /etc/syslog-ng/ca.d/.

  2. Restrict the permissions on the Certificate and Private key files in /etc/syslog-ng/key.d/ using this command:

    cd /etc/syslog-ng/key.d/; chmod 600 domain.crt domain.key
     
    -rw------- 1 root root 1529 Oct 24 13:18 domain.crt
    -rw------- 1 root root 1675 Oct 24 13:18 domain.key
    


Edit the syslog-ng.conf file

In this step we define the Devo Cloud endpoint as a new destination in the syslog-ng configuration.

Open the /etc/syslog-ng/syslog-ng.conf file and configure the new Devo Cloud destination as shown below:

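destination d_ssl_devo_unix {
    tcp("collector-xxx.devo.io" port(443)
        # box.unix becomes the first two tag levels of every event
        template("<$PRI>$DATE $HOST box.unix.$PROGRAM: $MESSAGE\n")
        tls(
            # Directory holding the Chain CA downloaded earlier
            ca_dir("/etc/syslog-ng/ca.d")
            # Client private key and certificate (mode 600)
            key_file("/etc/syslog-ng/key.d/domain.key")
            cert_file("/etc/syslog-ng/key.d/domain.crt")
            # The collector must present a certificate, but it is not validated
            peer_verify(required-untrusted))
        persist-name("xxUniqueNameInThisConfigForThisDestinationxx")
    );
};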

In the destination, you will notice that the template assigns box.unix as the first two tag levels for all system log events.
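
An added check for the certificate and destination steps above (not part of the original article or of Devo's tooling): it reports key files accessible beyond their owner, TLS paths in the configuration that do not exist, and any peer_verify() value other than required-trusted, since required-untrusted requires the collector to present a certificate but does not validate it against ca_dir(). The function names are hypothetical and GNU find is assumed.

```shell
#!/bin/sh
# Added example (not vendor code): audit a syslog-ng TLS client setup.

# Print files under key directory $1 that group or others can access.
# Empty output means every file is owner-only, as after chmod 600 (GNU find).
loose_key_files() {
    find "$1" -type f -perm /077 2>/dev/null | sort
}

# Print "line:value" for each active peer_verify()/peer-verify() in config $1
# whose value is not required-trusted. Other values, including the yes/no
# shorthand of newer releases, are reported for manual review.
weak_peer_verify() {
    grep -nE 'peer[-_]verify[[:space:]]*\(' "$1" |
        grep -vE '^[0-9]+:[[:space:]]*#' |
        sed -E 's/^([0-9]+):.*peer[-_]verify[[:space:]]*\([[:space:]]*"?([A-Za-z-]+)"?[[:space:]]*\).*/\1:\2/' |
        grep -v ':required-trusted$' || true
}

# Print each key_file()/cert_file()/ca_dir() path in config $1 that is absent.
missing_tls_paths() {
    grep -oE '(key|cert)[-_]file[[:space:]]*\("[^"]+"\)|ca[-_]dir[[:space:]]*\("[^"]+"\)' "$1" |
        sed -E 's/.*\("([^"]+)"\)/\1/' | sort -u |
        while read -r p; do [ -e "$p" ] || echo "$p"; done
}

# audit KEY_DIR CONFIG: print findings, return 1 if there are any.
audit() {
    rc=0
    out=$(loose_key_files "$1")
    [ -z "$out" ] || { echo "loose permissions: $out"; rc=1; }
    out=$(weak_peer_verify "$2")
    [ -z "$out" ] || { echo "peer certificate not validated: $out"; rc=1; }
    out=$(missing_tls_paths "$2")
    [ -z "$out" ] || { echo "missing path: $out"; rc=1; }
    return "$rc"
}

# Run as: sh audit.sh /etc/syslog-ng/key.d /etc/syslog-ng/syslog-ng.conf
[ "$#" -ne 2 ] || audit "$1" "$2"
```
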

Preventing event loss

To prevent event loss, we recommend you add the following option:
options {
    mark-freq (30);
};

...

This is an example of syslog-ng.conf configured to securely send operating system logs and internal syslog-ng logs to the Devo Cloud while applying box.unix as the first two tag levels:

...

...

/etc/syslog-ng/syslog-ng.conf
options {
    mark-freq (30);
};
source s_src {
    system();
    internal();
};
destination d_ssl_devo_unix {
    tcp("collector-xx.devo.io" port(443)
        template("<$PRI>$DATE $HOST box.unix.$PROGRAM: $MESSAGE\n")
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/key.d/domain.key")
            cert_file("/etc/syslog-ng/key.d/domain.crt")
            peer_verify(required-untrusted))
    );
};
log { source(s_src); destination(d_ssl_devo_unix); };

This is an example of syslog-ng.conf configured to securely send four different Apache logs to the Devo Cloud:

...

...

File /etc/rsyslog.d/45-apache.conf monitoring example
# APACHE ACCESS LOG
source s_apache_access {
    file("/var/log/apache2/access.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_access {
    tcp("collector-xx.devo.io" port(443)
        template("<$PRI>$DATE $HOST web.apache.access-combined.pro.webFoobar.www1: $MESSAGE\n")
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/key.d/client.key")
            cert_file("/etc/syslog-ng/key.d/client.crt")
            peer_verify(required-untrusted))
    );
};
log { source(s_apache_access); destination(d_devo_apache_access); };

# APACHE SSL ACCESS LOG
source s_apache_ssl_access {
    file("/var/log/apache2/ssl_access.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_ssl_access {
    tcp("collector-xx.devo.io" port(443)
        template("<$PRI>$DATE $HOST web.apache.access-combined.pro.webFoobar-ssl.www1: $MESSAGE\n")
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/key.d/domain.key")
            cert_file("/etc/syslog-ng/key.d/domain.crt")
            peer_verify(required-untrusted))
    );
};
log { source(s_apache_ssl_access); destination(d_devo_apache_ssl_access); };

# APACHE ERROR LOG
source s_apache_error {
    file("/var/log/apache2/error.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_error {
    tcp("collector-xx.devo.io" port(443)
        template("<$PRI>$DATE $HOST web.apache.error.pro.webFoobar.www1: $MESSAGE\n")
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/key.d/domain.key")
            cert_file("/etc/syslog-ng/key.d/domain.crt")
            peer_verify(required-untrusted))
    );
};
log { source(s_apache_error); destination(d_devo_apache_error); };

# APACHE SSL ERROR LOG
source s_apache_ssl_error {
    file("/var/log/apache2/ssl_error.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_ssl_error {
    tcp("collector-xx.devo.io" port(443)
        template("<$PRI>$DATE $HOST web.apache.error.pro.webFoobar-ssl.www1: $MESSAGE\n")
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            key_file("/etc/syslog-ng/key.d/domain.key")
            cert_file("/etc/syslog-ng/key.d/domain.crt")
            peer_verify(required-untrusted))
    );
};
log { source(s_apache_ssl_error); destination(d_devo_apache_ssl_error); };