Document toolboxDocument toolbox

syslog/syslogd

Owned by Juan Tomás Alonso Nieto (Deactivated)
Jul 06, 2022
2 min read

This article describes how to send system log data to a Devo relay using the basic syslog standard.

Earlier versions of the syslog standard protocol, including those used for MacOS X implementations, only support UDP for transport. However, later syslog versions also support TCP. Since UDP lacks congestion control mechanisms, we recommend enabling TCP for all syslog transmissions in order to prevent possible data loss during transmission.

Due to its inability to apply tags to events and to implement security, syslog should only be used to send events to a Devo In-House Relay - and wherever possible, using TCP. The relay can apply rules to tag the inbound events and forward them outbound over a secure channel to the Devo Cloud.

Edit the syslog.conf file

To send system log data to a Devo Relay using TCP, open the /etc/syslog.conf file and add the following line to the end of the file where DEVO-RELAY is the IP address or server name of the relay and PORT is the port enabled to receive the events.

To view a list of active relays, go to Administration → Relays in the Devo web application. Remember that you will have to set up a rule on the relay that will recognize the inbound events from the data source, apply the appropriate Devo tag, and forward the events to the Devo Cloud.

*.*	@@DEVO-RELAY:PORT

If the syslog version does not support TCP, then the line should contain just one at symbol (@) to specify UDP instead.

Restart syslog

After editing the configuration file, you will need to restart syslog for the changes to take effect:

/etc/init.d/syslog restart

To restart syslog on a MacOS X, use the following commands:

$ sudo launchctl unload /System/Library/LaunchDaemons/com.apple.syslogd.plist
$ sudo launchctl load /System/Library/LaunchDaemons/com.apple.syslogd.plist

Test the connection

If at this point you have already set up a rule on the Devo Relay that will recognize, tag, and forward the events that it receives from this source, you can test the connection.  Use the logger command to write test messages to the system log. 

logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"

In the Devo web application, go to Data Search, locate the box.unix table and make sure that the logger messages appear in the table.

If the system has SELinux enabled in enforcing mode (run the getenforce command to check the status), it may be necessary to add exceptions to the SELinux policy. See SELinux configuration conflicts for more information.