Overview

Using this document we will take logs from this device to our CCE and further it will go to our APE machine.

We use UDP 514 port for this.

Before configuration make sure that 514 port is open and there is reachability between CCE and this Linux device.

Steps of Configuration

Step 1: Login as root user on the server

Step 2: cd /etc should be the first command run on server, (to get inside /etc directory)

Step 3: ls to check the list, (a similar list will appear)

Step 4: cd rsyslog.d the command needs to be run next and enter

Step 5: Check the list with cmd: ls

Step 6: Now modify the changes inside the remote.conf.

Step 7: " vi remote.conf "

Note 1. Please do the following changes inside the Forwarding rule section.

Note: 2. Press" i "to insert a new line at the bottomand Assign an IP address and port for rsyslogd.

# Remote Logging using UDP.

# remote host is: name/ip:port, e.g. 192.168.0.1:514

*.* @cce-ip:514

Note 3: Uncomment the following lines in the UDP Syslog Server or TCP Syslog Server section of the configuration file.

TCP example:

$ModLoad imtcp.so
$UDPServerAddress IP1
$InputTCPServerRun PORT2

UDP example:

$ModLoad imudp.so
$UDPServerAddress IP1
$UDPServerRun PORT2

1	The IP address of the interface for `rsyslogd` to listen on. If no address is given, the daemon listens on all interfaces.
2	Port for `rsyslogd` to listen on. Select a privileged port below 1024. The default is 514.

Step 8: To save the changes press Esc then write :wq! and enter.

Step 9: Now run the following command

>>To restart services type the command

" systemctl restart rsyslog.service "

>>To check the status type the command:

" systemctl status rsyslog.service "

Verification can be done either from CCE Server or from UI.

STEP 1: Login to UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS .

STEP 3: >>Inside SOURCE DEVICE IP, IP will reflect.

“sudo tcpdump -i any host 514 and host <IP address> -AAA” command should be ran on CCE server to check wheather or not we are getting logs .