Logging Scenario - Logging with Rsyslog

Scenario: You want to deliver your logs via TCP/syslog to a logging service on a server with Rsyslog. You can do this through your Gateway/Relay server with a little setup.

As with all Gateway/Relay logs, the logs stored on the Gateway/Relay will not include Admin UI activities; those can be retrieved with the sdm audit activities command.

  1. On the logging server (i.e., the target/destination to which the logs will be written), edit the /etc/rsyslog.conf file and add the following lines:

    # Provides TCP syslog reception
    $ModLoad imtcp
    # Listening port; the client (step 2) and the Admin UI (step 3) must point at this same port
    $InputTCPServerRun 514
    # You can optionally use $InputTCPMaxSessions to specify a maximum number of connections
    # $InputTCPMaxSessions 500
    # Sets up logging so that the hostname and program name are visible, in order to better parse logs for sdm.
    $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
    *.* ?RemoteLogs
    # Discard the message after it has been written, so it is not also written to the local default logs
    & ~
  2. On the logging client (the Gateway/Relay server), edit /etc/rsyslog.d/loghost.conf and add the IP address of the logging server (the target server, not the Gateway/Relay) along with the port it is listening on (the @@ prefix selects TCP; a single @ would send over UDP):

    *.* @@192.168.1.150:518
  3. On the Admin UI > Settings page, select Log Encryption & Storage, select Log locally on relays, and then under Local storage select syslog. Add the IP address of the logging server along with the port it is listening on:

    192.168.1.150:518

Now you have configured strongDM to send logs to your Gateway/Relay server, which in turn delivers them to the logging server. Try it out, and feel free to contact support with any questions.
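As an added example (not part of the strongDM documentation), the following Python check parses the two rsyslog fragments from steps 1 and 2 and confirms that the relay forwards over TCP to the port the logging server actually listens on. The embedded configs are constructed copies of those steps; on a real host you would read /etc/rsyslog.conf and /etc/rsyslog.d/loghost.conf instead.

```python
import re

# Constructed sample configs mirroring steps 1 and 2 of this page (not read from disk).
SERVER_CONF = """\
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteLogs
& ~
"""

CLIENT_CONF = """\
*.* @@192.168.1.150:518
"""


def listen_port(server_conf: str):
    """Return the TCP port rsyslog listens on, or None if imtcp is not configured."""
    port, loaded = None, False
    for line in server_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"\$ModLoad\s+imtcp\b", line):
            loaded = True
        m = re.match(r"\$InputTCPServerRun\s+(\d+)", line)
        if m:
            port = int(m.group(1))
    return port if loaded else None


def forward_targets(client_conf: str):
    """Return (selector, transport, host, port) per forwarding rule; '@' is UDP, '@@' is TCP."""
    targets = []
    for line in client_conf.splitlines():
        m = re.match(r"^(\S+)\s+(@@?)([^\s:]+):(\d+)\s*$", line.strip())
        if m:
            sel, at, host, port = m.groups()
            targets.append((sel, "tcp" if at == "@@" else "udp", host, int(port)))
    return targets


def check_pair(server_conf: str, client_conf: str):
    """Return a list of problems; an empty list means relay and logging server agree."""
    problems = []
    port = listen_port(server_conf)
    if port is None:
        problems.append("server: imtcp not loaded or $InputTCPServerRun missing")
    for _sel, transport, host, cport in forward_targets(client_conf):
        if transport != "tcp":
            problems.append(f"client: {host}:{cport} uses UDP (@), expected TCP (@@)")
        if port is not None and cport != port:
            problems.append(f"client: forwards to port {cport} but server listens on {port}")
    return problems
```

With the values exactly as shown on this page, check_pair reports that the relay forwards to port 518 while the server listens on 514; the two must match (and the port must be open between the hosts) before any logs will arrive.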
