Configure Nxlog and Rsyslog to Send Logs to SOCaaP Server
- SOCaaP features agent-less log collection from Windows/Linux endpoints connected to customers' networks.
- This is achieved through the Nxlog and Rsyslog utilities. The NXLOG utility (for Windows) and the RSYSLOG utility (for Linux) need to be configured to send logs to the SOCaaP server.
SOCaaP provides ready-made configuration script files for each customer's network/zone, which can be downloaded from the respective 'Customer Details' page. Once connected, SOCaaP will be able to receive and store logs from the customer's endpoints and web servers.
The following sections explain how to download and apply the NXLOG and RSYSLOG configuration files, and how SOCaaP collects logs from ITarian Network Monitoring Sensors.
Administrators can download a specific customer's NXLOG configuration file from the administrative console and use it to configure the NXLOG utility installed on Windows endpoints and web servers connected to the customer's network. Please make sure the NXLOG utility is installed on the machine which is to be configured to send logs to SOCaaP.
To download the NXLOG Configuration File
- Open the 'Asset Management' interface by clicking the 'Menu' button, then 'Assets' > 'Asset Management'.
- Select the customer from the left hand side pane.
The 'Customer Details' pane will open at the right.
- Click 'Manage' at the bottom left of the right pane and choose the 'Hard Assets' tab.
- Choose the network/zone you wish to configure from the right-hand pane and click the button in the row of the network/zone.
The authentication token, the authentication key and the download buttons for the NXLOG and RSYSLOG configuration script files for the selected network/zone will be displayed at the bottom of the right pane.
- Click the NXLOG configuration file download button as shown in the screenshot below and save the file:
- Replace the NXLOG configuration file at C:/Program Files (x86)/nxlog/conf/nxlog.conf or C:/Program Files/nxlog/conf/nxlog.conf on the endpoints/web servers with the downloaded configuration file.
All settings in the configuration file including network token for the selected network/zone are pre-configured and will instruct the NXLOG utility to send logs to the SOCaaP server. SOCaaP will receive and store the logs under the respective customer/network for monitoring and incident reporting.
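The replacement step above can be scripted so that the old configuration is kept and restored if NXLOG fails to start with the new file. This is an added example, not part of the SOCaaP documentation or its download package; it assumes the NXLOG Windows service is named "nxlog" and that the downloaded file is passed as -ConfigFile.

```powershell
# Added example (not SOCaaP's own script): install a downloaded nxlog.conf,
# keeping a timestamped backup and rolling back if the service does not come up.
# Assumptions: service name "nxlog"; the two install paths named in the guide.
param(
    [Parameter(Mandatory = $true)][string]$ConfigFile
)

$candidates = @(
    'C:\Program Files (x86)\nxlog\conf\nxlog.conf',
    'C:\Program Files\nxlog\conf\nxlog.conf'
)
# Pick whichever install path actually exists on this endpoint.
$target = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $target) {
    throw 'No existing nxlog.conf found; install the NXLOG utility before deploying the SOCaaP configuration.'
}
if (-not (Test-Path $ConfigFile)) {
    throw "Downloaded configuration file not found: $ConfigFile"
}

# Keep the previous configuration so a bad deployment can be reverted.
$backup = "$target.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $target -Destination $backup -Force
Copy-Item -Path $ConfigFile -Destination $target -Force
Write-Host "Installed $ConfigFile to $target (backup: $backup)"

try {
    Restart-Service -Name 'nxlog' -ErrorAction Stop
    Start-Sleep -Seconds 5
    $svc = Get-Service -Name 'nxlog' -ErrorAction Stop
    if ($svc.Status -ne 'Running') {
        throw "nxlog service status is '$($svc.Status)' after restart"
    }
    Write-Host 'nxlog service is running with the SOCaaP configuration.'
}
catch {
    # Roll back to the previous configuration and restore the service.
    Write-Warning "Deployment failed: $($_.Exception.Message). Restoring $backup."
    Copy-Item -Path $backup -Destination $target -Force
    Restart-Service -Name 'nxlog' -ErrorAction SilentlyContinue
    exit 1
}
```

Because the configuration file carries the network's authentication token, keep the backup and the deployed file readable only by administrators and the account the nxlog service runs as.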
- You can download a pre-configured RSYSLOG config script from the admin console. Each script is generated for a specific customer/network.
- The script will configure the RSYSLOG utility installed on Linux machines to send logs to SOCaaP.
- Please make sure the RSYSLOG utility is installed on the target machine.
To download the RSYSLOG Configuration File
- Open the 'Asset Management' interface by clicking the 'Menu' button, then 'Assets' > 'Asset Management'.
- Select a customer from the left hand pane.
The 'Customer Details' pane will open at the right.
- Click 'Manage' at the bottom left of the right pane and choose the 'Hard Assets' tab.
- Choose the network/zone whose endpoints are to be configured from the right-hand pane and click the button in the row of the network/zone.
The authentication token, the authentication key and the download buttons for the NXLOG and RSYSLOG configuration script files for the selected network/zone will be displayed at the bottom of the right pane.
- Click the RSYSLOG configuration file download button as shown below and save the file.
- Run the script file on all required endpoints.
The script will configure the RSYSLOG utility to send logs to SOCaaP. SOCaaP will receive and store the logs under the respective customer/network for monitoring and incident reporting.
Alternatively, you can download the script file for configuring the RSYSLOG utility from 'Administration' > 'Event Collection' interface, manually enter the parameters for the customer network to be monitored and run the script at the endpoints. See Event Collection for more details.
- In addition to event log collection, SOCaaP is capable of collecting log information from ITarian Network Monitoring Sensors.
- These sensors listen on the customer's network using SPAN/TAP technologies.
- Sensor deployment is customized according to the customer's network topology. Please contact ITarian to arrange sensor deployment.