SUSE Linux Server Logs Configuration

Modified on Thu, 14 Aug at 3:05 PM

Overview

Follow the directions in this document to forward SUSE Linux server logs to our CCE and APE machines over UDP port 514.


Before beginning configuration, make sure that UDP port 514 is open and that the CCE is reachable from this Linux device.


Steps of Configuration

  1. Log in as the root user on the server.
  2. Run the following command to get inside the /etc directory:
    # cd /etc
  3. Run the list command:
    # ls
  4. Run the following command:
    # cd rsyslog.d
  5. Run the list command again:
    # ls
  6. Now edit the remote.conf file using this command:
    # vi remote.conf
    • Note: Please do the following steps inside the Forwarding Rule section.
    • Note 2: Press "i" to insert a new line at the bottom and assign an IP address and port for rsyslogd.
      # Remote Logging using UDP.
      # remote host is: name/ip:port, e.g. 192.168.0.1:514
      *.* @cce-ip:514
    • Note 3: Uncomment the following lines in the UDP Syslog Server or TCP Syslog Server section of the configuration file.
      TCP example:
      $ModLoad imtcp.so
      $UDPServerAddress IP1
      $InputTCPServerRun PORT2

      UDP example:
      $ModLoad imudp.so
      $UDPServerAddress IP1
      $UDPServerRun PORT2
  7. To save the changes, press Esc, then type :wq! and press Enter.
  8. Now run the following commands:
    1. To restart services:
      # systemctl restart rsyslog.service
    2. To check the status, run:
      # systemctl status rsyslog.service
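
The following check is an added example, not part of the original article: it reads a remote.conf-style file, lists the active forwarding rules (a single @ means UDP, @@ means TCP) and any uncommented listener directives from Note 3, which make this server accept syslog from the network. The function names and the sample file are constructed for illustration, and 192.0.2.10 is a documentation address standing in for the CCE IP.

```shell
#!/bin/sh
# Added example, not from the article. The sample file is constructed;
# 192.0.2.10 is a documentation address standing in for the CCE IP.

# list_forwards FILE: print "proto host port selector" for every active
# forwarding action ("@host:port" is UDP, "@@host:port" is TCP).
# Assumes hostname or IPv4 targets without extra options such as "(z9)".
list_forwards() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        $2 ~ /^@/ {
            target = $2; proto = "udp"
            if (target ~ /^@@/) { proto = "tcp" }
            sub(/^@+/, "", target)
            port = "514"                       # rsyslog default if omitted
            host = target
            if (split(target, parts, ":") == 2) { host = parts[1]; port = parts[2] }
            print proto, host, port, $1
        }' "$1"
}

# list_listeners FILE: print uncommented legacy listener directives, which
# make this host accept syslog from the network.
list_listeners() {
    awk '/^[ \t]*[$](UDPServerRun|InputTCPServerRun)[ \t]/ { print $1, $2 }' "$1"
}

# check_forward FILE HOST PORT: succeed only if FILE forwards over UDP
# to exactly HOST:PORT.
check_forward() {
    list_forwards "$1" | awk -v h="$2" -v p="$3" \
        '$1 == "udp" && $2 == h && $3 == p { ok = 1 } END { exit !ok }'
}

SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Remote Logging using UDP.
*.* @192.0.2.10:514
#*.* @@192.0.2.10:514
$ModLoad imudp.so
$UDPServerRun 514
EOF

echo "forwarding rules:"; list_forwards "$SAMPLE"
echo "listeners:";        list_listeners "$SAMPLE"
check_forward "$SAMPLE" 192.0.2.10 514 && echo "UDP forward to CCE present"
```

On the server, point the functions at /etc/rsyslog.d/remote.conf; running rsyslogd -N1 before the restart additionally checks the configuration syntax.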


Verification

Verification can be done either from the CCE Server or from the UI.


Using the UI

  1. Log in to the UI > System.
  2. Go to Log/Flow Collection Status.
  3. Under Source Device IP Address(es), the IP address will be displayed.


Using the CCE Server

Run the following command to check whether logs are being received.

sudo tcpdump -i any port 514 and host <IP address> -AAA
