Having a central syslog server is a well established best-practice for centralizing and aggregating log data from servers. This data can easily be configured to be forwarded in real time to Unomaly as described below.

You can forward log data produced by a system and its applications directly to Unomaly on the following communication port, where <unomaly-ip> is the IP address of the Unomaly instance:

<unomaly-ip>:514

If the data originates from a log aggregator, you can configure it to forward its syslog-compatible data to Unomaly on the following communication port:

<unomaly-ip>:5514

Syslog-ng server

To forward logs that are already being handled by the syslog-ng process, create a new destination and a new log directive, and reuse the source declarations that already exist for receiving incoming data from other servers.

Configuration

Edit /etc/syslog-ng.conf to add the following:

[syslog-ng.conf]
# New Unomaly destination (127.0.0.1 assumes Unomaly runs on this host; otherwise use the Unomaly instance address)
destination unomaly { tcp("127.0.0.1" port(5514)); };

# New log directive: put the name of your existing source declaration in place of <existing-source>
log { source(<existing-source>); destination(unomaly); };

Optional filtering

You may want to filter on specific systems to limit the data you forward to Unomaly.

# Forward only two systems (host() takes a regular expression, so anchor it if substring matches are unwanted)
filter f_hosts { host("testsystem1") or host("testsystem2"); };

# New log directive with added filter
log { source(<existing-source>); filter(f_hosts); destination(unomaly); };

Rsyslog server

Rsyslog is a modern syslog service available for most Unix and Linux platforms. It supports forwarding of both locally generated and relayed syslog messages.

Configuration

Edit /etc/rsyslog.conf to add the following:

[rsyslog.conf]
# Forward all collected logs to Unomaly over TCP (@@ selects TCP, @ would select UDP)
*.* @@<unomaly server ip>:5514

Optional filtering

# Forward logs only from the system called 'testsystem'
:hostname, isequal, "testsystem" @@<unomaly server ip>:5514
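The host filters shown for syslog-ng (`host("testsystem1")`, a regular-expression match) and rsyslog (`:hostname, isequal, "testsystem"`, an exact match) do not select the same messages. The following added example, which is not part of this page's configuration or of Unomaly's own tooling, parses a few constructed RFC3164 lines, applies both filter semantics, and shows how the kept messages would be framed for the plain TCP forwarding used above.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# RFC3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG. The host filters act on HOST.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Constructed sample messages (not real log data).
SAMPLE = [
    "<34>Oct 11 22:14:15 testsystem1 su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 testsystem10 sshd[1234]: Accepted publickey for ops",
    "<13>Oct 11 22:14:17 otherhost cron[77]: job done",
]


def parse_rfc3164(line: str) -> Optional[Dict[str, object]]:
    """Split PRI into facility/severity and pull out the HOST field."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8,
            "host": m.group("host"), "rest": m.group("rest")}


def hosts_filter(lines: Iterable[str], hosts: Set[str], exact: bool) -> List[str]:
    """exact=True mimics rsyslog's isequal; exact=False mimics syslog-ng's
    unanchored host(regexp), which also matches longer hostnames."""
    kept = []
    for line in lines:
        rec = parse_rfc3164(line)
        if rec is None:
            continue  # malformed line: neither filter would match on HOST
        host = str(rec["host"])
        if exact and host in hosts:
            kept.append(line)
        elif not exact and any(re.search(h, host) for h in hosts):
            kept.append(line)
    return kept


def frame_for_tcp(lines: Iterable[str]) -> bytes:
    """Newline-delimited framing as used by tcp() / @@ forwarding to port 5514."""
    return "".join(line + "\n" for line in lines).encode()
```

Running `hosts_filter(SAMPLE, {"testsystem1"}, exact=False)` keeps `testsystem10` as well, which is the reason to anchor the syslog-ng pattern (for example `host("^testsystem1$")`) when only one system is meant.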

Kiwi Syslog server

  1. Start the Kiwi Syslog Service Manager.
  2. In the File menu, select Setup.
  3. Under Rules/Actions, select "Forward to another host".
  4. Fill in the Unomaly IP address and port 5514.
  5. Enable RFC3164.