Custom Syslog Configuration
The default NetProfiler syslog configuration (set on the Administration > General Setting page) uses the UDP protocol without encryption. Due to the many possible syslog encryption configurations, NetProfiler also supports providing custom rsyslog-style configuration files.
Installing a Custom Syslog Configuration File
- SSH to the UI or Base module using the "mazu" account and create folders for the configuration and certificates (optional):
[mazu@netprofiler ~]$ mkdir /usr/mazu/conf/rsyslog.d
[mazu@netprofiler ~]$ mkdir /opt/cascade/vault/rsyslog #optional
- Copy one or more custom rsyslog-style configuration files into the /usr/mazu/conf/rsyslog.d folder.
- Copy one or more certificates into the /opt/cascade/vault/rsyslog folder. (optional)
- Restart the NetProfiler or Flow Gateway services.
[mazu@netprofiler ~]$ sudo systemctl restart netprofiler # NetProfiler
[mazu@flowgateway ~]$ sudo systemctl restart flowgateway # Gateway
To reverse the configuration, remove the files and restart services. Backing up the NetProfiler configuration also backs up the custom syslog configurations.
Example Syslog Configuration File
The following example configuration file will set up syslog to use TCP/6514 and TLS encryption when forwarding Audit Records (local4.*) and Events (local3.*) to the server 192.168.1.100:
$DefaultNetstreamDriverCAFile /opt/cascade/vault/rsyslog/ca.pem
# make gtls driver the default
$DefaultNetStreamDriver gtls
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode anon
local4.* @@192.168.1.100:6514
local3.* @@192.168.1.100:6514
This is an example of a typical configuration for using TLS-encrypted syslog over TCP. For additional configuration options, refer to the documentation for your syslog server and/or the rsyslog client on NetProfiler.
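With the auth mode set to anon, as in the example above, the session is encrypted but the receiver's certificate is not verified. The variant below also authenticates the syslog server. It is an added example, not part of the NetProfiler documentation. It uses standard rsyslog legacy directives and assumes that the server certificate was issued by the CA in ca.pem and carries the name syslog.example.com, which is a constructed placeholder.

```conf
# Added example: TLS forwarding that also authenticates the syslog server.
# syslog.example.com is a constructed placeholder; replace it with the
# name that appears in your syslog server's certificate.

# CA that issued the syslog server's certificate
$DefaultNetstreamDriverCAFile /opt/cascade/vault/rsyslog/ca.pem

# make gtls driver the default and run it in TLS-only mode
$DefaultNetStreamDriver gtls
$ActionSendStreamDriverMode 1

# Setting from the page's example: encrypted, peer certificate not checked
#$ActionSendStreamDriverAuthMode anon

# Variant: validate the server certificate against ca.pem and require
# the name in the certificate to match the permitted peer
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer syslog.example.com

# Audit Records
local4.* @@192.168.1.100:6514
# Events
local3.* @@192.168.1.100:6514
```

If the server certificate is missing, expired, or issued for a different name, the TLS handshake fails and no records are forwarded, so confirm on the syslog server that Audit Records and Events arrive after the service restart.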