How do I send Syslog messages from Ubuntu to EventSentry?

Article ID: 260
Category: Network Monitoring
Applies to: All Versions
Updated: 2022-10-11

The Syslog daemon (rsyslog) on Ubuntu is configured through the /etc/rsyslog.conf configuration file. Follow the steps below to send all Syslog messages from an Ubuntu machine to EventSentry.

  • Open the file /etc/rsyslog.conf in an editor.

  • Add the following line:

    # forward every facility and priority to EventSentry on TCP port 514
    # (@@ = TCP, a single @ = UDP)
    *.* @@eventsentryserver:514

  • Restart the syslog daemon:

    sudo service rsyslog restart

For troubleshooting, query the service status, which reports problems such as a failed connection to the syslog server, by running:

    sudo service rsyslog status

The connection from the Linux server to the EventSentry syslog server can also be tested by sending a text message from the terminal (the /dev/tcp path is a bash feature, so run this in bash):

    echo "<14>Test TCP syslog message" >> /dev/tcp/[EventSentry_IP]/514

Notes:
* rsyslog sends over TCP when the target is written as @@host:port and over UDP when it is written as @host:port; double check the EventSentry configuration for the TCP port of the syslog server.
* Replace "eventsentryserver" with the host name or IP address of the host where EventSentry's network services service is installed and running. We recommend that you create a CNAME record (e.g. "syslog", "log", "eventsentry") on your DNS server and use that alias in the configuration files.

It is not necessary to send all Syslog messages to EventSentry. For example, the following sends only messages with a priority of warning or higher (warning, err, crit, alert and emerg) to a host with the CNAME alias "eventsentry". A syslog selector matches the named priority and every more severe one, so a single line covers all five levels; listing each priority on its own line would forward the most severe messages once per matching line:

    # warning and every more severe priority, forwarded once over TCP
    *.warning @@eventsentry:514
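The following added example (a model written for this article, not rsyslog's own code) implements the classic selector semantics that rsyslog applies to lines like the one above, and counts how many times a rule set forwards a given message. It makes the difference visible between one selector per severity and a single `*.warning` selector. Both configuration texts and the sample messages are constructed; "eventsentry" is a placeholder host name.

```python
# Added example (not rsyslog's code): model of classic syslog selector matching,
# enough to show which rule lines fire for a message and how often it is forwarded.
# Configuration texts and message samples are constructed; "eventsentry" is a placeholder.
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def selector_matches(selector, facility, severity):
    """Classic 'facility.priority' selector.

    facility: '*' or a comma-separated list ('auth,authpriv').
    priority: a name matches that priority and everything more severe
    (numerically lower); '=name' matches exactly that priority;
    '*' matches every priority; 'none' matches nothing.
    """
    fac_part, prio_part = selector.rsplit(".", 1)
    if fac_part != "*" and facility not in fac_part.split(","):
        return False
    if prio_part == "*":
        return True
    if prio_part == "none":
        return False
    exact = prio_part.startswith("=")
    level = SEVERITIES[prio_part.lstrip("=")]
    if exact:
        return SEVERITIES[severity] == level
    return SEVERITIES[severity] <= level


def parse_rules(config_text):
    """Return (selector, action) pairs, skipping blank lines and # comments."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def forwards(config_text, facility, severity):
    """Actions triggered for one message, in order, duplicates included:
    every rule line whose selector matches runs its action independently."""
    return [action for selector, action in parse_rules(config_text)
            if selector_matches(selector, facility, severity)]


# Constructed rule sets: one selector per severity versus a single selector.
PER_SEVERITY = """\
*.emerg   @@eventsentry:514
*.alert   @@eventsentry:514
*.crit    @@eventsentry:514
*.err     @@eventsentry:514
*.warning @@eventsentry:514
"""
SINGLE_RULE = "*.warning @@eventsentry:514\n"

if __name__ == "__main__":
    for name, cfg in (("one line per severity", PER_SEVERITY),
                      ("single *.warning rule", SINGLE_RULE)):
        for sev in ("emerg", "warning", "notice"):
            hits = forwards(cfg, "auth", sev)
            print("%-22s auth.%-8s -> forwarded %d time(s)" % (name, sev, len(hits)))
```

With the per-severity rule set an auth.emerg message matches all five lines and is forwarded five times, while the single `*.warning` rule forwards it once; a notice message is forwarded by neither.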