Like other forms of raw data, Generic Syslog contextualizes information in InsightIDR and assets and makes it available for log search.
You must use the RFC3164 (BSD) Syslog Header.
The Generic Syslog Event Source ONLY accepts data which begins with RFC3164 (BSD) Syslog Header. Logs sent using a different syslog header will not be parsed.
If your desired event source cannot send logs with this version of syslog header, then you can use the Custom Logs event source type, which will ingest the logs as a string without attempting to parse the contents by header and body values.
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Raw Data” section, click the Generic Syslog icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Select Save.
When parsing with the RFC3164 (BSD) syslog header, make sure to look for this specific configuration in the logs:
<133>Feb 25 14:09:07 webserver syslogd: restart
The message corresponds to the following format:
<priority>timestamp hostname application: message
You can read additional information on RFC3164 (BSD) Syslog Header, the BSD syslog protocol, here: https://www.ietf.org/rfc/rfc3164.txt
Use information from the following sections to help you resolve your issues:
- Generic Syslog Errors
- Generic Syslog Troubleshooting
Sometimes during setup, these logs lack the proper syslog headers and the logs will not be ingested.
If you do not see the data after setup, either add the standard syslog headers. If that does not work, use them as custom logs.
Updated about a year ago