Syslog (AERSS)
Overview
Syslog collection is configured through an existing ActiveEye Remote Security Sensor (AERSS), which resides inside a customer network.
Prerequisites
An AERSS service connector must already exist in the customer network. This AERSS service connector cannot already be associated with any Syslog service connector. Instructions for creating an AERSS service connector can be found here.
Creating the Service Connector
- In ActiveEye, in the left pane, click Admin, and then click Service Connectors.
The Service Connectors page appears.
- In the upper-left corner of the page, click Add Connector.
A list of service connectors appears.
- Scroll down to the SYSTEMS & APPLICATIONS section, and then, in the Syslog subsection, click the Add Connection button.
The Add Connector Account page appears.
- In the Display Name box, enter a unique name.
- In the Parent Connector list, select the appropriate AERSS service connector that is not already associated with a Syslog service connector.
- Do not modify the value in the Timezone box unless you have received specific instructions from ActiveEye Engineering to do so.
- Click Add.
The Syslog service connector is created.
Configuring Linux Machines That Will Send Logs to AERSS
The following configuration change needs to be made on any Linux machine that will send its logs to the AERSS Syslog service connector (the target machine).
note
The Linux machine must have rsyslog installed.
- Append this code block to `/etc/rsyslog.conf`, replacing `<AERSS_IP>` with the IP address of the AERSS sensor:

```
# ActiveEye forwarder
# Disk-assisted queue: messages are buffered locally (up to 1 GB) and kept
# across restarts if the AERSS sensor is temporarily unreachable.
$ActionQueueFileName activeEye
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
# -1 = retry the forwarding action indefinitely instead of dropping messages
$ActionResumeRetryCount -1
# Forward all facilities and priorities over UDP (single @) to the AERSS
# sensor on port 514, using the RFC 5424-style output template
*.* @<AERSS_IP>:514;RSYSLOG_SyslogProtocol23Format
```

- Restart the syslog service with `service rsyslog restart` or, on systemd Linux machines, with `systemctl restart rsyslog`.
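The steps above are usually applied to many target machines, so here is an added example (not ActiveEye's own tooling) of a POSIX shell script that installs the forwarder block from this page idempotently, validates the resulting configuration with `rsyslogd -N1` before restarting the service, and picks `systemctl` or `service` as the page describes. The marker line `# ActiveEye forwarder` is used to detect an existing install; the AERSS IP and config file path are taken from the command line (assumptions made for this example).

```shell
#!/bin/sh
# Added example, not part of the ActiveEye documentation or product.
# Installs the AERSS forwarder block into an rsyslog config file exactly once,
# checks the config, and restarts rsyslog.
set -eu

# The first line of the page's block doubles as an "already installed" marker.
MARKER='# ActiveEye forwarder'

# Render the forwarder block for a given AERSS IP (the page's block verbatim).
render_forwarder_conf() {
    aerss_ip=$1
    printf '%s\n' \
        "$MARKER" \
        '$ActionQueueFileName activeEye' \
        '$ActionQueueMaxDiskSpace 1g' \
        '$ActionQueueSaveOnShutdown on' \
        '$ActionQueueType LinkedList' \
        '$ActionResumeRetryCount -1' \
        "*.* @${aerss_ip}:514;RSYSLOG_SyslogProtocol23Format"
}

# Append the block to the config file only if the marker is absent, so that
# re-running the script never creates a second forwarding action (which would
# send every message to AERSS twice). Returns 0 if appended, 1 if present.
install_forwarder_conf() {
    conf_file=$1
    aerss_ip=$2
    if grep -qF "$MARKER" "$conf_file" 2>/dev/null; then
        return 1
    fi
    render_forwarder_conf "$aerss_ip" >> "$conf_file"
    return 0
}

# Number of forwarder blocks in a config file; a healthy file has 0 or 1.
count_forwarder_blocks() {
    grep -cF "$MARKER" "$1" 2>/dev/null || true
}

# Ask rsyslogd to parse the file without starting, so a typo in the appended
# block is caught before the running daemon is restarted into a broken config.
validate_conf() {
    rsyslogd -N1 -f "$1" >/dev/null 2>&1
}

main() {
    aerss_ip=${1:?usage: $0 <AERSS_IP> [conf_file]}
    conf_file=${2:-/etc/rsyslog.conf}
    if install_forwarder_conf "$conf_file" "$aerss_ip"; then
        echo "forwarder block appended to $conf_file"
    else
        echo "forwarder block already present in $conf_file"
    fi
    if command -v rsyslogd >/dev/null 2>&1; then
        validate_conf "$conf_file" || { echo "rsyslog config check failed; not restarting"; exit 1; }
    fi
    # Restart as described on the page: systemd hosts use systemctl, others use service.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart rsyslog
    else
        service rsyslog restart
    fi
}

# Only run main when invoked with arguments, e.g. ./install_forwarder.sh 10.0.0.5
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root on each target machine with the AERSS IP as the first argument (and an alternative config path as the optional second argument). Because the page's block uses a single `@`, the forwarding is plain UDP with no transport encryption, which is why the AERSS sensor is expected to sit inside the customer network; the validation step ensures that a mistyped IP or directive is rejected before `rsyslog` is restarted, so local logging is never interrupted by a bad edit.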