Configure the Axon Agent Syslog Collector

This collector is only available through use of the Axon Agent.

For guides on collectors configured without the use of Axon Agents, refer to Collector Configuration Guides.

Add an Axon Agent Syslog Collector

Only Administrators can take this action.

1. In the lower-left corner of the main screen, click the Administration cog.
   The Administration menu appears on the left side.
2. Under Integrations, click Agents.
   The Agents page appears.
3. In the upper-right corner, click + Add Agent Profile.
   The Add Agent Profile Wizard appears.

4. Enter the following information on the Add Basic Profile Information page.
   Fields marked with an asterisk (*) are required.

   Option	Description
   Operating System *	Select the appropriate button for the operating system on which this agent will be deployed.
   Agent Profile Name *	Enter a unique name for this Agent Profile.
   Agent Profile Description	Enter an optional detailed description for this Agent Profile.
   Version Preferences	Select the desired Axon Agent version for this profile from the drop-down menu.

5. Click Next.
6. Enter the following information on the Additional Features page, depending on your Axon Agent version.
   Fields marked with an asterisk (*) are required.

   1. Axon Agent Version 2.0.0 and Newer:

      Option	Description
      Syslog Collection	Enable this toggle to enable Syslog collection.
      TCP Syslog	Check this option to enable Syslog Collection over TCP. At least one Syslog protocol (TCP, UDP, or TLS) must be selected.
      	TCP Port *	Enter the port number on which you would like to listen for incoming Syslog messages over TCP.
      UDP Syslog	Click the checkbox if you want to enable Syslog Collection over UDP. At least one Syslog protocol (TCP, UDP, or TLS) must be selected.
      	UDP Port *	Enter the port number on which you would like to listen for incoming Syslog messages over UDP.
      TLS Syslog	Click the checkbox if you want to enable Syslog Collection over TLS. At least one Syslog protocol (TCP, UDP, or TLS) must be selected.
      	TLS Port *	Enter the port number on which you would like to listen for incoming Syslog messages over TLS. If a TCP port is also selected, the TLS port value cannot be the same as the TCP port value.
      Log Level *	Enter the logging level at which you would like the Syslog collector to write to the td-agent.log file. The following are valid log level values, from least to most verbose:  fatal error warn info debug trace For more information on log levels, see https://docs.fluentd.org/deployment/logging#log-level
      Include Filter	Enter a regular expression to filter logs you want to be sent to Axon.
      Exclude Filter	Enter a regular expression to filter logs you want to exclude from being sent to Axon. For more information on log filtering, see Log Filtering Examples below.

   2. Axon Agent Version 1.2.4 and Earlier:

      Option	Description
      Syslog Collection	Click the button to enable Syslog collection.
      Port *	Enter the port number on which you would like to listen for incoming Syslog messages.
      Syslog Transport Protocol *	Select the appropriate button for Syslog collection via UDP or TCP protocol.
      Log Level *	Enter the logging level at which you would like the Syslog collector to write to the td-agent.log file. The following are valid log level values, from least to most verbose:  fatal error warn info debug trace For more information on log levels, see https://docs.fluentd.org/deployment/logging#log-level
      Include Filter	Enter a regular expression to filter logs you want to be sent to Axon.
      Exclude Filter	Enter a regular expression to filter logs you want to exclude from being sent to Axon. For more information on log filtering, see Log Filtering Examples below.

7. Click Submit to save this Agent Profile.
   The Agent Profile creation is successful, and it is added to the list of Agent Profiles in Axon.

Log Filtering Examples

Log filtering occurs at the Axon Agent level.  Logs which are filtered out are not searchable or indexed in LogRhythm Axon.

Include Regex Example

• Include regex: ^\d*\s\w*$
• Test string: 385 Interlocken
• This scenario would allow the log "385 Interlocken" because the regex looks for any number of digits, followed by a space, followed by any number of letters.

Exclude Regex Example

• Exclude regex: debug
• Test string: |router| 10.0.0.1 - debug log - An action has occurred
• This scenario would exclude the entire log because the word "debug" (case sensitive) appeared.

Multiple Regex Example

Usage of multiple regex in a single filter can be accomplished through use of the OR operator, '|' (pipe character):

• Example regex: mountain|tree
• Test strings:
  • mountain
  • tree
• The regex above will match both words "mountain" and "tree"
• This example can be extended to much more complicated regex.  Use of ( ) for logical grouping is recommended.

Use of regular expression filtering may impact logging performance/throughput by an indeterminate amount.  Regular Expressions which are excessively long, complex or use lookaheads/lookbehinds should be vetted for performance before usage in a filter.