Configure the Axon Agent Syslog Collector
This collector is only available through use of the Axon Agent.
For guides on collectors configured without the use of Axon Agents, refer to Collector Configuration Guides.
Add an Axon Agent Syslog Collector
Only Administrators can take this action.
- In the lower-left corner of the main screen, click the Administration cog.
The Administration menu appears on the left side. - Under Integrations, click Agents.
The Agents page appears. - In the upper-right corner, click + Add Agent Profile.
The Add Agent Profile Wizard appears. Enter the following information on the Add Basic Profile Information page.
Fields marked with an asterisk (*) are required.Option Description Operating System * Select the appropriate button for the operating system on which this agent will be deployed. Agent Profile Name * Enter a unique name for this Agent Profile. Agent Profile Description Enter an optional detailed description for this Agent Profile. Version Preferences Select the desired Axon Agent version for this profile from the drop-down menu. - Click Next.
- Enter the following information on the Additional Features page, depending on your Axon Agent version.
Fields marked with an asterisk (*) are required.Axon Agent Version 2.0.0 and Newer:
Option Description Syslog Collection Enable this toggle to enable Syslog collection. TCP Syslog Check this option to enable Syslog Collection over TCP.
At least one Syslog protocol (TCP, UDP, or TLS) must be selected.
TCP Port * Enter the port number on which you would like to listen for incoming Syslog messages over TCP. UDP Syslog Click the checkbox if you want to enable Syslog Collection over UDP.
At least one Syslog protocol (TCP, UDP, or TLS) must be selected.
UDP Port * Enter the port number on which you would like to listen for incoming Syslog messages over UDP. TLS Syslog Click the checkbox if you want to enable Syslog Collection over TLS.
At least one Syslog protocol (TCP, UDP, or TLS) must be selected.
TLS Port * Enter the port number on which you would like to listen for incoming Syslog messages over TLS.
If a TCP port is also selected, the TLS port value cannot be the same as the TCP port value.
Include Filter Enter a regular expression to filter logs you want to be sent to Axon. Exclude Filter Enter a regular expression to filter logs you want to exclude from being sent to Axon.
For more information on log filtering, see Log Filtering Examples below.
Axon Agent Version 1.2.4 and Earlier:
Option Description Syslog Collection Click the button to enable Syslog collection. Port * Enter the port number on which you would like to listen for incoming Syslog messages. Syslog Transport Protocol * Select the appropriate button for Syslog collection via UDP or TCP protocol. Include Filter Enter a regular expression to filter logs you want to be sent to Axon. Exclude Filter Enter a regular expression to filter logs you want to exclude from being sent to Axon.
For more information on log filtering, see Log Filtering Examples below.
- Click Submit to save this Agent Profile.
The Agent Profile creation is successful, and it is added to the list of Agent Profiles in Axon.
Log Filtering Examples
Log filtering occurs at the Axon Agent level. Logs which are filtered out are not searchable or indexed in LogRhythm Axon.
Include Regex Example
- Include regex: ^\d*\s\w*$
- Test string: 385 Interlocken
- This scenario would allow the log "385 Interlocken" because the regex looks for any number of digits, followed by a space, followed by any number of letters.
Exclude Regex Example
- Exclude regex: debug
- Test string: |router| 10.0.0.1 - debug log - An action has occurred
- This scenario would exclude the entire log because the word "debug" (case sensitive) appeared.
Multiple Regex Example
Usage of multiple regex in a single filter can be accomplished through use of the OR operator, '|' (pipe character):
- Example regex: mountain|tree
- Test strings:
- mountain
- tree
- The regex above will match both words "mountain" and "tree"
- This example can be extended to much more complicated regex. Use of ( ) for logical grouping is recommended.
Use of regular expression filtering may impact logging performance/throughput by an indeterminate amount. Regular Expressions which are excessively long, complex or use lookaheads/lookbehinds should be vetted for performance before usage in a filter.