To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays
You can use this document to add a remote log collector to an Apache HTTP Server remote device (log source).
Before you begin, review the following requirements:
For remote log collection, you must have Log Relay added to your account.
- To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection.
Create A Remote Log Source
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click External Sources.
- Click Log Relay Source.
- Click the plus ( + ) sign.
- If you do not have any log sources already created, then click Add a New Log Source.
- Complete the missing fields:
- In Endpoint, select the available Armor Endpoint.
- In Log Source Type, select Apache HTTP Server.
- In Hostname, enter the system hostname that matches the system for syslog collection. For example, in Mar 10 08:52:55 node-77 systemd: < redacted >, the hostname would be node-77.
- The hostname is case-sensitive and must match the same letter casing as the logs that are sent into this log source.
- In Protocol, select TLS Syslog.
- Click Save Log Source.
Before you begin, ensure that the following packages are installed:
- apt-get install -y rsyslog-gnutls
- Create a directory to hold the Armor PEM file:
- mkdir -pv /etc/rsyslog.d/keys/ca.d
- Change to the newly created directory:
- cd /etc/rsyslog.d/keys/ca.d
- Download Armor PEM files:
- Create a file called /etc/rsyslog.d/54-nginx.conf with the template below.
- Replace access-log with the full path of the access log.
- Repeat for each access log needed.
- If more than one access log file is defined, ensure that the InputFileStateFile name is unique per log file.
- Create a file called /etc/rsyslog.d/55-armor.conf with the template below.
- Replace target-name:port with the name of the configured endpoint and port.
Ensure that rsyslog configuration has no syntax errors:
service rsyslog restart
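The two rules given above for /etc/rsyslog.d/54-nginx.conf (a full path for each access log, a unique InputFileStateFile name per log file) can be checked before the restart. The script below is an added example, not part of Armor's template; it assumes the file uses rsyslog's legacy imfile directives ($InputFileName, $InputFileStateFile), and the sample paths, tags and state-file names are constructed.

```shell
#!/bin/sh
# Lint a legacy-format rsyslog imfile config against the two rules above:
#   1. every $InputFileName is a full (absolute) path
#   2. every $InputFileStateFile name is unique
# Prints one line per problem; returns 0 when clean, 1 otherwise.
lint_imfile_conf() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "$inputfilename" {
            files++
            if ($2 !~ /^\//) { printf "line %d: not a full path: %s\n", NR, $2; bad = 1 }
        }
        tolower($1) == "$inputfilestatefile" {
            states++
            if ($2 in seen) {
                printf "line %d: state file %s already used on line %d\n", NR, $2, seen[$2]; bad = 1
            } else seen[$2] = NR
        }
        END {
            # each monitored log needs a state file of its own
            if (files + 0 != states + 0) { printf "%d log files but %d state files\n", files, states; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: two access logs that wrongly share one state file,
# the second given as a relative path. Paths, tags and names are illustrative.
sample_conf() {
    cat <<'EOF'
$ModLoad imfile
$InputFileName /var/log/apache2/access.log
$InputFileTag apache-access:
$InputFileStateFile stat-apache-access
$InputRunFileMonitor
$InputFileName logs/site2_access.log
$InputFileTag apache-site2:
$InputFileStateFile stat-apache-access
$InputRunFileMonitor
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
lint_imfile_conf "$tmp" || echo "fix the problems above before restarting rsyslog"
rm -f "$tmp"
```

To check a real file, call lint_imfile_conf with its path; the check covers only these two rules and does not replace rsyslog's own syntax validation.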