syslog-ng Integration
Overview
syslog-ng is an enhanced syslog daemon with advanced filtering and routing. KYRA MDR can receive logs from syslog-ng or use it as an intermediary forwarder for aggregating logs from multiple sources.
Prerequisites
- A KYRA MDR Collector installed and running
- syslog-ng installed on the log aggregation server
- Network connectivity from syslog-ng to the collector
- syslog-ng 3.x or 4.x
Configuration
Configure syslog-ng to forward logs:
```
# s_local and s_network are the sources already defined in your syslog-ng.conf;
# the destination below forwards them to the KYRA MDR Collector over TCP.
destination d_kyra {
    tcp("<collector-ip>" port(514)
        template("$ISODATE $HOST $MSGHDR$MSG\n")
    );
};

log {
    source(s_local);
    source(s_network);
    destination(d_kyra);
};

# Optional: filter specific sources
filter f_security {
    facility(auth, authpriv) or level(err..emerg);
};

log {
    source(s_network);
    filter(f_security);
    destination(d_kyra);
};
```

Restart syslog-ng:

```
sudo systemctl restart syslog-ng
```

Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| System Logs | OS and service events | Host security monitoring |
| Auth Logs | Authentication events | Access monitoring |
| Network Device | Forwarded device logs | Infrastructure monitoring |
| Application | Custom application events | Application security |
| Security Events | Filtered security events | Threat detection |
| Audit Logs | System audit trail | Compliance monitoring |
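The Security Events row above depends on the f_security filter from the Configuration section. The Python script below is an added example, not code from KYRA MDR or from syslog-ng: it reproduces that filter's matching rule on raw syslog PRI values (facility * 8 + severity, per RFC 3164) so you can predict which messages will reach d_kyra before restarting the daemon. The sample lines, hostnames and PIDs are constructed.

```python
# Added example, not part of the KYRA MDR or syslog-ng documentation.
# Reproduces the match semantics of the page's filter
#   filter f_security { facility(auth, authpriv) or level(err..emerg); };
# on raw syslog messages. PRI = facility * 8 + severity (RFC 3164, 4.1.1).
import re

FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = {
    0: "emerg", 1: "alert", 2: "crit", 3: "err",
    4: "warning", 5: "notice", 6: "info", 7: "debug",
}

# level(err..emerg) is the inclusive range err, crit, alert, emerg,
# i.e. numeric severities 3 down to 0 (lower number = more severe).
SECURITY_FACILITIES = {"auth", "authpriv"}
SECURITY_SEVERITIES = {"err", "crit", "alert", "emerg"}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a numeric PRI into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 0x07]


def passes_f_security(pri):
    """True if a message with this PRI is matched by f_security."""
    facility, severity = decode_pri(pri)
    return facility in SECURITY_FACILITIES or severity in SECURITY_SEVERITIES


def extract_pri(raw_line):
    """Return the PRI of a raw syslog line, or None if it has no <PRI> prefix."""
    m = PRI_RE.match(raw_line)
    return int(m.group(1)) if m else None


def select_for_kyra(raw_lines):
    """Return only the lines that f_security would pass on to d_kyra."""
    selected = []
    for line in raw_lines:
        pri = extract_pri(line)
        if pri is not None and passes_f_security(pri):
            selected.append(line)
    return selected


# Constructed sample input (hosts, PIDs and message text are made up).
SAMPLE_RAW = [
    "<38>May  1 12:00:01 web01 sshd[1201]: Accepted publickey for alice",        # auth.info
    "<86>May  1 12:00:02 web01 sudo[1210]: alice : TTY=pts/0 ; COMMAND=/bin/ls",  # authpriv.info
    "<30>May  1 12:00:03 web01 systemd[1]: Started daily cleanup",               # daemon.info
    "<27>May  1 12:00:04 web01 nginx[900]: worker process exited",               # daemon.err
    "<13>May  1 12:00:05 web01 app[400]: user profile updated",                  # user.notice
    "May  1 12:00:06 web01 line without a PRI header",                           # malformed
]

if __name__ == "__main__":
    for line in SAMPLE_RAW:
        pri = extract_pri(line)
        verdict = "forward" if pri is not None and passes_f_security(pri) else "drop"
        print(f"{verdict:8} {line}")
```

Running the script prints a forward/drop verdict per sample line: the two auth-family messages and the daemon.err message are forwarded, the informational daemon and user messages are not, and a line with no PRI header is dropped because the filter has nothing to match on.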
Troubleshooting
No logs forwarded: Verify the configuration with `syslog-ng --syntax-only`.
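Once the syntax check passes, the next question is whether the lines that arrive at the collector are well formed. The Python parser below is an added example, not part of the KYRA MDR or syslog-ng documentation: it parses a captured sample against the template configured above (`$ISODATE $HOST $MSGHDR$MSG\n`, where $MSGHDR is `program[pid]: ` with the pid optional) and counts what was received per host and program. The sample lines are constructed.

```python
# Added example, not part of the KYRA MDR or syslog-ng documentation.
# Parses lines produced by the page's destination template
#   "$ISODATE $HOST $MSGHDR$MSG\n"
# so you can confirm on the collector side that forwarded lines are intact.
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<isodate>\S+) "          # $ISODATE, e.g. 2024-05-01T12:00:01+00:00
    r"(?P<host>\S+) "              # $HOST
    r"(?:(?P<program>[^\s\[:]+)"   # $MSGHDR: program name ...
    r"(?:\[(?P<pid>\d+)\])?: )?"   #          optional [pid], then ": "
    r"(?P<msg>.*)$"                # $MSG
)


def parse_kyra_line(line):
    """Return a dict of fields for one forwarded line, or None if malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("isodate"))
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None  # $ISODATE always carries a UTC offset; a naive stamp is malformed
    return {
        "timestamp": ts,
        "host": m.group("host"),
        "program": m.group("program"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def summarize(lines):
    """Count parsed lines per host and per program, plus malformed lines."""
    per_host, per_program, malformed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_kyra_line(line)
        if rec is None:
            malformed += 1
            continue
        per_host[rec["host"]] += 1
        per_program[rec["program"] or "-"] += 1
    return {"hosts": dict(per_host), "programs": dict(per_program), "malformed": malformed}


# Constructed sample of lines as the collector would receive them.
SAMPLE_LINES = [
    "2024-05-01T12:00:01+00:00 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "2024-05-01T12:00:02+00:00 web01 sudo[1210]: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "2024-05-01T12:00:03+00:00 fw01 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5",
    "2024-05-01T12:00:04+00:00 db01 -- MARK --",
    "garbage line without a timestamp",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_kyra_line(line))
    print(summarize(SAMPLE_LINES))
```

A non-zero `malformed` count, or a host that never appears, points at the syslog-ng side (a source that is not defined, a filter that drops everything, or a template that was changed) rather than at the collector.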
Duplicate logs: Use syslog-ng as the single forwarding point.
Performance: Increase `log-fifo-size` and use `disk-buffer` for high-volume environments.
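The following is an added example of the two tuning options named above applied to the page's d_kyra destination; it is not configuration shipped by KYRA MDR or syslog-ng. The buffer sizes are illustrative assumptions and should be sized for your message rate and available disk.

```conf
# Added example (not from the KYRA MDR documentation): the page's d_kyra
# destination with the log-fifo-size and disk-buffer options from the
# Performance note. Sizes below are assumptions, not recommendations.
destination d_kyra {
    tcp("<collector-ip>" port(514)
        template("$ISODATE $HOST $MSGHDR$MSG\n")
        # In-memory queue of messages waiting to be sent (syslog-ng default: 10000).
        log-fifo-size(100000)
        # Spill to disk when the memory queue fills, so a collector outage or a
        # network stall does not drop messages.
        disk-buffer(
            reliable(yes)                 # every message is written to disk before it is queued
            mem-buf-size(16777216)        # 16 MiB in-memory window (bytes)
            disk-buf-size(2147483648)     # 2 GiB on-disk buffer (bytes)
        )
    );
};
```

Re-run `syslog-ng --syntax-only` after editing and watch disk usage in the buffer directory: a disk buffer that keeps growing means the collector is not keeping up, not that the problem is solved. Note that the configuration on this page sends logs in cleartext over TCP 514; whether the KYRA MDR Collector accepts TLS is not stated here, so confirm that with support before relying on the channel for sensitive log content.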
Contact kyra@seekerslab.com for support.