Logging and Alerting with syslog-ng on Expel: A Step-by-Step Guide
Configuring syslog-ng for Logging on Expel
Expel is a managed detection and response (MDR) service. To investigate activity in your environment it needs your log data, and syslog-ng is a common way to collect logs from network devices and servers and forward them. In this article, we walk through configuring syslog-ng to receive logs, filter them, and forward them to Expel, where detection and alerting take place.
Prerequisites
Before you begin, make sure you have the following:
- An Expel account with syslog ingestion enabled, and the address Expel gave you for it
- A host running syslog-ng that receives the logs you want to forward (for example, from network devices)
- Familiarity with syslog-ng configuration files
Step 1: Configure syslog-ng to Send Logs to Expel
To start, you need to define where syslog-ng receives logs from (a source) and where it forwards them to (a destination). Both go in syslog-ng.conf (normally /etc/syslog-ng/syslog-ng.conf). The legacy tcp() and udp() drivers are deprecated; use the network() driver with a transport() option instead. Add the following blocks:
source s_expel {
    # Listen on TCP 514. Bound to 127.0.0.1 this only accepts messages from
    # the local host; to receive from network devices, bind to a reachable
    # interface address. use_dns(no) avoids reverse lookups on every sender.
    network(ip("127.0.0.1") port(514) transport("tcp") use_dns(no));
};
destination d_expel {
    # Forward as BSD syslog over UDP.
    network("expel_instance_ip" port(514) transport("udp"));
};
Replace expel_instance_ip with the actual IP address or hostname of your Expel instance. Note that plain UDP syslog is unencrypted and unacknowledged: anyone on the path can read or alter the messages, and drops are silent. For traffic leaving your network, prefer transport("tls") (see Step 3).
Step 2: Configure syslog-ng to Filter and Parse Logs
Next, define which of the received logs should be forwarded. A filter can live directly in syslog-ng.conf or in a separate file pulled in with an @include line; syslog-ng does not ship a filter.conf by default. Add the following block to select the log messages you want:
filter f_expel {
    facility(local0);
};
This will filter logs with a facility of local0.
Step 3: Connect the Source, Filter and Destination with a Log Path
A source, a filter and a destination do nothing on their own. syslog-ng has no "action" block; what ties the pieces together is a log statement, and it must be present or no message is forwarded. If Expel expects RFC 5424 (IETF) syslog rather than the BSD format, use the syslog() driver for the destination; its transport is set with transport(), not protocol(). Add the following to syslog-ng.conf:
destination d_expel_ietf {
    # RFC 5424 framing; swap transport("udp") for transport("tls") in production.
    syslog("expel_instance_ip" port(514) transport("udp"));
};
log {
    source(s_expel);
    filter(f_expel);
    destination(d_expel_ietf);
};
Replace expel_instance_ip with the actual IP address or hostname of your Expel instance. Alerting itself happens on the Expel side once the messages arrive; syslog-ng only collects, filters and forwards.
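The three steps above, assembled into one complete syslog-ng.conf as an added example (not configuration from the original page and not Expel's published integration guide). It goes beyond the steps in two ways: it shows the plaintext UDP destination next to a TLS destination that verifies the remote certificate, and it adds a disk buffer so messages survive a connection outage. The TLS port 6514, the CA directory path and the assumption that Expel accepts RFC 5424 over TLS are placeholders to confirm against your Expel onboarding details.

```conf
@version: 4.2
@include "scl.conf"

options {
    use_dns(no);         # do not reverse-resolve sender addresses
    keep_hostname(yes);  # keep the hostname the device put in the message
};

# Source: network devices send to this host on TCP 514.
# Bound to all interfaces so remote devices can reach it (not 127.0.0.1).
source s_devices {
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Filter: only messages the devices send on facility local0.
filter f_local0 {
    facility(local0);
};

# Weak setting, kept for comparison: plaintext UDP. No confidentiality,
# no integrity, and drops are silent. Do not use this across the internet.
# destination d_expel_udp {
#     syslog("expel_instance_ip" port(514) transport("udp"));
# };

# Corrected setting: RFC 5424 over TLS. The remote certificate must chain
# to a CA in ca_dir() or the connection is refused (peer_verify).
# Port 6514 and the CA directory path are assumptions for this example.
destination d_expel_tls {
    syslog("expel_instance_ip" port(6514) transport("tls")
        tls(
            ca_dir("/etc/syslog-ng/ca.d")
            peer_verify(required-trusted)
        )
        # Spool to disk if the TLS session drops, instead of losing messages.
        disk-buffer(disk-buf-size(1073741824) reliable(yes))
    );
};

# Log path: without this statement nothing is forwarded.
log {
    source(s_devices);
    filter(f_local0);
    destination(d_expel_tls);
    flags(flow-control);  # back-pressure the TCP source rather than drop
};
```

Before restarting the daemon, check the file with syslog-ng --syntax-only; it reports the line of any option it does not recognise. Replace expel_instance_ip with the address Expel provided, and drop the CA certificate that signs its endpoint into the ca_dir() directory (hashed with openssl rehash or c_rehash, which is how syslog-ng locates certificates in a directory).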
Conclusion
Configuring syslog-ng to forward logs to Expel comes down to four pieces: a source that receives the logs, a filter that selects them, a destination that points at Expel, and a log statement that connects the three. Remember to replace expel_instance_ip with the actual address of your Expel instance, and to use a TLS transport rather than plain UDP for anything that leaves your network.
Example Use Case
Suppose you have a network device sending logs to a syslog-ng server. By following the steps outlined in this article, syslog-ng receives those logs, keeps only the messages you care about (here, facility local0), and forwards them to your Expel instance, where they are analysed and alerts are raised.
Tips and Variations
- Make sure to update the syslog-ng.conf file with the correct address of your Expel instance, and run syslog-ng --syntax-only before restarting to catch configuration errors.
- You can modify the filter to suit your needs, for example by combining facility(local0) with level(warning..emerg) or host() matches; filters can live in syslog-ng.conf or in a file you pull in with @include.
- To test the path end to end, send a message to the source from the syslog-ng host, for example logger -n 127.0.0.1 -P 514 -T -p local0.info "test message", and confirm it arrives in Expel.
- If you have multiple syslog-ng servers, configure each one to send logs to your Expel instance using the steps outlined in this article.