Configuring the event source server

The rsyslog service is used to transmit events from the server to the KUMA collector.

To configure transmission of events from the server to the collector:

1. Make sure that the rsyslog service is installed on the event source server. For this purpose, execute the following command:

   systemctl status rsyslog.service

   If the rsyslog service is not installed on the server, install it by executing the following command:

   yum install rsyslog

   systemctl enable rsyslog.service

   systemctl start rsyslog.service

2. In the /etc/rsyslog.d folder, create the audit.conf file with the following content:

   $ModLoad imfile

   $InputFileName /var/log/audit/audit.log

   $InputFileTag tag_audit_log:

   $InputFileStateFile audit_log

   $InputFileSeverity info

   $InputFileFacility local6

   $InputRunFileMonitor

   *.* @<KUMA collector IP address>:<KUMA collector port>

   If you want to send events over TCP, instead of the last line in the file insert the following line:
   *.* @@<KUMA collector IP address>:<KUMA collector port>.

3. Save the changes to the audit.conf file.
4. Restart the rsyslog service by executing the following command:

   systemctl restart rsyslog.service

The event source server is configured. Data about events is transmitted from the server to the KUMA collector.

Page top