Configuring a Syslog server to send events

The rsyslog service is used to transmit events from the server to KUMA.

To configure the sending of events from the server where PostgreSQL is installed to the collector:

  1. To verify that the rsyslog service is installed on the event source server, run the following command as administrator:

    sudo systemctl status rsyslog.service

    If the rsyslog service is not installed on the server, install it by executing the following commands:

    sudo yum install rsyslog

    sudo systemctl enable rsyslog.service

    sudo systemctl start rsyslog.service

  2. In the /etc/rsyslog.d/ directory, create a pgsql-to-siem.conf file with the following content:

    if $programname contains 'postgres' then @<IP address of the collector>:<port of the collector>

    For example:

    if $programname contains 'postgres' then @192.168.1.5:1514

    The if keyword must be lowercase, and contains performs a case-sensitive comparison: the string must match the PostgreSQL syslog_ident parameter, which defaults to postgres. If you have changed syslog_ident in postgresql.conf, use that value instead, or use contains_i for a case-insensitive match. A single @ sends events via UDP.

    If you want to send events via TCP, use @@ instead, so the contents of the file must be as follows:

    if $programname contains 'postgres' then @@<IP address of the collector>:<port of the collector>

    Save changes to the pgsql-to-siem.conf configuration file.

  3. Add the following lines to the /etc/rsyslog.conf configuration file:

    $IncludeConfig /etc/rsyslog.d/pgsql-to-siem.conf

    $RepeatedMsgReduction off

    On most distributions rsyslog.conf already contains $IncludeConfig /etc/rsyslog.d/*.conf (or the equivalent include(file="/etc/rsyslog.d/*.conf") statement), which loads every file in /etc/rsyslog.d/. In that case add only the $RepeatedMsgReduction off line; including pgsql-to-siem.conf a second time would forward every event twice. $RepeatedMsgReduction off prevents rsyslog from collapsing identical consecutive events into a single "last message repeated N times" line, so that each event reaches the collector.

    Save changes to the /etc/rsyslog.conf configuration file.

  4. Restart the rsyslog service by executing the following command:

    sudo systemctl restart rsyslog.service
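The whole procedure as one script, added here as an example; it is not part of the KUMA documentation. It assumes bash, GNU grep, systemd and the logger and rsyslogd binaries, and takes the collector address 192.168.1.5:1514 from the page; the function names, the udp/tcp argument and the apply entry point are this example's own. It also handles the two points a practitioner trips over: the rule uses contains_i so the default postgres ident matches regardless of case, and rsyslog.conf is checked for an existing include of /etc/rsyslog.d/ before another $IncludeConfig line is appended, so the rule is never loaded twice.

```shell
#!/usr/bin/env bash
# Added example (not part of the KUMA documentation): build, install and
# verify the rsyslog rule that forwards PostgreSQL events to the collector.
# Collector address 192.168.1.5:1514 comes from the page; function names,
# the udp/tcp argument and the "apply" entry point are this script's own.
set -eu

# Render the one-line rsyslog rule. "@" forwards over UDP, "@@" over TCP.
# contains_i matches PostgreSQL's default syslog_ident ("postgres")
# regardless of case; plain "contains" is case-sensitive.
render_pgsql_rule() {
  local collector_ip="$1" collector_port="$2" proto="${3:-udp}"
  local prefix
  case "$proto" in
    udp) prefix="@" ;;
    tcp) prefix="@@" ;;
    *) echo "render_pgsql_rule: protocol must be udp or tcp, got '$proto'" >&2; return 1 ;;
  esac
  printf "if \$programname contains_i 'postgres' then %s%s:%s\n" \
    "$prefix" "$collector_ip" "$collector_port"
}

# Return 0 if the given rsyslog.conf already loads the /etc/rsyslog.d drop-in
# directory (legacy $IncludeConfig or RainerScript include() form). If it
# does, a second include of pgsql-to-siem.conf would forward every event twice.
rsyslog_includes_dropin_dir() {
  local conf="${1:-/etc/rsyslog.conf}"
  grep -Eq '^[[:space:]]*(\$IncludeConfig[[:space:]]+/etc/rsyslog\.d/\*\.conf|include\(file="/etc/rsyslog\.d/\*\.conf"\))' "$conf"
}

# Write the rule to the drop-in file and return 0 only if the file now
# contains exactly that rule.
write_pgsql_rule() {
  local collector_ip="$1" collector_port="$2" proto="$3" target="$4"
  render_pgsql_rule "$collector_ip" "$collector_port" "$proto" > "$target"
  [ "$(cat "$target")" = "$(render_pgsql_rule "$collector_ip" "$collector_port" "$proto")" ]
}

# Full procedure (needs root): write the drop-in, make sure the main config
# loads it exactly once, disable repeated-message reduction, syntax-check,
# restart rsyslog and emit a test event with the PostgreSQL tag.
apply_pgsql_forwarding() {
  local collector_ip="$1" collector_port="$2" proto="${3:-udp}"
  local main_conf="/etc/rsyslog.conf" dropin="/etc/rsyslog.d/pgsql-to-siem.conf"

  write_pgsql_rule "$collector_ip" "$collector_port" "$proto" "$dropin"

  if ! rsyslog_includes_dropin_dir "$main_conf"; then
    echo "\$IncludeConfig $dropin" >> "$main_conf"
  fi
  if ! grep -Eq '^[[:space:]]*\$RepeatedMsgReduction[[:space:]]+off' "$main_conf"; then
    echo '$RepeatedMsgReduction off' >> "$main_conf"
  fi

  # rsyslogd -N1 parses the configuration without starting the daemon;
  # a syntax error here aborts the script before the running service is touched.
  rsyslogd -N1
  systemctl restart rsyslog.service

  # Same tag PostgreSQL uses, so the rule above selects it; the event should
  # show up on the collector at collector_ip:collector_port.
  logger -t postgres "pgsql-to-siem test event from $(hostname)"
}

# Run as: sudo ./pgsql-to-siem.sh apply 192.168.1.5 1514 tcp
if [ "${1:-}" = "apply" ]; then
  shift
  apply_pgsql_forwarding "$@"
fi
```

Run the script with the apply argument as root; without it, the functions are only defined, which is what the checks below rely on. Both @ and @@ carry syslog in clear text, so keep the path between the PostgreSQL host and the collector on a trusted network segment and open only the collector port on the firewall.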
