Configuring a Syslog server to send events
The rsyslog service is used to transmit events from the server to KUMA.
To configure the sending of events from the server where PostgreSQL is installed to the collector:
- To verify that the rsyslog service is installed on the event source server, run the following command as administrator:
sudo systemctl status rsyslog.service
If the rsyslog service is not installed on the server, install it by executing the following commands:
yum install rsyslog
sudo systemctl enable rsyslog.service
sudo systemctl start rsyslog.service
- In the /etc/rsyslog.d/ directory, create a pgsql-to-siem.conf file with the following content:
If $programname contains 'Postgres' then @<
IP address of the collector
>:<
port of the collector
>
For example:
If $programname contains 'Postgres' then @192.168.1.5:1514
If you want to send events via TCP, the contents of the file must be as follows:
If $programname contains 'Postgres' then @@<
IP address of the collector
>:<
port of the collector
>
Save changes to the pgsql-to-siem.conf configuration file.
- Add the following lines to the /etc/rsyslog.conf configuration file:
$IncludeConfig /etc/pgsql-to-siem.conf
$RepeatedMsgReduction off
Save changes to the /etc/rsyslog.conf configuration file.
- Restart the rsyslog service by executing the following command:
sudo systemctl restart rsyslog.service