Install the Remote Collector for Linux
A remote collector collects, compresses, and encrypts log data from the configured remote machines to send directly to Alert Logic. For more information on the system requirements for a remote collector, see Requirements for the Alert Logic Remote Collector.
A remote collector can only collect syslog data.
A remote collector is useful because:
- A remote collector can be installed on a Windows machine or a Linux machine.
- A remote collector can be upgraded remotely.
- A remote collector does not require a virtual VMware instance, unlike a virtual appliance.
- Hosts without an agent can send syslog data to Alert Logic via a remote collector.
- Log status is reported directly to Alert Logic.
Data Center deployments only
For Data Center deployments, you must locate and copy your Unique Registration Key, which you need to install the remote collector.
Alert Logic uses the Unique Registration Key to specify where the remote collector is located.
To access your Unique Registration Key:
- In the Alert Logic console, open the relevant Data Center deployment.
- Under Configuration Overview, click Installation Instructions.
- Copy your Unique Registration Key.
You can install the Alert Logic universal agent and syslog remote collector on the same host. This will allow the syslog remote collector to collect forwarded logs, while the universal agent collects local logs and network traffic for Network IDS and audit purposes. This setup ensures that the syslog remote collector host is protected the same way as all your other assets in a deployment.
After you install the syslog remote collector, you must adjust any active network policies (such as SELinux, iptables, and security groups) to allow incoming connections on the port specified in the default syslog remote collector policy. Alert Logic recommends restricting these policies to allow connections only from specific hosts or private networks. For details on configuring SELinux, see Install the agent.
The remote collector listens on TCP/UDP 1515 by default, but this can be changed in the System Log Policy.
Download a remote collector
To download the agent, select the link of the desired agent installers:
Agent Installer | Processor | Link |
---|---|---|
Debian | 32-bit | Latest syslog remote collector for Linux (32-bit Debian format) |
Debian | 64-bit | Latest syslog remote collector for Linux (64-bit Debian format) |
Debian | 64-bit ARM | Latest syslog remote collector for Linux (64-bit ARM Debian format) |
RPM | 32-bit | Latest syslog remote collector for Linux (32-bit RPM format) |
RPM | 64-bit | Latest syslog remote collector for Linux (64-bit RPM format) |
RPM | 64-bit ARM | Latest syslog remote collector for Linux (64-bit ARM RPM format) |
Install the remote collector
Install for RPM-based distributions
To install a remote collector:
- Download the RPM package to the target machine.
- For Amazon Web Services (AWS) and Microsoft Azure deployments, run the following commands and replace <version> with the desired version.
- rpm -U al-log-syslog-<version>*.rpm
- /etc/init.d/al-log-syslog provision
- /etc/init.d/al-log-syslog start
- For Data Center deployments, run the following commands and replace <version> and <UNIQUEREGISTRATIONKEY> with the desired version and your Unique Registration Key, respectively.
- rpm -U al-log-syslog-<version>*.rpm
- /etc/init.d/al-log-syslog provision --key <UNIQUEREGISTRATIONKEY>
- /etc/init.d/al-log-syslog start
- Direct all syslogs to the remote collector on inbound port 1515.
- If you use an rsyslog daemon, add the following line to rsyslog.conf:
*.* @@yourIPaddress:1515;RSYSLOG_FileFormatThis configuration will direct your local syslog to the remote collector on TCP port 1515.
- If you use a syslog-ng daemon, add the following lines to syslog-ng.conf
- destination
- d_alertlogic {tcp("yourIPaddress" port(1515));};
- log { source(s_src); yourIPaddress(d_alertlogic); };
This configuration will direct your local syslog to the remote collector on TCP port 1515.
Install for Debian-based distributions
To install a remote collector:
- Download the Debian package to the target machine.
- For AWS and Azure deployments, run the following commands and replace <version> with the desired version.
- dpkg -i al-log-syslog-<version>*.deb
- /etc/init.d/al-log-syslog provision
- /etc/init.d/al-log-syslog start
- For Data Center deployments, run the following commands and replace <version> and <UNIQUEREGISTRATIONKEY> with the desired version and your Unique Registration Key, respectively.
- dpkg -i al-log-syslog-<version>*.deb
- /etc/init.d/al-log-syslog provision --key <UNIQUEREGISTRATIONKEY>
- /etc/init.d/al-log-syslog start
- If you use an rsyslog daemon, add the following line to rsyslog.conf to configure your syslog device to forward logs to port 1515: *.* @@yourIPaddress:1515;RSYSLOG_FileFormat
- If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
- destination d_alertlogic {tcp("yourIPaddress" port(1515));};
- log { source(s_src); yourIPaddress(d_alertlogic); };
This configuration will direct your local syslog to the remote collector on TCP port 1515.