Install the Remote Collector for Linux

About remote collectors

A remote collector collects, compresses, and encrypts log data from the configured remote machines to send directly to Alert Logic.

A remote collector can only collect syslog data.

A remote collector is useful because:

  • A remote collector can be installed on a Windows machine or a Linux machine.
  • A remote collector can be upgraded remotely.
  • A remote collector does not require a virtual VMware instance, unlike a virtual appliance.
  • Hosts without an agent can send syslog data to Alert Logic via a remote collector.
  • Log status is reported directly to Alert Logic.

Data Center deployments only

For Data Center deployments, you must locate and copy your Unique Registration Key, which you need to install the remote collector.

Alert Logic uses the Unique Registration Key to assign the agent to your Alert Logic account.

To access your Unique Registration Key:

  1. In the Alert Logic console, click the CONFIGURATION tab, and then open the relevant data center deployment.
  2. Under Configuration Overview, click Installation Instructions.
  3. Copy your Unique Registration Key.

You can install the Alert Logic universal agent and syslog remote collector on the same host. This will allow the syslog remote collector to collect forwarded logs, while the universal agent collects local logs and network traffic for Network IDS and audit purposes. This setup ensures that the syslog remote collector host is protected the same way as all your other assets in a deployment.

When a universal agent and a syslog remote collector are installed on the same host, you must change the default syslog listen port (set to 1514) of the default syslog remote collector policy (or a custom syslog policy attached to the remote collector) to avoid port conflicts between the collectors. For more information about syslog policies, see Log Management Syslog Policies.

After you install the syslog remote collector, you must adjust any active network policies (such as SELinux, iptables, and security groups) to allow incoming connections on the port specified in the default syslog remote collector policy. Alert Logic recommends restricting these policies to allow connections only from specific hosts or private networks. For details on configuring SELinux, see Install the agent.
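A pre-flight check for the two points above, added here as an example and not part of the Alert Logic package: it parses ss -ltn output to detect a listener already bound to the collector port (the conflict that arises when a universal agent shares the host) and prints iptables rules that limit inbound 1514 to named hosts or private networks. The ss sample, the 10.0.0.0/24 network and the helper names are constructed for this example.

```shell
#!/bin/sh
# Added pre-flight check (example code, not part of the Alert Logic package).
# Assumes: the collector will listen on TCP 1514 (the default syslog policy port),
# `ss -ltn` is available on the host, and iptables is the active firewall.

# port_in_use PORT: reads `ss -ltn` output on stdin, returns 0 if PORT already
# has a TCP listener (for example the universal agent on the same host), else 1.
port_in_use() {
    awk -v p="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit !found }'
}

# restrict_port_rules PORT CIDR...: prints iptables rules that accept TCP PORT
# only from the listed hosts or private networks and drop everything else.
restrict_port_rules() {
    port="$1"; shift
    for cidr in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Constructed `ss -ltn` sample: 1514 is already bound, so the default policy port
# must be changed before the remote collector is started on this host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:1514          [::]:*'

COLLECTOR_PORT=1514
if printf '%s\n' "$SAMPLE_SS" | port_in_use "$COLLECTOR_PORT"; then
    echo "TCP $COLLECTOR_PORT is already in use: change the syslog policy listen port first"
else
    # Constructed value: allow only the 10.0.0.0/24 segment to reach the collector.
    restrict_port_rules "$COLLECTOR_PORT" 10.0.0.0/24
fi
```

Run port_in_use against live ss -ltn output on the collector host before the provision step; the printed rules are a starting point to review, not to apply blindly.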

Download a remote collector

To download the remote collector, select the link for the desired installer:

Agent Installer   Processor   Link
Debian            32-bit      Latest syslog remote collector for Linux (32-bit Debian format)
Debian            64-bit      Latest syslog remote collector for Linux (64-bit Debian format)
RPM               32-bit      Latest syslog remote collector for Linux (32-bit RPM format)
RPM               64-bit      Latest syslog remote collector for Linux (64-bit RPM format)

Install the remote collector

Install for RPM-based distributions

To install a remote collector:

  1. Download the RPM package to the target machine.
  2. Run the following commands, replacing <version> and <UNIQUEREGISTRATIONKEY> with the desired version and your Unique Registration Key, respectively:
    • rpm -U al-log-syslog-<version>*.rpm
    • /etc/init.d/al-log-syslog provision --key <UNIQUEREGISTRATIONKEY>
    • /etc/init.d/al-log-syslog start
  3. Direct all syslogs to the remote collector on inbound port 1514.
  4. If you use an rsyslog daemon, add the following line to rsyslog.conf, where yourIPaddress is the address of the remote collector host:
    • *.* @@yourIPaddress:1514;RSYSLOG_FileFormat
  5. If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
    • destination d_alertlogic {tcp("yourIPaddress" port(1514));};
    • log { source(s_src); destination(d_alertlogic); };

Either configuration directs your local syslog to the remote collector on TCP port 1514.

Install for Debian-based distributions

To install a remote collector:

  1. Download the Debian package to the target machine.
  2. Run the following commands, replacing <version> and <UNIQUEREGISTRATIONKEY> with the desired version and your Unique Registration Key, respectively:
    • dpkg -i al-log-syslog-<version>*.deb
    • /etc/init.d/al-log-syslog provision --key <UNIQUEREGISTRATIONKEY>
    • /etc/init.d/al-log-syslog start
  3. If you use an rsyslog daemon, add the following line to rsyslog.conf to forward logs to the remote collector on port 1514, where yourIPaddress is the address of the remote collector host:
    • *.* @@yourIPaddress:1514;RSYSLOG_FileFormat
  4. If you use a syslog-ng daemon, add the following lines to syslog-ng.conf:
    • destination d_alertlogic {tcp("yourIPaddress" port(1514));};
    • log { source(s_src); destination(d_alertlogic); };

Either configuration directs your local syslog to the remote collector on TCP port 1514.