Linux System Logs

This package contains a parser for Linux system logs collected from /var/log/ and sent to LogScale.

Prerequisites

The parser assumes all timestamps are in UTC. Traditional syslog timestamps carry no time zone indicator, so the system time zone should be set to UTC for events to be timestamped correctly.

Installing the Package in LogScale

Find the repository in which you want to install the package, or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for Linux System Logs (i.e. linux/system-logs).

  3. When the package has finished installing, click Ingest tokens on the left, still under Settings.

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g. the name of the server the token is ingesting logs for), and leave the parser unassigned.

    Before leaving this page, view the ingest token and copy it to your clipboard or save it temporarily elsewhere.

  5. Add the following snippet to your LogScale Collector configuration, replacing the placeholders <repository_name>, <repository_ingest_token> and <LogScale URL ex. https://cloud.community.humio.com/> with your own values. See Configure Falcon Log Collector for more information.

    ```yaml
    sources:
      auth_log:
        type: file
        include: /var/log/auth*
        exclude: /var/log/*.gz
        transforms:
          - type: static_fields
            fields:
              log_source: auth
        sink: <repository_name>

      syslog_log:
        type: file
        include: /var/log/syslog
        transforms:
          - type: static_fields
            fields:
              log_source: system
        sink: <repository_name>

      audit_log:
        type: file
        include: /var/log/audit/*
        exclude: /var/log/audit/*.gz
        transforms:
          - type: static_fields
            fields:
              log_source: audit
        sink: <repository_name>

      secure_log:
        type: file
        include: /var/log/secure
        transforms:
          - type: static_fields
            fields:
              log_source: auth
        sink: <repository_name>

      messages_log:
        type: file
        include: /var/log/messages
        transforms:
          - type: static_fields
            fields:
              log_source: system
        sink: <repository_name>

    sinks:
      <repository_name>:
        type: humio
        token: <repository_ingest_token>
        url: <LogScale URL ex. https://cloud.community.humio.com/>
    ```

  6. Now that you have a repository set up in LogScale along with an ingest token, you're ready to send events to LogScale.
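The collector configuration above is edited by hand, which is where an unreplaced placeholder or a misspelled sink name slips in and silently stops events from arriving. The following shell script is an added example, not part of the linux/system-logs package or of the Falcon Log Collector, that checks a config file in the layout shown above before it is deployed: no template placeholders remain, every sink a source references is defined under sinks:, and every file source carries a log_source static field. It assumes the one-key-per-line layout above (it is a line-oriented check, not a YAML parser); the two sample configs, the sink name linux_logs and the token value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the linux/system-logs package: line-oriented
# sanity checks for a Falcon Log Collector config in the layout shown above.
# Assumes one key per line and consistent indentation; it is not a YAML parser.
check_collector_config() {
  cfg="$1"
  rc=0

  # 1. Template placeholders such as <repository_name> still in the file
  if grep -nE '<[^>]+>' "$cfg" >&2; then
    echo "ERROR: template placeholders not replaced" >&2
    rc=1
  fi

  # 2. Every sink a source references ("sink: NAME") must be defined as
  #    "NAME:" one indentation level below the "sinks:" key
  referenced=$(awk '$1 == "sink:" { print $2 }' "$cfg" | sort -u)
  defined=$(awk '
    /^[ \t]*sinks:[ \t]*$/ { in_sinks = 1; parent = match($0, /[^ \t]/); child = 0; next }
    in_sinks {
      if ($0 ~ /^[ \t]*$/) next                # blank line
      d = match($0, /[^ \t]/)
      if (d <= parent) { in_sinks = 0; next }  # left the sinks block
      if (child == 0) child = d                # first child fixes the indent
      if (d == child && $0 ~ /^[ \t]*[^ \t:]+:[ \t]*$/) {
        name = $0; sub(/^[ \t]*/, "", name); sub(/:[ \t]*$/, "", name); print name
      }
    }' "$cfg" | sort -u)
  for s in $referenced; do
    if ! printf '%s\n' "$defined" | grep -qxF -- "$s"; then
      echo "ERROR: source references undefined sink '$s'" >&2
      rc=1
    fi
  done

  # 3. Heuristic: each "type: file" source should carry one log_source field,
  #    otherwise its events arrive untagged
  n_sources=$(grep -cE '^[ \t]*type:[ \t]*file[ \t]*$' "$cfg" || true)
  n_tagged=$(grep -cE '^[ \t]*log_source:' "$cfg" || true)
  if [ "$n_sources" -ne "$n_tagged" ]; then
    echo "ERROR: $n_sources file sources but $n_tagged log_source fields" >&2
    rc=1
  fi
  return "$rc"
}

# Constructed sample: two of the package's sources with the placeholders
# filled in (sink name and token are made up for the demo)
sample_good_config() {
  cat <<'EOF'
sources:
  auth_log:
    type: file
    include: /var/log/auth*
    exclude: /var/log/*.gz
    transforms:
      - type: static_fields
        fields:
          log_source: auth
    sink: linux_logs
  syslog_log:
    type: file
    include: /var/log/syslog
    transforms:
      - type: static_fields
        fields:
          log_source: system
    sink: linux_logs
sinks:
  linux_logs:
    type: humio
    token: 00000000-0000-0000-0000-000000000000
    url: https://cloud.community.humio.com/
EOF
}

# Constructed sample with three defects: a leftover placeholder, a sink that
# is never defined, and a source without a log_source field
sample_bad_config() {
  cat <<'EOF'
sources:
  auth_log:
    type: file
    include: /var/log/auth*
    sink: <repository_name>
sinks:
  linux_logs:
    type: humio
    token: 00000000-0000-0000-0000-000000000000
    url: https://cloud.community.humio.com/
EOF
}

# Demo: good.yaml passes, bad.yaml reports its three errors on stderr
demo() {
  dir=$(mktemp -d)
  sample_good_config > "$dir/good.yaml"
  sample_bad_config > "$dir/bad.yaml"
  for f in good bad; do
    if check_collector_config "$dir/$f.yaml"; then echo "$f.yaml: OK"; else echo "$f.yaml: FAILED"; fi
  done
  rm -rf "$dir"
}
demo
```

Run it against your real file with `check_collector_config /path/to/config.yaml` before restarting the collector; a non-zero exit with the reasons on stderr is cheaper to act on than an empty repository.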

Verify Data is Arriving in LogScale

Once you have completed the above steps, the data should be arriving in your LogScale repository.

You can verify this with a simple search for #type = "linux-systemlogs" to see the events. The log_source field set in the collector configuration (auth, system or audit) lets you narrow the search to one log source.