Configuring syslog for audit logs

If you want the SOAR Platform to send audit log messages to Syslog, you must configure the Syslog service. You can set up Syslog to work for logging on the server on which the SOAR Platform is installed (local server) or you can configure Syslog for a remote server.

About this task

To configure the Syslog service for audit logging on the local server, complete a procedure similar to the following example.

For details about how to set up Syslog for logging to a remote server, see the Red Hat® documentation.

Procedure

  1. Open the rsyslog.conf file, which is located in the /etc directory, as follows.
    sudo vi /etc/rsyslog.conf
  2. Uncomment the following lines in the rsyslog.conf file by removing the leading # from each line. The lines load the UDP and TCP input modules and start listeners on port 514.
    #$ModLoad imudp
    #$UDPServerRun 514
    #$ModLoad imtcp
    #$InputTCPServerRun 514
  3. Restart rsyslog so that the change takes effect by running the following command.
    systemctl restart rsyslog.service
  4. Verify that rsyslog is listening on port number 514 by running the following command.
    sudo netstat -antup | grep 514
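The following shell script is an added example and is not part of the IBM SOAR documentation. It applies the step 2 edit to a copy of rsyslog.conf so that the change can be reviewed before it is applied to /etc/rsyslog.conf, counts how many of the four directives are active, and tightens the step 4 check so that only sockets bound to port 514 are reported. The sample configuration and the sample netstat output are constructed for the example; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM SOAR documentation. Works on a copy of
# rsyslog.conf and on captured netstat output, so it never touches /etc.

# Constructed sample of the relevant part of a default rsyslog.conf.
SAMPLE_CONF='# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none  /var/log/messages'

# enable_syslog_listeners FILE
# Removes the leading "#" from exactly the four directives named in step 2.
# Any other commented line is left as it is. The file is rewritten through a
# temporary copy so the function behaves the same with GNU and BSD sed.
enable_syslog_listeners() {
  f=$1
  sed -e 's/^#\$ModLoad imudp$/$ModLoad imudp/' \
      -e 's/^#\$UDPServerRun 514$/$UDPServerRun 514/' \
      -e 's/^#\$ModLoad imtcp$/$ModLoad imtcp/' \
      -e 's/^#\$InputTCPServerRun 514$/$InputTCPServerRun 514/' \
      "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# count_enabled_listeners FILE
# Prints how many of the four directives are active (0 to 4). A result of 4
# means the step 2 edit is complete; anything less means a line was missed.
count_enabled_listeners() {
  awk '/^\$(ModLoad imudp|UDPServerRun 514|ModLoad imtcp|InputTCPServerRun 514)$/ { n++ }
       END { print n + 0 }' "$1"
}

# listeners_on_514 < NETSTAT_OUTPUT
# Reads "netstat -antup" style output on stdin and prints only the lines whose
# local address column (field 4) ends in ":514". A plain "grep 514" also
# matches port 1514, port 5140, and any PID that happens to contain 514.
listeners_on_514() {
  awk '$4 ~ /:514$/'
}

# Worked run against the constructed sample (does not touch /etc).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$tmp"
echo "active listener directives before: $(count_enabled_listeners "$tmp")"
enable_syslog_listeners "$tmp"
echo "active listener directives after:  $(count_enabled_listeners "$tmp")"
rm -f "$tmp"

# On the real server the same check is: sudo netstat -antup | listeners_on_514
```

To use it on the server, copy /etc/rsyslog.conf to a scratch location, run enable_syslog_listeners on the copy, confirm count_enabled_listeners reports 4 and that a diff against the original shows only the four expected lines, then copy the file back and restart rsyslog as in step 3.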