Syslog is the most common method for collecting logs from network devices, security appliances, and Unix/Linux systems. UTMStack provides syslog receivers with support for multiple protocols and formats.
Syslog ports and protocols
UTMStack listens for syslog on these ports:
Port   Protocol   Use case
514    UDP        Standard syslog (RFC 3164)
514    TCP        Reliable syslog delivery
6514   TCP/TLS    Encrypted syslog (recommended)
UDP syslog gives no delivery guarantee: messages are silently dropped under load or while the receiver is down, nothing is encrypted, and the source address is trivially spoofable. Use TCP, or preferably TLS on port 6514, in production environments.
Cisco devices
Configure Cisco routers, switches, and ASA firewalls:
! Configure logging to UTMStack
logging host utm-server.company.com transport tcp port 514
logging trap informational
logging facility local6
logging source-interface GigabitEthernet0/0
! Console and terminal (vty) logging levels
logging console warnings
logging monitor informational
! Millisecond timestamps and sequence numbers make gaps and reordering visible on the collector
service timestamps log datetime msec
service sequence-numbers
Cisco ASA firewall:
logging enable
logging timestamp
logging trap informational
logging host inside utm-server.company.com tcp/514
logging permit-hostdown
logging permit-hostdown matters when TCP is used: by default the ASA stops permitting new connections once its TCP syslog server becomes unreachable, and this command lets traffic continue instead.
Fortinet FortiGate
Configure FortiGate firewalls to send logs via syslog. set mode reliable switches the transport from the default UDP to TCP (RFC 6587 framing), and set source-ip should be the FortiGate interface address that can reach UTMStack:
config log syslogd setting
set status enable
set server "utm-server.company.com"
set port 514
set mode reliable
set facility local7
set source-ip 192.168.1.1
end
config log syslogd filter
set severity information
end
Palo Alto Networks
Configure Palo Alto firewalls:
1. Navigate to Device → Server Profiles → Syslog and create a new syslog server profile
2. Add the UTMStack server:
- Name: UTMStack
- Syslog Server: utm-server.company.com
- Transport: TCP
- Port: 514
- Format: BSD
- Facility: LOG_USER
3. Navigate to Objects → Log Forwarding and create profiles for:
- Traffic logs
- Threat logs
- URL filtering logs
- Data filtering logs
4. Edit security policies and assign the log forwarding profile
pfSense
Configure pfSense firewall syslog:
1. Navigate to Status → System Logs → Settings
2. Enable "Send log messages to remote syslog server"
3. Remote log servers: utm-server.company.com:514 (pfSense forwards remote syslog over UDP only, so the UTMStack 514/udp receiver must be reachable)
4. Select log contents to send:
- Firewall Events
- DHCP Events
- VPN Events
- Gateway Events
Linux systems
Configure rsyslog on Linux, for example in /etc/rsyslog.d/utm.conf. A single @ forwards over UDP, @@ over TCP:
# Forward all logs to UTMStack via TCP
*.* @@utm-server.company.com:514
# Or forward only auth logs
auth,authpriv.* @@utm-server.company.com:514
# Forward with TLS encryption (needs the UTMStack CA certificate on this host and the rsyslog-gnutls package on Debian/Ubuntu)
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/utm/ca-cert.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer utm-server.company.com
*.* @@utm-server.company.com:6514
Validate the configuration, then restart rsyslog:
sudo rsyslogd -N1
sudo systemctl restart rsyslog
Windows Event Log forwarding
For Windows, use the UTMStack agent for better integration. Alternatively, ship the Windows event logs with Winlogbeat; note that it sends to the Beats/Logstash input on port 5044, not to the syslog receiver:
# Write a Winlogbeat configuration that forwards the main channels plus Sysmon
$wlb = @"
winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System
  - name: Microsoft-Windows-Sysmon/Operational
output.logstash:
  hosts: ["utm-server.company.com:5044"]
"@
# Windows PowerShell 5.1 writes UTF-16 by default, which the YAML parser rejects; force a BOM-free encoding
$wlb | Out-File -FilePath "C:\Program Files\Winlogbeat\winlogbeat.yml" -Encoding ASCII
TLS encryption for syslog
Secure syslog transmission with TLS:
Generate certificates
# On the UTMStack server, generate a CA and a server certificate signed by it.
# Keep ca-key.pem on the server only; clients receive nothing but ca-cert.pem.
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 \
-keyout /etc/utm/certs/ca-key.pem \
-out /etc/utm/certs/ca-cert.pem \
-subj "/CN=UTMStack CA"
openssl req -nodes -newkey rsa:4096 \
-keyout /etc/utm/certs/server-key.pem \
-out /etc/utm/certs/server-req.pem \
-subj "/CN=utm-server.company.com"
openssl x509 -req -days 3650 \
-in /etc/utm/certs/server-req.pem \
-CA /etc/utm/certs/ca-cert.pem \
-CAkey /etc/utm/certs/ca-key.pem \
-CAcreateserial \
-out /etc/utm/certs/server-cert.pem
Client configuration in /etc/rsyslog.d/utm-tls.conf (the gtls driver comes from the rsyslog-gnutls package on Debian/Ubuntu):
# Load required modules
$ModLoad imuxsock
# imtcp is only needed if this host also receives TCP syslog; forwarding does not use it
$ModLoad imtcp
# Configure TLS: the CA file is the ca-cert.pem generated above, copied to the client
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/utm/ca-cert.pem
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer utm-server.company.com
# Forward with TLS
*.* @@utm-server.company.com:6514
Distribute the CA certificate (ca-cert.pem, never ca-key.pem) to every syslog client at the path named in DefaultNetstreamDriverCAFile. With x509/name the client accepts only a server certificate that chains to that CA and whose CN (or SAN) matches the PermittedPeer, so the server certificate must be issued for utm-server.company.com.
Supported syslog formats
UTMStack supports these syslog formats:
RFC 3164 (BSD syslog)
<34>Mar 3 12:45:23 firewall-01 %ASA-4-106023: Deny tcp src inside:10.1.1.100/54321 dst outside:203.0.113.10/443 by access-group "inside_in" [0x0, 0x0]
RFC 5424 (Structured syslog)
<165>1 2024-03-03T12:45:23.123Z firewall-01 sshd 1234 ID47 [timeQuality tzKnown="1" isSynced="1"] Failed password for admin from 192.168.1.50 port 54321 ssh2
CEF (Common Event Format), normally carried behind an RFC 3164 or RFC 5424 header by the sending device
CEF:0|Fortinet|FortiGate|6.4.7|traffic|forward|5|src=192.168.1.100 dst=203.0.113.10 spt=54321 dpt=443 proto=tcp act=deny
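To see what a receiver has to do with each of these three formats, here is an added example parser (written for this page, not UTMStack's own parser): it decodes the PRI into facility and severity, recognises RFC 5424 by its version field and structured data, RFC 3164 by its BSD timestamp and tag, and CEF by its header, including CEF wrapped in a syslog header. The sample lines are constructed from the examples above; the fgt-01 host and the field names in the result are this example's own choices.

```python
"""Added example: parse RFC 3164, RFC 5424 and CEF syslog lines. Not UTMStack code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Facility and severity names, RFC 5424 section 6.2.1
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.DOTALL)
SD_RE = re.compile(r'\[(\S+?)((?: [^\]= ]+="(?:[^"\\]|\\.)*")*)\]')
PARAM_RE = re.compile(r'(\S+)="((?:[^"\\]|\\.)*)"')
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$", re.DOTALL)
TAG_RE = re.compile(r"^(?P<app>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$", re.DOTALL)
CEF_RE = re.compile(r"CEF:(?P<body>\d+\|.*)$", re.DOTALL)
CEF_KEY_RE = re.compile(r"(?:^| )(\w+)=")


@dataclass
class SyslogEvent:
    fmt: str                      # "rfc3164", "rfc5424" or "cef"
    facility: Optional[str]
    severity: Optional[str]
    host: Optional[str]
    app: Optional[str]
    msg: str
    fields: dict = field(default_factory=dict)


def decode_pri(line):
    """Split <PRI> off the front; PRI = facility * 8 + severity, at most 191."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return None, None, line
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], line[m.end():]


def parse_sd(sd):
    """RFC 5424 STRUCTURED-DATA -> {sd_id: {param: value}}; '-' means none."""
    return {m.group(1): {k: v.replace('\\"', '"') for k, v in PARAM_RE.findall(m.group(2))}
            for m in SD_RE.finditer(sd)}


def parse_cef_extension(ext):
    """CEF extension values may contain spaces, so cut at the next 'key=' token, not at whitespace."""
    keys = list(CEF_KEY_RE.finditer(ext))
    return {m.group(1): ext[m.end():(keys[i + 1].start() if i + 1 < len(keys) else len(ext))]
            for i, m in enumerate(keys)}


def parse(line):
    facility, severity, rest = decode_pri(line.rstrip("\r\n"))
    nil = lambda v: None if v == "-" else v

    m = CEF_RE.search(rest)                      # CEF may sit behind a syslog header
    if m:
        header = re.split(r"(?<!\\)\|", m.group("body"), maxsplit=7)   # '\|' is an escaped pipe
        if len(header) != 8:
            raise ValueError("malformed CEF header")
        _, vendor, product, version, sig_id, name, cef_sev, ext = header
        prefix = rest[:m.start()].split()        # header tokens before CEF:, host is the last one
        fields = {"vendor": vendor, "product": product, "version": version,
                  "signature_id": sig_id, "cef_severity": int(cef_sev)}
        fields.update(parse_cef_extension(ext))
        return SyslogEvent("cef", facility, severity, prefix[-1] if prefix else None,
                           product, name, fields)

    m = RFC5424_RE.match(rest)
    if m:
        fields = {"timestamp": nil(m["ts"]), "procid": nil(m["pid"]),
                  "msgid": nil(m["msgid"]), "sd": parse_sd(m["sd"])}
        return SyslogEvent("rfc5424", facility, severity, nil(m["host"]), nil(m["app"]),
                           m["msg"] or "", fields)

    m = RFC3164_RE.match(rest)
    if m:
        t = TAG_RE.match(m["rest"])              # "tag[pid]: msg"; ASA uses %ASA-4-106023 as the tag
        app, msg = (t["app"], t["msg"]) if t else (None, m["rest"])
        fields = {"timestamp": m["ts"]}
        if t and t["pid"]:
            fields["procid"] = t["pid"]
        return SyslogEvent("rfc3164", facility, severity, m["host"], app, msg, fields)

    raise ValueError(f"unrecognised syslog line: {line[:60]!r}")


# Constructed sample lines: the three formats on this page, plus CEF behind a 3164 header
SAMPLES = [
    '<34>Mar  3 12:45:23 firewall-01 %ASA-4-106023: Deny tcp src inside:10.1.1.100/54321 '
    'dst outside:203.0.113.10/443 by access-group "inside_in" [0x0, 0x0]',
    '<165>1 2024-03-03T12:45:23.123Z firewall-01 sshd 1234 ID47 '
    '[timeQuality tzKnown="1" isSynced="1"] Failed password for admin from 192.168.1.50 port 54321 ssh2',
    '<134>Mar  3 12:45:24 fgt-01 CEF:0|Fortinet|FortiGate|6.4.7|traffic|forward|5|'
    'src=192.168.1.100 dst=203.0.113.10 spt=54321 dpt=443 proto=tcp act=deny',
]

if __name__ == "__main__":
    for line in SAMPLES:
        e = parse(line)
        print(f"{e.fmt:8} {e.facility}.{e.severity} host={e.host} app={e.app} fields={e.fields}")
```

A line that reaches the final ValueError is what ends up under "Logs received but not parsed": the receiver got bytes, but no header matched. The usual causes are a device sending CEF without a syslog header (handled above by treating the header as optional) or a BSD timestamp in an unexpected locale.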
Verify syslog reception
Test syslog connectivity from any Linux host (logger -n sends over UDP unless -T selects TCP):
# Send a test syslog message over UDP
logger -n utm-server.company.com -P 514 -t test "Test message from $(hostname)"
# Send via TCP
logger -n utm-server.company.com -P 514 -T -t test "Test TCP message"
# Monitor the UTMStack syslog receiver on the server
tail -f /var/log/utm/syslog-receiver.log
Verify in UTMStack UI:
Navigate to Data Sources → Status
Check for your device in active sources
View recent logs in Discover or Log Analyzer
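The logger commands above only show whether a message arrives. The following added example (written for this page, not part of UTMStack) shows what a TCP sender actually puts on the wire: it builds an RFC 5424 message and sends it with both framings from RFC 6587, octet counting (used by FortiGate's reliable mode) and newline-delimited non-transparent framing (rsyslog's @@ default). A loopback receiver stands in for UTMStack's 514/tcp listener, so it runs without a UTMStack server; the hostname, app name and PRI value are constructed for the demo.

```python
"""Added example: TCP syslog framing end to end over loopback. Not UTMStack code."""
import re
import socket
import threading
from datetime import datetime, timezone


def build_rfc5424(pri, host, app, msg, procid="-", msgid="-", ts=None):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG (no structured data)."""
    if ts is None:
        ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {host} {app} {procid} {msgid} - {msg}"


def frame(msg, octet_counting=True):
    """RFC 6587 framing: octet counting is 'LEN SP MSG' and survives newlines inside MSG;
    non-transparent framing just appends LF, so an embedded newline splits the record."""
    data = msg.encode("utf-8")
    return b"%d %s" % (len(data), data) if octet_counting else data + b"\n"


def split_frames(buf):
    """Pull complete messages out of a TCP byte stream; returns (messages, leftover bytes).
    A frame starting with digits and a space is octet-counted; otherwise it is LF-delimited."""
    msgs = []
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if m:
            start, n = m.end(), int(m.group(1))
            if len(buf) < start + n:          # partial frame: wait for more bytes
                break
            msgs.append(buf[start:start + n].decode("utf-8", "replace"))
            buf = buf[start + n:]
        else:
            nl = buf.find(b"\n")
            if nl < 0:
                break
            msgs.append(buf[:nl].decode("utf-8", "replace"))
            buf = buf[nl + 1:]
    return msgs, buf


class LoopbackReceiver:
    """Single-connection TCP receiver on 127.0.0.1, standing in for the UTMStack 514/tcp listener."""
    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))      # ephemeral port, read back below
        self.sock.listen(1)
        self.sock.settimeout(5)
        self.port = self.sock.getsockname()[1]
        self.received = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        try:
            conn, _ = self.sock.accept()
            buf = b""
            with conn:
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:             # sender closed the connection
                        break
                    buf += chunk
                    msgs, buf = split_frames(buf)
                    self.received.extend(msgs)
        finally:
            self.sock.close()

    def wait(self, timeout=5):
        self.thread.join(timeout)
        return self.received


def send_tcp(host, port, messages, octet_counting=True):
    """Send framed messages over one TCP connection, as rsyslog @@ or a FortiGate in reliable mode does."""
    with socket.create_connection((host, port), timeout=5) as s:
        for m in messages:
            s.sendall(frame(m, octet_counting))
    return len(messages)


def run_demo(octet_counting=True):
    """Send a plain message and one with an embedded newline; return what the receiver reconstructed."""
    rx = LoopbackReceiver()
    ts = "2024-03-03T12:45:23.123Z"           # fixed timestamp so the output is reproducible
    msgs = [build_rfc5424(14, "host-a", "utm-test", "Test message", ts=ts),
            build_rfc5424(14, "host-a", "utm-test", "first line\nsecond line", ts=ts)]
    send_tcp("127.0.0.1", rx.port, msgs, octet_counting)
    return rx.wait()


if __name__ == "__main__":
    print("octet counting :", run_demo(True))    # 2 messages, newline preserved
    print("non-transparent:", run_demo(False))   # 3 records, the last one an orphan line
```

Compare the two lists: with octet counting the multi-line message arrives intact, while with newline framing its second line arrives as a separate, header-less record, which is exactly the kind of line that later shows up in Parser Logs as unparsed. A device configured for one framing talking to a receiver that expects the other produces the same symptom.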
Troubleshooting
No logs received from device
Test network connectivity:
telnet utm-server.company.com 514
nc -zv utm-server.company.com 514
Check firewall rules:
Allow TCP/UDP 514 from source to UTMStack
Verify no ACLs blocking traffic
Verify device configuration:
# Cisco
show logging
# Fortinet
get log syslogd setting
Check UTMStack receiver:
sudo netstat -tulpn | grep 514
sudo tcpdump -i any port 514 -A
Logs received but not parsed
Check raw logs in UTMStack: Discover → Select index pattern
Review parsing errors: Management → Parser Logs
Verify log format matches expected parser
Consider creating a custom parser
TLS connection failures
Verify certificate validity from a client:
openssl s_client -connect utm-server.company.com:6514 -CAfile ca-cert.pem
Check that the server certificate CN (or SAN) matches the hostname given as PermittedPeer
Ensure the CA certificate is properly distributed and the path in DefaultNetstreamDriverCAFile is readable by rsyslog
Review the TLS configuration in rsyslog and its own error output (journalctl -u rsyslog)
Best practices
Syslog best practices:
Use TCP or TLS instead of UDP for production
Enable timestamps with millisecond precision
Configure source IP/interface to identify devices
Set appropriate severity levels (information or higher)
Test with logger command before configuring devices
Document device IP addresses and log types
Monitor syslog receiver disk space
Next steps
Custom parsers: create custom parsers for proprietary formats
Log analysis: analyze collected logs in dashboards
Alert rules: create alerts based on syslog events
NetFlow: configure NetFlow data collection