Set up network syslog monitoring | New Relic Documentation

Set up your network devices so they send syslog data to New Relic.

Add network syslog data

Prerequisites

New Relic prerequisites

A New Relic account. Don't have one? Sign up for free! No credit card required.
A New Relic account ID.
A New Relic license key.

Linux host prerequisites

If you're using linux:

SSH access to the host
Access to install/remove applications and services
Network access as defined in the network prerequisites

callout.Host-based SNMP trap receiver

To receive syslogs, KTranslate must bind to UDP 514. In a host-based install, the following command will be included during the install process. When executed, KTranslate will be run with elevated privileges.

sudo setcap cap_net_bind_service=+ep /usr/bin/ktranslate

Docker prerequisites

If you're using docker:

Docker installed in a Linux host
Ability to launch new containers via command line

Network syslog devices prerequisites

Configured network devices to send syslog to the host running the ktranslate docker container. Here's how to configure network syslog data collection in some devices:
- Checkpoint - Security Gateway. You must sign in to the User Center/PartnerMAP checkpoint.
- Cisco - ASA
- Cisco - IOS
- Cisco - Meraki
- Cisco - NX-OS
- F5 - BIG-IP
- Fortinet Fortigate
- Juniper - Junos
- Palo Alto - PAN-OS

Network security prerequisites

Check the network security prerequisites for network syslog.

Set up network syslog monitoring in New Relic

Go to one.newrelic.com > Add more data.
Scroll down until you see Network and click Syslog.
Follow the steps outlined in the guided installation process. You can use docker or linux.

one.newrelic.com > Add more data > Network > Syslog to set up Syslog data monitoring.

Here's a short video (2:56 minutes) showing how to set up network syslog monitoring:

If you prefer to do the setup manually, see the instructions below.

Here are manual instructions for setting up network syslog monitoring:

From a Linux host with Docker installed, download the ktranslate image by running one of the following:
- Docker Hub
  bash
```
$docker pull kentik/ktranslate:v2
```
- Quay.io
  bash
```
$docker pull quay.io/kentik/ktranslate:v2
```
Copy the snmp-base.yaml file to the local $HOME directory of your Docker user, and discard the container by running the following:
bash
```
$cd .
$id=$(docker create kentik/ktranslate:v2)
$docker cp $id:/etc/ktranslate/snmp-base.yaml .
$docker rm -v $id
```
In the snmp-base.yaml file, add your network syslog devices inside the devices key with the following structure:
```
devices:
  syslogDevice:
    device_name: edge-router
    device_ip: 10.10.1.254
    ping_only: true
    # Optional user tags
    user_tags:
      owning_team: net_eng
      environment: production
```
Tip
If you're already monitoring SNMP data devices that send network syslog, you don't need to add them in your snmp-base.yaml file a second time. The ping_only attribute used in the configuration file can optionally be replaced with flow_only to remove response time monitoring and only collect syslog messages from the host.

Run ktranslate to listen for network syslog by running:

bash

$docker run -d --name ktranslate-syslog --restart unless-stopped -p 514:5143/udp \
>  -v `pwd`/snmp-base.yaml:/snmp-base.yaml \
>  -e NEW_RELIC_API_KEY=$YOUR_NR_LICENSE_KEY \
>  kentik/ktranslate:v2 \
>    -snmp /snmp-base.yaml \
>    -nr_account_id=$YOUR_NR_ACCOUNT_ID \
>    ## If your account is located in Europe, add the following option:
$    ## -nr_region=EU \
$    ## If you want to use FedRAMP, add the following flag to use the FedRAMP authorized endpoints:
$    ## -nr_region=GOV \
$    -metrics=jchf \
>    -tee_logs=true \
>    -service_name=syslog \
>    ## Optional: To override the default listening port of "0.0.0.0:5143":
$    ## -syslog.source="<ip_address>:<port>"
$    nr1.syslog

Tip

ktranslate handles syslog in the following formats: RFC3164, RFC5424, and RFC6587.

Did this doc help with your installation?

Investigate your device syslog messages in the New Relic logs UI, using the following query:

"plugin.type":"ktranslate-syslog"

To get better visibility into your network device performance, set up SNMP data monitoring.

To get better visibility into how your network is being used, set up network flow data monitoring.