English 日本語 한국어

Log in Start now

Go to network monitoring UI

Set up network syslog monitoring

You can use our guided install process to install the syslog monitoring agent, or install the agent manually. This doc covers prerequisites to start this install process and a step-by-step walk through of your install options.

Prerequisites

Before you can start, you'll need to sign up for a New Relic account. If you choose to install the agent manually, you also need:

A New Relic account ID.
A New Relic .

If you're using Linux to install the agent as a service, you need:

SSH access to the host
Access to install/remove applications and services
One of these supported operating systems:
- CentOS 7
- CentOS 8
- Debian 12 (Bookworm)
- Debian 11 (Bullseye)
- Debian 10 (Buster)
- RedHat Enterprise Linux 9
- Ubuntu 20.04 (Focal LTS)
- Ubuntu 22.04 (Jammy LTS)
- Ubuntu 23.04 (Lunar)

Important

To receive syslog messages, the agent must bind to UDP 514. In a host-based install, the following command will be included during the install process. When executed, KTranslate will be run with elevated privileges.

sudo setcap cap_net_bind_service=+ep /usr/bin/ktranslate

Important

ktranslate handles syslog in the following formats: RFC3164, RFC5424, and RFC6587. Any messages received outside of these formats will be discarded. (Notably, this includes syslogs from Meraki, which don't align with any RFC standards.)

Source devices must be configured to send syslog messages to the host running the network monitoring agent. Here's how to configure network syslog export in some devices (this is not an all-inclusive list):
- Checkpoint - Security Gateway. You must sign in to the User Center/PartnerMAP checkpoint.
- Cisco - ASA
- Cisco - IOS
- Cisco - NX-OS
- F5 - BIG-IP
- Fortinet Fortigate
- Juniper - Junos
- Palo Alto - PAN-OS

Set up network syslog monitoring in New Relic

For most use cases, we recommended our guided install to set up network flow data monitoring. If your set up is more advanced with custom configurations, then we'd recommend installing manually.

Go to one.newrelic.com > All capabilities > Add more data.
Scroll down until you see Network and click Syslog.
Follow the steps outlined in the guided installation process. You can use Docker or Linux.

Add network syslog data

one.newrelic.com > All capabilities > Add more data > Network > Syslog to set up syslog message monitoring.

Investigate your device syslog messages in the New Relic UI, using the following query:
```
"plugin.type":"ktranslate-syslog"
```
Here's a short video (2:56 minutes) showing how to set up network syslog monitoring:

If you follow this manual installation process, support may be unable to assist you if issues arise. If you still wish to proceed, do the following:

On a Linux host with Docker installed, download the ktranslate image by running one of the following:

Docker Hub
bash
```
$docker pull kentik/ktranslate:v2
```

bash

$docker pull quay.io/kentik/ktranslate:v2

Copy the snmp-base.yaml file to the local $HOME directory of your Docker user, and discard the container by running
bash
```
$cd .
$id=$(docker create kentik/ktranslate:v2)
$docker cp $id:/etc/ktranslate/snmp-base.yaml .
$docker rm -v $id
```
Edit the snmp-base.yaml file, and add your network syslog devices inside the devices dictionary key with the following structure:
```
devices:
  # This key and the corresponding 'device_name'
  # need to be unique for each device
  edge_router:
    device_name: edge_router
    device_ip: 10.10.1.254
    ping_only: true
    # Optional user tags
    user_tags:
      owning_team: net_eng
      environment: production
```
Important
If you're already monitoring SNMP data devices that will also send network syslog, you'll want to ensure that the value for device_name is identical for both configuration files to ensure the syslog messages are attributed to the right entity in the New Relic UI.

Run ktranslate to listen for network syslog messages by running:

bash

$docker run -d --name ktranslate-syslog --restart unless-stopped --pull=always -p 162:1620/udp \
>-v `pwd`/snmp-base.yaml:/snmp-base.yaml \
># Replace with your license key
>-e NEW_RELIC_API_KEY=$YOUR_NR_LICENSE_KEY \
>kentik/ktranslate:v2 \
>  -snmp /snmp-base.yaml \
>  # Replace with your account ID
>  -nr_account_id=$YOUR_NR_ACCOUNT_ID \
>  # If your organization is located in Europe, add the following flag:
$  # -nr_region=EU \
$  # If you want to use FedRAMP, add the following flag to use the FedRAMP authorized endpoints:
$  # -nr_region=GOV \
$  -metrics=jchf \
>  -tee_logs=true \
>  # Use this field to create a unique value for `tags.container_service` inside of New Relic
>  -service_name=$UNIQUE_NAME \
>  # Optional: To override the default listening port of "0.0.0.0:5143":
$  # -syslog.source="<ip_address>:<port>" \
$  # Optional: To set a custom DNS server for IP resolution
$  # -dns="$DNS_SERVER" \
$  nr1.syslog

Investigate your device syslog messages in the New Relic UI, using the following query:
```
"plugin.type":"ktranslate-syslog"
```

Did this doc help with your installation?

What's next?

You can set up some additional agents to complement your network syslog data:

To get better visibility into your network device performance, set up SNMP data monitoring.
To get better visibility into how your network is being used, set up network flow data monitoring.