Set up network syslog monitoring | New Relic Documentation

Set up your network devices so they send syslog data to New Relic.

Prerequisites

New Relic prerequisites

A New Relic account. Don't have one? Sign up for free! No credit card required.
A New Relic account ID.
A New Relic license key.

Linux host prerequisites

SSH access to the host
Access to install/remove applications and services
Network access as defined in the network prerequisites

callout.Host-based SNMP trap receiver

To receive syslogs, KTranslate must bind to UDP 514. In a host-based install, the following command will be included during the install process. When executed, KTranslate will be run with elevated privileges.

sudo setcap cap_net_bind_service=+ep /usr/bin/ktranslate

If deployed to Docker

Docker installed in a Linux host
Ability to launch new containers via command line

Network syslog devices prerequisites

Configured network devices to send syslog to the host running the ktranslate docker container. Here's how to configure network syslog data collection in some devices:
- Checkpoint - Security Gateway. You must sign in to the User Center/PartnerMAP checkpoint.
- Cisco - ASA
- Cisco - IOS
- Cisco - Meraki
- Cisco - NX-OS
- F5 - BIG-IP
- Fortinet Fortigate
- Juniper - Junos
- Palo Alto - PAN-OS

Network security prerequisites

Direction	Source	Destination	Ports	Protocol
Outbound	Docker host only	`ktranslate` image on Docker Hub or Quay.io	443	TCP
Outbound	Linux or Docker host	New Relic Log API endpoint: US Endpoint: `https://log-api.newrelic.com` EU Endpoint: `https://log-api.eu.newrelic.com` New Relic FedRAMP API endpoints FedRAMP Endpoint: `https://gov-log-api.newrelic.com/log/v1`	443	TCP
Inbound	Source devices for syslog data	Linux or Docker host	514 (default)	UDP
Outbound	Linux host only	packagecloud.io for downloading rpm or deb packages (not required for Docker-based install)	443 (default)	TCP

Tip

The default listening port for ktranslate is port 5143 (TCP/UDP). To use the more common syslog port of 514, our guided install redirects traffic into the Docker container with the flag-p 514:5143/udp. To bind the listener to a port above 1024, add -syslog.source="0.0.0.0:<port>" to the end of the run command instead.

Set up network syslog monitoring in New Relic

Go to one.newrelic.com > Add more data.
Scroll down until you see Network and click Syslog.
Follow the steps outlined in the New Relic UI. The available installation methods are Docker or Linux package manager.

one.newrelic.com > Add more data > Network > Syslog to set up Syslog data monitoring.

Here's a short video (2:56 minutes) showing how to set up network syslog monitoring:

If you prefer to do the setup manually, see the instructions below.

Here are manual instructions for setting up network syslog monitoring:

From a Linux host with Docker installed, download the ktranslate image by running one of the following:
- Docker Hub
  bash
```
$docker pull kentik/ktranslate:v2
```
- Quay.io
  bash
```
$docker pull quay.io/kentik/ktranslate:v2
```
Copy the snmp-base.yaml file to the local $HOME directory of your Docker user, and discard the container by running the following:
bash
```
$cd .
$id=$(docker create kentik/ktranslate:v2)
$docker cp $id:/etc/ktranslate/snmp-base.yaml .
$docker rm -v $id
```
In the snmp-base.yaml file, add your network syslog devices inside the devices key with the following structure:
```
devices:
  syslogDevice:
    device_name: edge-router
    device_ip: 10.10.1.254
    ping_only: true
    # Optional user tags
    user_tags:
      owning_team: net_eng
      environment: production
```
Tip
If you're already monitoring SNMP data devices that send network syslog, you don't need to add them in your snmp-base.yaml file a second time. The ping_only attribute used in the configuration file can optionally be replaced with flow_only to remove response time monitoring and only collect syslog messages from the host.

Run ktranslate to listen for network syslog by running:

bash

$docker run -d --name ktranslate-syslog --restart unless-stopped -p 514:5143/udp \
>  -v `pwd`/snmp-base.yaml:/snmp-base.yaml \
>  -e NEW_RELIC_API_KEY=$YOUR_NR_LICENSE_KEY \
>  kentik/ktranslate:v2 \
>    -snmp /snmp-base.yaml \
>    -nr_account_id=$YOUR_NR_ACCOUNT_ID \
>    ## If your account is located in Europe, add the following option:
$    ## -nr_region=EU \
$    ## If you want to use FedRAMP, add the following flag to use the FedRAMP authorized endpoints:
$    ## -nr_region=GOV \
$    -metrics=jchf \
>    -tee_logs=true \
>    -service_name=syslog \
>    ## Optional: To override the default listening port of "0.0.0.0:5143":
$    ## -syslog.source="<ip_address>:<port>"
$    nr1.syslog

Tip

ktranslate handles syslog in the following formats: RFC3164, RFC5424, and RFC6587.

Did this doc help with your installation?

Investigate your device syslog messages in the New Relic logs UI, using the following query:

"plugin.type":"ktranslate-syslog"

To get better visibility into your network device performance, set up SNMP data monitoring.

To get better visibility into how your network is being used, set up network flow data monitoring.