You can use our guided install process to install the network syslog monitoring agent, or install the agent manually. This doc covers the prerequisites for the install and a step-by-step walkthrough of your install options.
Prerequisites
Before you can start, you'll need to sign up for a New Relic account. If you choose to install the agent manually, you also need:
If you're using Linux to install the agent as a service, you need:
SSH access to the host
Access to install/remove applications and services
One of these supported operating systems:
CentOS 7
CentOS 8
Debian 12 (Bookworm)
Debian 11 (Bullseye)
Debian 10 (Buster)
RedHat Enterprise Linux 9
Ubuntu 20.04 (Focal LTS)
Ubuntu 22.04 (Jammy LTS)
Ubuntu 23.04 (Lunar)
Important
To receive syslog messages, the agent must bind to UDP 514. Because 514 is a privileged port (below 1024), a process needs root or the CAP_NET_BIND_SERVICE capability to bind it. In a host-based install, the following command will be included during the install process; when executed, KTranslate runs with elevated privileges. The Docker install below avoids the privileged bind by publishing host port 514 to the container's unprivileged port 5143 (-p 514:5143/udp). Syslog over UDP is unauthenticated and its source address can be spoofed, so restrict the port to the subnets of your known source devices with a host firewall.
ktranslate handles syslog in the following formats automatically: RFC3164, RFC5424, and RFC6587. Any messages received outside of these formats will be discarded unless you configure the -syslog.format=NoFormat flag at runtime.
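The format check that decides whether a datagram is kept or discarded, as an added example (not ktranslate's own parser, which is not shown on this page): it recognises RFC3164 (BSD), RFC5424 (IETF) and RFC6587 octet-counted framing with regular expressions that approximate the RFCs, decodes the PRI field into facility and severity, and labels everything else NoFormat. The sample messages are constructed for the example.

```python
import re

# Added example; regexes approximate the RFC grammars and are not ktranslate's parser.
# RFC3164: <PRI>Mmm dd hh:mm:ss HOST CONTENT
RFC3164_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    rb"(?P<host>\S+) "
    rb"(?P<msg>.+)$", re.DOTALL)
# RFC5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>1 "
    rb"(?P<ts>-|\d{4}-\d\d-\d\dT\S+) "
    rb"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    rb"(?P<sd>-|(?:\[[^\]]*\])+)"
    rb"(?: (?P<msg>.*))?$", re.DOTALL)
# RFC6587 octet counting: MSG-LEN SP SYSLOG-MSG
RFC6587_RE = re.compile(rb"^(?P<len>\d+) (?P<body>.*)$", re.DOTALL)

MAX_PRI = 191  # facility 23 * 8 + severity 7
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def _match(regex, data):
    """Match and reject out-of-range PRI values."""
    m = regex.match(data)
    return m if m and int(m.group("pri")) <= MAX_PRI else None


def classify(datagram: bytes) -> str:
    """Return 'RFC6587', 'RFC5424', 'RFC3164' or 'NoFormat'."""
    framed = RFC6587_RE.match(datagram)
    if framed:
        body = framed.group("body")
        # The declared length must match, and the payload must itself be syslog.
        if len(body) == int(framed.group("len")) and classify(body) != "NoFormat":
            return "RFC6587"
    if _match(RFC5424_RE, datagram):
        return "RFC5424"
    if _match(RFC3164_RE, datagram):
        return "RFC3164"
    return "NoFormat"


def parse(datagram: bytes) -> dict:
    """Classify and extract PRI, host and message; NoFormat yields only the format."""
    fmt = classify(datagram)
    if fmt == "NoFormat":
        return {"format": fmt}
    body = RFC6587_RE.match(datagram).group("body") if fmt == "RFC6587" else datagram
    m = _match(RFC5424_RE, body) or _match(RFC3164_RE, body)
    pri = int(m.group("pri"))
    return {
        "format": fmt,
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "host": m.group("host").decode(),
        "msg": (m.group("msg") or b"").decode(errors="replace"),
    }


# Constructed sample datagrams, one per accepted format plus one free-text line.
IETF = b'<165>1 2023-10-05T22:14:15.003Z edge_router ospfd 2310 ID47 [meta seq="1"] neighbor 10.10.1.2 down'
SAMPLES = {
    "bsd": b"<34>Oct  5 22:14:15 edge_router sshd[1234]: Failed password for root from 10.10.1.7 port 51234 ssh2",
    "ietf": IETF,
    "framed": b"%d %s" % (len(IETF), IETF),
    "junk": b"interface GigabitEthernet0/1 changed state to down",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, parse(raw))
```

The "junk" line is the case the text warns about: a device that emits free-text lines without a PRI header is dropped unless ktranslate runs with -syslog.format=NoFormat.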
Source devices must be configured to send syslog messages to the host running the network monitoring agent. Here's how to configure network syslog export in some devices (this is not an all-inclusive list):
For most use cases, we recommend the guided install to set up network syslog monitoring. If your setup is more advanced, with custom configurations, install manually.
Copy the snmp-base.yaml file out of the image into the $HOME directory of your Docker user, then discard the temporary container:

```bash
cd ~
id=$(docker create kentik/ktranslate:v2)
docker cp $id:/etc/ktranslate/snmp-base.yaml .
docker rm -v $id
```
Edit the snmp-base.yaml file, and add your network syslog devices inside the devices dictionary key with the following structure:
```yaml
devices:
  # This key and the corresponding 'device_name'
  # need to be unique for each device
  edge_router:
    device_name: edge_router
    device_ip: 10.10.1.254
    ping_only: true
    # Optional user tags
    user_tags:
      owning_team: net_eng
      environment: production
```
Important
If you already monitor SNMP on a device that will also send network syslog, use the identical device_name value in both configuration files so that its syslog messages are attributed to the same entity in the New Relic UI.
Run ktranslate to listen for network syslog messages by running:

```bash
docker run -d --name ktranslate-$CONTAINER_SERVICE --restart unless-stopped --pull=always -p 514:5143/udp \
  -v `pwd`/snmp-base.yaml:/snmp-base.yaml \
  -e NEW_RELIC_API_KEY=$YOUR_NR_LICENSE_KEY \
  kentik/ktranslate:v2 \
    -snmp /snmp-base.yaml \
    -nr_account_id=$YOUR_NR_ACCOUNT_ID \
    -metrics=jchf \
    -tee_logs=true \
    -dns=local \
    -service_name=$CONTAINER_SERVICE \
    nr1.syslog
```
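An added example (not from New Relic or ktranslate) to confirm the listener end to end once the container is up: it builds an RFC5424 message, proves the UDP round trip against a throwaway local listener, then sends the same message to the collector host on the port published by the docker run command above. The hostname, app name and message text are constructed; substitute the device_name you configured.

```python
import socket
from datetime import datetime, timezone

# Added example. DEFAULT_PORT is the host port published by "-p 514:5143/udp".
DEFAULT_PORT = 514


def build_rfc5424(hostname: str, app: str, msg: str,
                  facility: int = 16, severity: int = 6, ts=None) -> bytes:
    """Build an RFC5424 datagram. Default PRI 134 = local0.info."""
    pri = facility * 8 + severity
    if ts is None:
        ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    # <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode()


def send_udp(datagram: bytes, host: str, port: int = DEFAULT_PORT) -> int:
    """Send one UDP datagram and return the byte count. UDP is connectionless:
    success here only means the kernel accepted the packet, not that the
    collector received it, which is why the round-trip check below exists."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes, timeout: float = 2.0) -> bytes:
    """Bind an ephemeral UDP port on 127.0.0.1, send the datagram to it and
    return what arrived, so the send path is verified without the collector."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        send_udp(datagram, "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
        return data


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    # Constructed test message; the hostname should match your device_name.
    msg = build_rfc5424("edge_router", "syslog-test", "ktranslate ingest check")
    assert loopback_roundtrip(msg) == msg
    sent = send_udp(msg, host)
    print(f"sent {sent} bytes to {host}:{DEFAULT_PORT}: {msg.decode()}")
```

Run it as python3 syslog_test.py <collector-host> from a machine that is allowed through the firewall, then look for the message with the query in the next step. Because the message arrives on UDP 514 from that machine's address, it is only attributed to a configured device when that address matches a device_ip in snmp-base.yaml.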
Investigate your device syslog messages in the New Relic UI, using the following query:

```
"plugin.type":"ktranslate-syslog"
```
What's next?
You can set up some additional agents to complement your network syslog data: