Set up network syslog monitoring | New Relic Documentation

Set up your network devices so they send syslog data to New Relic One.

Prerequisites

New Relic One account prerequisites

A New Relic account. Don't have one? Sign up for free! No credit card required.
A New Relic account ID.
A New Relic license key.

Linux host prerequisites

Docker installed in a Linux host.
SSH access to the Docker host, with the ability to launch new containers.

Network syslog devices prerequisites

Configured network devices to send syslog to the host running the ktranslate docker container. Here's how to configure network syslog data collection in some devices:
- Checkpoint - Security Gateway. You must sign in to the User Center/PartnerMAP checkpoint.
- Cisco - ASA
- Cisco - IOS
- Cisco - Meraki
- Cisco - NX-OS
- F5 - BIG-IP
- Fortinet Fortigate
- Juniper - Junos
- Palo Alto - PAN-OS

Network security prerequisites

Direction	Source	Destination	Ports	Protocol
Outbound	Docker host	ktranslate image on Docker Hub	443	TCP
Outbound	Docker host	New Relic Log API endpoint: US Endpoint: `https://log-api.newrelic.com` EU Endpoint: `https://log-api.eu.newrelic.com`	443	TCP
Inbound	Source devices for syslog data	Docker host	5143 (default)	UDP

Direction

Source

Destination

Ports

Protocol

Outbound

Docker host

ktranslate image on Docker Hub

443

TCP

Outbound

Docker host

New Relic Log API endpoint:

US Endpoint:
```
https://log-api.newrelic.com
```
EU Endpoint:
```
https://log-api.eu.newrelic.com
```

443

TCP

Inbound

Source devices for syslog data

Docker host

5143 (default)

UDP

ヒント

The default listening port for ktranslate is 5143 (TCP/UDP). If you need to use the default syslog port of 514 (or any other port), you can do so by providing a new listening endpoint during Docker runtime. For example: -syslog="0.0.0.0:514".

Set up network syslog monitoring in New Relic One

Go to one.newrelic.com and click Add more data.
Scroll down until you see Network performance monitoring and click Syslog.
Follow the steps in New Relic One.
one.newrelic.com > Add more data > Network performance monitoring > SNMP to set up SNMP data monitoring.

If you prefer to do the setup manually, see the instructions below.

Here are manual instructions for setting up network syslog monitoring:

From a Linux host with Docker installed, download the ktranslate image from dockerhub by running
bash
```
$docker pull kentik/ktranslate:v2
```
Copy the snmp-base.yaml file to the local $HOME directory of your Docker user, and discard the container by running
bash
```
$cd .
$id=$(docker create kentik/ktranslate:v2)
$docker cp $id:/etc/ktranslate/snmp-base.yaml .
$docker rm -v $id
```

In the snmp-base.yaml file, add your network syslog devices inside the devices key with the following structure:

devices:
  syslogDevice:
    device_name: edge-router
    device_ip: 10.10.1.254
    ping_only: true
    # Optional user tags
    user_tags:
      owning_team: net_eng
      environment: production

ヒント

If you're already monitoring SNMP data devices that send network syslog, you don't need to add them in your snmp-base.yaml file a second time. The ping_only attribute used in the configuration file can optionally be replaced with flow_only to remove response time monitoring and only collect syslog messages from the host.

Run ktranslate to listen for network syslog by running:

bash

$docker run -d --name ktranslate-syslog --restart unless-stopped --net=host \
>  -v `pwd`/snmp-base.yaml:/snmp-base.yaml \
>  -e NEW_RELIC_API_KEY=$YOUR_NR_LICENSE_KEY \
>  kentik/ktranslate:v2 \
>    -snmp /snmp-base.yaml \
>    -nr_account_id=$YOUR_NR_ACCOUNT_ID \
>    ## If your account is located in Europe, add the following option:
$    ## -nr_region=EU \
$    ## If you want to use FedRAMP, add the following flag to use the FedRAMP authorized endpoints:
$    ## -nr_region=GOV \
$    -metrics=jchf \
>    -tee_logs=true \
>    -service_name=syslog \
>    ## Optional: To override the default listening port of "0.0.0.0:5143":
$    ## -syslog="<ip_address>:<port>"
$    nr1.syslog

ヒント

ktranslate handles syslog in the following formats: RFC3164, RFC5424, and RFC6587.

Investigate your device syslog messages in the New Relic One logs UI, using the following query:

"plugin.type":"ktranslate-syslog"

To get better visibility into your network device performance, set up SNMP data monitoring.

To get better visibility into how your network is being used, set up network flow data monitoring.