.png?width=180&height=32&name=NW%20Logo%20(2).png){kind=small}
Issue
This article details how to export NetWitness host OS syslog to an external syslog server to centralize logging destination.
Resolution
This article assumes remote syslog has been configured. Consult your system specific documents for information on how to configure remote syslog.
- Open Admin Server UI / Admin/ Services /
/ System page and click Host Tasks
- Set up the Host Tasks and click Run. It works immediately regardless of status of remote syslog server.
- Task : Set Syslog Forwarding
- Argument : host=
- You can verify the remote syslog destination was applied by checking the following file: /etc/rsyslog.nw.conf
[root@NW11-NETWORK-HYBRID ~]# cat /etc/rsyslog.nw.conf
:programname, contains, "Nw" @192.168.5.186
# This file is generated automatically. Do not edit it! - Logging from /var/log/messages showing the result of the command:
Mar 14 13:03:22 NW11-NETWORK-HYBRID NwAppliance[1398]: [Appliance] [audit] User admin (session 99679, 192.168.5.168:59008) has issued a syslog redirect: host=192.168.5.186
Mar 14 13:03:24 NW11-NETWORK-HYBRID NwAppliance[1398]: [Appliance] [failure] Process service rsyslog --full-restart ended with exit code 1
- Note in the above example, we have a failure to restart the syslog service after applying the remote destination. If this occurs, you can simply restart the service manually from the CLI:
[root@NW11-NETWORK-HYBRID ~]# systemctl restart rsyslog - Logs sent to the remote host will resemble this (sent to a NW Log Decoder):
ADDITIONAL NOTES:
Logging set up in such a fashion will continue to redirect after service restart or appliance rebooting. No further configuration settings are required.
Product Details
NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: Core Appliance
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS , AlmaLinux
Approval Reviewer Queue
Technical approval queue