Set up network syslog monitoring | New Relic Documentation

Set up your network devices so they send syslog data to New Relic.

Add network syslog data

Prerequisites

New Relic prerequisites

A New Relic account. Don't have one? Sign up for free! No credit card required.
A New Relic account ID.
A New Relic license key.

Linux host prerequisites

Docker installed in a Linux host.
SSH access to the Docker host, with the ability to launch new containers.

Network syslog devices prerequisites

Configured network devices to send syslog to the host running the ktranslate docker container. Here's how to configure network syslog data collection in some devices:
- Checkpoint - Security Gateway. You must sign in to the User Center/PartnerMAP checkpoint.
- Cisco - ASA
- Cisco - IOS
- Cisco - Meraki
- Cisco - NX-OS
- F5 - BIG-IP
- Fortinet Fortigate
- Juniper - Junos
- Palo Alto - PAN-OS

Network security prerequisites

Direction	Source	Destination	Ports	Protocol
Outbound	Docker host	`ktranslate` image on Docker Hub or Quay.io	443	TCP
Outbound	Docker host	New Relic Log API endpoint: US Endpoint: `https://log-api.newrelic.com` EU Endpoint: `https://log-api.eu.newrelic.com`	443	TCP
Inbound	Source devices for syslog data	Docker host	5143 (default)	UDP

Direction

Source

Destination

Ports

Protocol

Outbound

Docker host

ktranslate image on Docker Hub or Quay.io

443

TCP

Outbound

Docker host

New Relic Log API endpoint:

US Endpoint:
```
https://log-api.newrelic.com
```
EU Endpoint:
```
https://log-api.eu.newrelic.com
```

443

TCP

Inbound

Source devices for syslog data

Docker host

5143 (default)

UDP

Tip

The default listening port for ktranslate is 5143 (TCP/UDP). If you need to use the default syslog port of 514 (or any other port), you can do so by providing a new listening endpoint during Docker runtime. For example: -syslog="0.0.0.0:514".

Set up network syslog monitoring in New Relic

Go to one.newrelic.com and click Add more data.
Scroll down until you see Network monitoring and click Syslog.
Follow the steps in New Relic.

Here's a short video (2:56 minutes) showing how to set up network syslog monitoring:

If you prefer to do the setup manually, see the instructions below.

Here are manual instructions for setting up network syslog monitoring:

From a Linux host with Docker installed, download the ktranslate image by running one of the following:
- Docker Hub
  bash
```
$docker pull kentik/ktranslate:v2
```
- Quay.io
  bash
```
$docker pull quay.io/kentik/ktranslate:v2
```
Copy the snmp-base.yaml file to the local $HOME directory of your Docker user, and discard the container by running the following:
bash
```
$cd .
$id=$(docker create kentik/ktranslate:v2)
$docker cp $id:/etc/ktranslate/snmp-base.yaml .
$docker rm -v $id
```
In the snmp-base.yaml file, add your network syslog devices inside the devices key with the following structure:
```
devices:
  syslogDevice:
    device_name: edge-router
    device_ip: 10.10.1.254
    ping_only: true
    # Optional user tags
    user_tags:
      owning_team: net_eng
      environment: production
```
Tip
If you're already monitoring SNMP data devices that send network syslog, you don't need to add them in your snmp-base.yaml file a second time. The ping_only attribute used in the configuration file can optionally be replaced with flow_only to remove response time monitoring and only collect syslog messages from the host.

Run ktranslate to listen for network syslog by running:

bash

$docker run -d --name ktranslate-syslog --restart unless-stopped --net=host \
>  -v `pwd`/snmp-base.yaml:/snmp-base.yaml \
>  -e NEW_RELIC_API_KEY=$YOUR_NR_LICENSE_KEY \
>  kentik/ktranslate:v2 \
>    -snmp /snmp-base.yaml \
>    -nr_account_id=$YOUR_NR_ACCOUNT_ID \
>    ## If your account is located in Europe, add the following option:
$    ## -nr_region=EU \
$    ## If you want to use FedRAMP, add the following flag to use the FedRAMP authorized endpoints:
$    ## -nr_region=GOV \
$    -metrics=jchf \
>    -tee_logs=true \
>    -service_name=syslog \
>    ## Optional: To override the default listening port of "0.0.0.0:5143":
$    ## -syslog.source="<ip_address>:<port>"
$    nr1.syslog

Tip

ktranslate handles syslog in the following formats: RFC3164, RFC5424, and RFC6587.

Investigate your device syslog messages in the New Relic logs UI, using the following query:

"plugin.type":"ktranslate-syslog"

To get better visibility into your network device performance, set up SNMP data monitoring.

To get better visibility into how your network is being used, set up network flow data monitoring.