
Collect Logs for Linux

This procedure describes how to collect logs from Linux into Sumo Logic.

Sumo apps are built on the log messages that collectors gather from sources. The Sumo app for Linux needs specific Linux log files, which you point the collector and source at during configuration. The sections below list the required logs for:

  • Ubuntu
  • CentOS, Amazon Linux, and most Red Hat forks

Required logs for Ubuntu

The following logs, located in your Linux machine's /var/log folder, are required for using the Sumo app for Linux with Ubuntu. Make sure the account the collector runs as can read them: on Ubuntu, auth.log is readable only by root and the adm group, so a collector that does not run as root needs membership in that group.

  • auth.log
  • syslog
  • daemon.log
  • dpkg.log
  • kern.log

Required logs for CentOS, Amazon Linux, and Red Hat

The following logs, located in your Linux machine's /var/log folder, are required for using the Sumo app for Linux with CentOS, Amazon Linux, and most Red Hat forks. audit/audit.log is written by auditd, so that service must be enabled, and by default the file is readable only by root; a collector that does not run as root will not be able to read it without a permissions change.

  • audit/audit.log
  • secure
  • messages
  • yum.log

Configure a collector

Configure an Installed Collector.

Configure a source

To collect Linux logs, create a Local File Source for the collector, following the instructions on Local File Source. When you define a Source Category for the source, we recommend a value such as prod/os/linux. For more information about Source Categories, see Best Practices.

Sample log messages

From auth.log (an sshd authentication failure reported through PAM):

Dec 16 20:26:23 ubuntu sshd[15533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.50  user=root

From dpkg.log (a package removal):

2016-12-16 19:23:13 startup packages remove

2016-12-16 19:23:13 remove tomcat7:all 7.0.68-1ubuntu0.1 <none>

Query sample

Failed Logins

This query is written against a Source Category named ubuntu_log; change the _sourceCategory term to the category you assigned to the source (for example prod/os/linux). The keyword filter keeps only messages containing "authentication failure" or "FAILED SU". The first parse regex pulls the hostname that follows the syslog timestamp, and each following parse line handles one message format (pam_unix, "Authentication failure for", su, and login). nodrop keeps a message even when a particular parse does not match it, and the final where clause discards messages for which none of the parsers identified a target user.

_sourceCategory=ubuntu_log ("authentication failure" or "FAILED SU") 
| parse regex "\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S+)\s" nodrop 
| parse "ruser=* rhost=* user=*" as src_user,src_hostname, dest_user nodrop 
| parse "Authentication failure for * from *" as dest_user,src_hostname nodrop 
| parse "FAILED SU (to *) * on" as dest_user,src_user nodrop 
| parse regex "FAILED LOGIN (?:SESSION|\d+) FROM (?<src_tty>\S+) FOR (?<dest_user>\S+)," nodrop 
| where dest_user!=""
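To show what the query above actually does to a log line, here is the same detection logic as a stand-alone Python script. This is an added example, not code from the page or from Sumo Logic: the keyword filter, the five parse steps, the nodrop behaviour and the final where clause are each reproduced with a regular expression, with the Sumo anchor patterns ("ruser=* rhost=* user=*") approximated as whitespace-delimited captures. The first sample line is the page's own auth.log sample; the remaining lines, hostnames and user names are constructed for the example.

```python
import re
from collections import Counter

# Keyword filter from the query's first line. Sumo keyword search is
# case-insensitive, so both "authentication failure" and the login(1)
# spelling "Authentication failure" must pass.
KEYWORD_FILTER = re.compile(r"authentication failure|FAILED SU", re.IGNORECASE)

# One regex per "parse" line of the query. Named groups carry the same field
# names the query assigns. The anchor-style parses are approximated here as
# whitespace-delimited captures (an assumption of this example).
PARSERS = [
    # parse regex "\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S+)\s"
    re.compile(r"\d+\s+\d+:\d+:\d+\s(?P<dest_hostname>\S+)\s"),
    # parse "ruser=* rhost=* user=*" as src_user, src_hostname, dest_user
    re.compile(r"ruser=(?P<src_user>\S*) rhost=(?P<src_hostname>\S*)\s+user=(?P<dest_user>\S+)"),
    # parse "Authentication failure for * from *" as dest_user, src_hostname
    re.compile(r"Authentication failure for (?P<dest_user>\S+) from (?P<src_hostname>\S+)"),
    # parse "FAILED SU (to *) * on" as dest_user, src_user
    re.compile(r"FAILED SU \(to (?P<dest_user>[^)]+)\) (?P<src_user>\S+) on"),
    # parse regex "FAILED LOGIN (?:SESSION|\d+) FROM (?<src_tty>\S+) FOR (?<dest_user>\S+),"
    re.compile(r"FAILED LOGIN (?:SESSION|\d+) FROM (?P<src_tty>\S+) FOR (?P<dest_user>\S+),"),
]

FIELDS = ("dest_hostname", "src_user", "src_hostname", "src_tty", "dest_user")


def parse_failed_login(line: str):
    """Return the extracted fields for one log line, or None if the query would drop it."""
    if not KEYWORD_FILTER.search(line):
        return None                      # fails the keyword filter
    fields = dict.fromkeys(FIELDS, "")   # nodrop: parsers that do not match leave fields empty
    for rx in PARSERS:
        m = rx.search(line)
        if m:
            fields.update(m.groupdict())
    if not fields["dest_user"]:
        return None                      # where dest_user != ""
    return fields


def failed_logins(lines):
    """Run the detection over raw lines and return the records that survive it."""
    return [rec for rec in (parse_failed_login(ln) for ln in lines) if rec is not None]


def failed_logins_by_target(lines):
    """Count failures by (host, targeted user, origin).

    Origin is rhost for PAM messages, or the FROM field for login(1) messages,
    which the query stores as src_tty; su failures have no remote origin.
    """
    return Counter(
        (r["dest_hostname"], r["dest_user"], r["src_hostname"] or r["src_tty"])
        for r in failed_logins(lines)
    )


# Sample input: the first line is the page's own sample; the rest are constructed
# to exercise each parse branch plus two lines the query must discard.
SAMPLE_LINES = [
    "Dec 16 20:26:23 ubuntu sshd[15533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.50  user=root",
    "Dec 16 20:27:01 ubuntu su[15600]: FAILED SU (to root) alice on /dev/pts/0",
    "Dec 16 20:28:10 ubuntu login[15700]: FAILED LOGIN 1 FROM 10.0.0.5 FOR bob, Authentication failure",
    "Dec 16 20:28:40 ubuntu sshd[15533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=116.31.116.50  user=root",
    "Dec 16 20:29:00 ubuntu sshd[15800]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2",
    "Dec 16 20:30:00 ubuntu CRON[15900]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for (host, user, origin), n in failed_logins_by_target(SAMPLE_LINES).most_common():
        print(f"{n:3d}  {host}  target={user}  from={origin or '(local)'}")
```

Run it against a copy of auth.log (for example `failed_logins(open("/var/log/auth.log"))`) to check that the patterns cover the message formats your hosts actually emit before relying on the Sumo query; any failed login whose message matches none of the five parsers is silently discarded by the final where clause.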