Skip to main content
Sumo Logic

Collect Logs for Linux

This procedure documents how to collect logs from Linux into Sumo Logic.

Log Types

The Sumo Logic app for Linux requires the following log types, which are set up during the Collector and Source configuration process:

  • /var/log/messages* - These logs contain system messages. They are required for most system events, such as user creation, deletion, system start, shutdown, etc.
  • /var/log/audit* or /var/log/secure* - The log type used will depend on the version of UNIX and configuration. These logs contain security logs. They are required for most security events and user logins.
  • /var/log/ [ yum.log | dpkg.log | zypper.log ] - Optional: These logs are required for package operation searches.

Sumo Logic recommends categorizing all of these logs uniformly with a single source category, such as: OS/Linux.

Configure a Collector

Configure a Hosted Collector or an Installed Collector.

Configure a Source

  1. Configure a Source.
  2. Configure the Source fields:
    1. Name. (Required) A name is required. Description is optional.
    2. Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: prod/web/apache/access. For details see Best Practices.
  3. Configure the Advanced section:
    1. Enable Timestamp Parsing. True
    2. Time Zone. Make sure to set it to (UTC) Etc/UTC
    3. Timestamp Format. Auto Detect
  4. Click Save.

Sample Log Messages

Dec 16 20:26:23 ubuntu sshd[15533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root

2016-12-16 19:23:13 startup packages remove

2016-12-16 19:23:13 remove tomcat7:all 7.0.68-1ubuntu0.1 <none>

Query Sample

Failed Logins

_sourceCategory=ubuntu_log ("authentication failure" or "FAILED SU") 
| parse regex "\d+\s+\d+:\d+:\d+\s(?<dest_hostname>\S+)\s" nodrop 
| parse "ruser=* rhost=* user=*" as src_user,src_hostname, dest_user nodrop 
| parse "Authentication failure for * from *" as dest_user,src_hostname nodrop 
| parse "FAILED SU (to *) * on" as dest_user,src_user nodrop 
| parse regex "FAILED LOGIN (?:SESSION|\d+) FROM (?<src_tty>\S+) FOR (?<dest_user>\S+)," nodrop 
| where dest_user!=""

Sumo Logic App

Now that you have set up collection for Linux, install the Sumo Logic App for Linux to use the preconfigured searches and dashboards that provide insight into website visitor behavior patterns, monitors server operations, and assists in troubleshooting issues that span entire web server farms.