# Collect data using Syslog

{% hint style="info" %}
See the changelog of this Listener type [here](https://app.gitbook.com/s/1OZWDcmMPrhfCtF1rMJP/syslog-listener).
{% endhint %}

## Overview

Onum receives data from **Syslog**, supporting TCP and UDP protocols. Select **Syslog** from the list of Listener types and click **Configuration** to start.

## Prerequisites

If you are using On-Prem, you'll need to know your Onum distributor URL. [Contact us](https://app.gitbook.com/o/9sm794iTBacZSmhxRER6/s/cSjT21I4EUhzghjc1rER/) and we'll send it to you.

## Important Considerations Regarding Cloud Deployments

* In cloud-based Onum installations, the **TLS** configuration section of the Listener is not visible and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions [in this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation).
* If you are defining this Listener in a cloud instance, Onum will automatically provide the **Port** and **TLS** configuration.
* Cloud Listeners have an additional step in their creation process: **Network configuration**. Use these details to configure your data source to communicate with Onum. Click **Download certificate** to get the required certificate for the connection. You can also download it from the Listener details once it is created.
* When configuring a Listener in a Cloud tenant, the **port** will be `443`. In on-prem, the selected port must fall within the range of `1024` to `10000`.
* Cloud Listener endpoints are created in Onum's DNS. This process is usually fast, and Listeners are normally available immediately. However, note that this may take up to 24-48 hours, depending on your organization's DNS configuration.
* Your data input must use **Server Name Indication (SNI)**, which means it must send its hostname during the TLS handshake. If SNI is not used, certificate routing will fail and data will not be received, even if the certificate is valid.

If your organization's software cannot meet points 2 and 3, you can use an intermediate piece of software to ensure the client-Onum connection, such as Stunnel.

## Onum Setup

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Listeners > New listener**.
{% endstep %}

{% step %}
Double-click the **Syslog** Listener.
{% endstep %}

{% step %}
Enter a **Name** for the new Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
Enter the required **Port** and **Protocol** (**TCP** or **UDP**). For cloud-based Onum installations, the **Socket** and **Protocol** sections are not visible (**port** `443` and **Protocol** `TCP` are used by default). If you see them, enter the required port in the **Port** field.

{% hint style="warning" %}
Note that by default, available TCP ports are 1024 to 10000.
{% endhint %}

While UDP 514 is the standard, some implementations may use TCP 514 or other ports, depending on specific configurations or security requirements. To determine the syslog port value, check the configuration settings of your syslog server or consult the documentation for your specific device or application.
{% endstep %}

{% step %}
Choose the required **Framing Method**, which refers to how characters are handled in log messages sent via the Syslog protocol. Choose between:

* **Auto-Detect** - automatically detect the framing method using the information provided.
* **Non-Transparent Framing (newline)** - the **newline characters** (`\n`) within a log message are **preserved as part of the message content** and are not treated as delimiters or boundaries between separate messages.
* **Non-Transparent Framing (zero)** - refers to the way **zero-byte** characters are handled. Any **null byte** (`\0`) characters that appear within the message body are **preserved as part of the message** and are not treated as delimiters or boundaries between separate messages.
* **Non-Transparent Framing (custom)** - choose this option if you need to use vendor-specific or custom approaches to frame syslog messages rather than the standard framing methods. You must enter the specific character(s) that will mark the end of each syslog message in the **Custom trailer characters parameter** that appears.
* **Octet Counting (message length)** - the Syslog message is preceded by a count of the length of the message in octets (bytes).
{% endstep %}

{% step %}
In cloud-based Onum installations, the **TLS** configuration section is not visible. In these setups, Onum automatically manages **TLS** certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain**. Learn how to generate these self-signed certificates in [this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation). Once you have them, click **New secret** in each field and add the corresponding values.

**Now there are two possible scenarios:**

If you didn't enter your **TLS** certificates, when you click **Create listener** you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. Here you will download the certificate (see the [steps after creation to do this](#download-certificate)).

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

If you entered the TLS certificates, you'll go directly to the Labels step, and the Listener is created when you eventually click **Create listener**.
{% endstep %}

{% step %}
The TLS credentials are saved in Onum as Secrets. In the TLS form, click **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value.**
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.
{% endstep %}

{% step %}
Finally, click **Create labels**. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as **Unlabeled**. Click **Create listener** when you're done.

{% hint style="info" %}
Learn more about labels in [this article](https://docs.onum.com/the-workspace/listeners/labels).
{% endhint %}
{% endstep %}
{% endstepper %}


### Download certificate

Now, download the certificate from the **Listeners** view by clicking the created listener and selecting the three dots in the top right-hand corner of the menu > **Download Certificate**.

{% hint style="info" %}
The downloaded .p12 file does not require a password to access.
{% endhint %}

To extract the certificates from the download:

```bash
#!/bin/bash
# Extract certs from certificate.p12

# Client certificate (PEM)
openssl pkcs12 -in certificate.p12 -clcerts -nokeys -out client.crt -password pass:

# Client private key (PEM). -nodes writes the key unencrypted, so keep client.key readable only by its owner.
openssl pkcs12 -in certificate.p12 -nocerts -nodes -out client.key -password pass:

# CA chain (PEM)
openssl pkcs12 -in certificate.p12 -cacerts -nokeys -out ca-chain.crt -password pass:
```
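
A minimal client for the setup described on this page, as an added example (not Onum's code): it frames each message with octet counting and sends it over TLS with SNI, using the files produced by the extraction script above. The host name is a placeholder, the `<length> <message>` layout follows RFC 6587, and trusting the extracted CA chain for the server certificate is an assumption.

```python
import socket
import ssl

# Assumed values: replace the host with the Address from the Network configuration screen.
ONUM_HOST = "listener.example.invalid"  # placeholder, not a real Onum endpoint
ONUM_PORT = 443                         # cloud Listener port stated on this page


def frame_octet_counting(message: str) -> bytes:
    """Prefix the message with its length in octets: b"<len> <msg>"."""
    payload = message.encode("utf-8")
    # Count encoded bytes, not characters: "é" is one character but two octets.
    return str(len(payload)).encode("ascii") + b" " + payload


def build_tls_context(ca_file="ca-chain.crt", cert_file="client.crt",
                      key_file="client.key") -> ssl.SSLContext:
    """Client context that verifies the server and presents the client certificate."""
    ctx = ssl.create_default_context()          # system CAs, CERT_REQUIRED, hostname check
    ctx.load_verify_locations(cafile=ca_file)   # assumption: also trust the extracted chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def send_syslog(messages, host=ONUM_HOST, port=ONUM_PORT, context=None) -> int:
    """Send framed messages over one TLS connection; returns the bytes written."""
    ctx = context or build_tls_context()
    data = b"".join(frame_octet_counting(m) for m in messages)
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname places the name in the ClientHello (SNI) and is also
        # the name the server certificate is checked against.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(data)
    return len(data)


# Constructed sample events (not real logs).
SAMPLE = [
    "<134>1 2024-01-01T00:00:00Z host01 app 1234 - - login ok user=alice",
    "<134>1 2024-01-01T00:00:01Z host01 app 1234 - - café order placed",
]

if __name__ == "__main__":
    print(send_syslog(SAMPLE), "bytes sent")
```

Select **Octet Counting (message length)** or **Auto-Detect** as the Framing Method on the Listener when sending frames built this way.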
