Sending data to Loom using a relay

Loom gives you two options for setting up a syslog relay:

  1. Install and set up the relay on a machine of your own manually.
  2. Use the Rsyslog Docker container that Loom provides.

Choosing your relay

How do you know which relay better suits your needs?
The Docker container needs no setup beyond Docker itself, so we recommend it for most users and for novices in particular. Choose the manual installation only if you are comfortable administering Rsyslog and need more control over the configuration, for example over inputs, filtering or queueing.

For either method, the relay must run on a machine that meets the following requirements:

  • The machine has a static IP (your hosts and appliances will be pointed at it).
  • Port 6514 TCP is open outbound to Loom, i.e. to <customer-name>-data.loomsystems.com.
  • Your sending hosts can reach the relay on port 514 (UDP, and TCP if you enable it), so any host or network firewall in between must allow that traffic inbound.

Note that the leg from your hosts to the relay is plain syslog; only the relay-to-Loom leg is encrypted with TLS. Keep the relay on a trusted network segment and do not expose port 514 to untrusted networks.

1- Installing the Rsyslog relay

This guide describes setting up a syslog relay using Rsyslog on a CentOS 7.2 host. Rsyslog is available for all popular operating systems (there is even a Windows port), so the same configuration should carry over; only the yum command and the file paths below are CentOS-specific.

This guide also assumes you already have Rsyslog installed, ideally a current version: the configuration below uses the module()/input() syntax, which requires rsyslog 6 or later (the CentOS 7 package qualifies).

First step - obtaining the Loom CA certificate (required for the TLS connection to Loom)

Run the following commands (curl's -f flag makes the download fail loudly on an HTTP error instead of silently saving an error page as the certificate; rsyslog-gnutls provides the gtls driver used below):

sudo mkdir -p /etc/rsyslog.d/keys/ca.d
sudo curl -fsSL -o /etc/rsyslog.d/keys/ca.d/loom.cer https://static.loomsystems.com/loom.cer
sudo yum install rsyslog-gnutls

Second step - configuring the relay server

Open the following file for editing (create it if it does not exist yet):

/etc/rsyslog.d/10-loom.conf

In this file, paste the following:

# uncomment for TCP input. Note that you might need to change the port if it is already in use
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

# UDP input
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# TLS towards Loom: verify the server certificate against the Loom CA (mode 1 = TLS on)
# and require the certificate name to match the permitted peer. Do not switch the
# auth mode to "anon"; that would skip server authentication entirely.
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/loom.cer
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.loomsystems.com

$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1     # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

# forward messages from the chosen host to Loom over TLS (@@ = TCP), then discard
# them so they are not also written to the relay's local log files
:fromhost-ip, isequal, "<sending-ip>" @@<customer-name>-data.loomsystems.com:6514
:fromhost-ip, isequal, "<sending-ip>" ~

Replace the following:
<customer-name> - the prefix of the domain you use to access Loom (e.g. <customer-name>.loomsystems.com)
<sending-ip> - the IP of the host you want to relay data from
You can add additional forwarding statements if you want to relay more than one host. Note that the legacy $ActionQueue* directives apply only to the action that follows them, so repeat the queue block in front of each additional forwarding line and give each one a distinct $ActionQueueFileName; otherwise the extra forwards run with rsyslog's default direct queue and no disk buffering. If you prefer, you can also narrow $ActionSendStreamDriverPermittedPeer from the wildcard to your exact <customer-name>-data.loomsystems.com hostname.

Create the spool folder and restart Rsyslog for the configuration to load. Afterwards, check that the service came back up and that nothing in the journal complains about the certificate or the configuration:

sudo mkdir -p /var/spool/rsyslog
sudo systemctl restart rsyslog

Final step - configure your servers to forward syslog to the relay

For appliances (e.g. firewalls), this is usually done in the appliance's web interface: point its syslog destination at the relay's static IP on port 514 (UDP, or TCP if you uncommented the imtcp input above).
For Linux machines, add a forwarding rule to the host's own Rsyslog configuration.
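To put the three steps together, here is an added example (my own script, not part of Loom's documentation or tooling) that renders the relay configuration above for any number of sending hosts, validates the customer name and IPs, pins the TLS peer to the exact Loom endpoint instead of the wildcard, repeats the queue block per sender as discussed, and prints the matching one-line forwarder for a Linux client. The script name, the LOOM_CUSTOMER and LOOM_SENDERS variables and the fwdLoom<n> queue names are my own choices; the CA path, ports and Loom hostnames are the ones from the steps above.

```shell
#!/usr/bin/env bash
# gen_loom_relay_conf.sh (added example, not Loom's own tooling): render
# /etc/rsyslog.d/10-loom.conf for one or more sending hosts, then sanity-check it.
# Usage:
#   LOOM_CUSTOMER=test LOOM_SENDERS="10.0.0.5 10.0.0.6" ./gen_loom_relay_conf.sh \
#       | sudo tee /etc/rsyslog.d/10-loom.conf >/dev/null
set -eu

CA_FILE=/etc/rsyslog.d/keys/ca.d/loom.cer   # where the guide puts the Loom CA

# The customer name becomes a DNS label in <name>-data.loomsystems.com.
valid_customer() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Dotted-quad IPv4 with every octet in 0..255 (what fromhost-ip carries).
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Confirm the downloaded CA file really is a PEM certificate and show its expiry
# (a curl without -f would happily save an HTML error page under that name).
check_ca() {
    openssl x509 -in "${1:-$CA_FILE}" -noout -subject -enddate
}

# Syntax-check a rendered file without restarting the daemon (-N1 = check only).
check_conf() {
    command -v rsyslogd >/dev/null || { echo "rsyslogd not installed" >&2; return 2; }
    rsyslogd -N1 -f "$1"
}

# Print the relay configuration: TLS settings once, then one forward + discard
# pair per sender.  Legacy $ActionQueue* directives apply only to the action that
# follows them, so the queue block is repeated per sender with a distinct
# spool-file prefix; otherwise later forwards would get the default direct queue.
render_loom_conf() {
    customer=$1; shift
    valid_customer "$customer" || { echo "bad customer name: $customer" >&2; return 1; }
    target="${customer}-data.loomsystems.com"
    cat <<EOF
# generated by gen_loom_relay_conf.sh -- receives plain syslog on UDP/514
module(load="imudp")
input(type="imudp" port="514")

\$DefaultNetstreamDriverCAFile $CA_FILE
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
# pin the peer to the exact endpoint instead of the *.loomsystems.com wildcard
\$ActionSendStreamDriverPermittedPeer $target
\$WorkDirectory /var/spool/rsyslog
EOF
    n=0
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad sender IP: $ip" >&2; return 1; }
        n=$((n + 1))
        cat <<EOF

# sender $n: $ip
\$ActionQueueFileName fwdLoom$n
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
:fromhost-ip, isequal, "$ip" @@$target:6514
:fromhost-ip, isequal, "$ip" ~
EOF
    done
}

# Final step, client side: one line for /etc/rsyslog.d/ on each Linux sender.
# "@" is UDP to match the relay's imudp input; use "@@" only if you enabled imtcp.
render_client_conf() {
    valid_ipv4 "$1" || { echo "bad relay IP: $1" >&2; return 1; }
    printf '*.* @%s:514\n' "$1"
}

# Render only when driven by the environment, so sourcing the file for its
# check functions prints nothing.
if [ -n "${LOOM_CUSTOMER:-}" ] && [ -n "${LOOM_SENDERS:-}" ]; then
    # shellcheck disable=SC2086  # LOOM_SENDERS is a space-separated list
    render_loom_conf "$LOOM_CUSTOMER" $LOOM_SENDERS
fi
```

Run check_ca right after the curl step and check_conf on the rendered file before restarting rsyslog; both are only invoked by hand (for example by sourcing the script). The rendered output is meant to land in /etc/rsyslog.d/10-loom.conf exactly as in the second step, so the spool folder and restart still follow.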

2- Docker Rsyslog relay

The following steps show how to start and configure the Loom rsyslog relay container on any machine that has Docker installed.

After you've installed Docker, make sure the daemon is up by running docker ps.

Run the container

# optional: add -e DEBUG=true to the options to start Rsyslog in debug mode
docker run -d --privileged \
    -e CUSTOMER_NAME=<customer name> \
    -p 514:514/tcp -p 514:514/udp \
    --name loom-syslog-relay \
    loomsystems/loom-rsyslog-relay-docker

This starts the relay container, which listens on port 514 for both TCP and UDP on every interface of the host. It uses the same outbound TLS connection to Loom on port 6514 as the manual relay, so the requirements above still apply. Note that --privileged gives the container nearly unrestricted access to the host, so run it on a dedicated machine rather than alongside other workloads.

Configuration with environment variables

  • CUSTOMER_NAME - your customer name, i.e. the prefix of your Loom URL: if you access Loom at test.loomsystems.com, your customer name is "test". Required.
  • DEBUG [true | false] - start Rsyslog in debug mode (default is false). Optional.

Please contact us if you need help :)
