Team: Huntress Managed Security Information and Event Management (SIEM)
Product: Syslog-capable appliance (typically firewalls, routers, and other edge devices)
Environment: Local networks with the Huntress Agent installed on either a Windows or Linux endpoint.
Summary: In just a few steps, set up your Huntress Agent to receive and store syslog data. You'll need admin access to your syslog-capable device, admin account-level access in your Huntress Platform, and the ability to manage Defender Firewall or your Linux software firewall on the endpoint that hosts the Huntress Agent you wish to ingest syslog data on.
In this Article
- Configure the Huntress Rio Agent
- Configure Windows Firewalls for Syslog Collection
- Configure Linux Firewalls for Syslog Collection
- Supported Syslog Message Formats
Overview
Huntress Managed Security Information and Event Management (SIEM) can collect syslog data from network devices such as firewalls and routers. This guide walks you through configuring the Huntress Rio Agent to receive syslog messages, setting up the necessary firewall rules, and ensuring your syslog sources are sending logs in a compatible format.
Syslog ingestion requires the following:
- A Windows or Linux endpoint with the Huntress Agent installed.
- A syslog source, such as a firewall, appliance, or other syslog-generating service.
Skipping or misconfiguring any of these is a common cause of “collector is enabled but no logs are appearing”.
Before You Begin
Before starting, make sure you have:
- Admin access to your syslog-capable device (for example, firewall or router).
- Admin account-level access in the Huntress Platform.
- Permission to manage the software firewall on the endpoint where the Huntress Agent is installed.
- All required Huntress communications allow-listed on the endpoint where the Huntress Agent is installed.
Configure the Huntress Agent
- Log in to the Huntress Platform and go to SIEM > Source Management.
- Select Add Source.
- Choose Syslog (Local).
- In the top right, select Enable Syslog Collector.
- Select the organization and host where you want to collect syslog data. Either a Linux or a Windows host can act as the syslog collector.
- Enable support for UDP and/or TCP on separate ports as needed. Make sure no other service is using the selected port(s).
- Select Enable Collector to save your configuration.
After a few minutes, the selected organization and hostname will appear under Enabled Syslog Agents once the updated policy applies.
Configure Windows Firewalls for Syslog Collection
To allow the Huntress Rio Agent to receive syslog messages, you must create a Windows Firewall rule for the listening port (default: UDP 514). You can do this using PowerShell or manually in Windows Defender Firewall.
Command Method (PowerShell)
Run the following command in PowerShell (replace the port if you are not using the default):
New-NetFirewallRule -DisplayName "Allow Huntress Syslog Collection" -Direction Inbound -Action Allow -Protocol UDP -LocalPort 514 -Program "%ProgramFiles%\Huntress\Rio\Rio.exe"
Manual Method
- Open Windows Defender Firewall and go to Advanced Settings.
- Select Inbound Rules and choose New Rule in the Actions pane.
- Choose Custom Rule and enter the program path (for example, %ProgramFiles%\Huntress\Rio\Rio.exe).
- Select Allow the Connection.
- For Protocol and Ports, select UDP and specify port 514 (or your custom port/protocol).
- Complete the wizard and give the rule a name, such as Huntress Syslog Listener.
If your network adapter is set to the Public profile, Windows Firewall may ignore some rules. For best results, use the Domain or Private network profile. See Microsoft documentation for details.
Restrictive Defender Firewall Configuration (Optional)
It's HIGHLY recommended that you first test the firewall configuration without a remote IP restriction on your firewall rule. Once data is flowing, add the IP restriction. If the data stops flowing, the rule's remote IP scope does not include the syslog source IP(s).
You can further restrict the firewall rule to allow syslog traffic only from specific devices.
- Add the remote IP address of your syslog source to the rule to allow inbound UDP (or TCP) traffic on the specified port.
- Select Allow the Connection (not "Allow the connection if it is secure"): syslog over UDP is neither authenticated nor encrypted, so the secure-only option would block it.
- Apply the rule to all three profiles: Domain, Private, and Public. Windows Firewall will ignore some firewall rules on the Public profile, so it's highly recommended that your network is configured as a Domain or Private network.
- Give the rule a name, like Huntress Syslog Listener.
If you later want to collect syslog from additional devices, you must update the rule to include their IP addresses.
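As an added example (not from the Huntress article), the scoped rule described above created, verified and later widened with PowerShell. It assumes the default UDP 514, the Rio.exe path quoted earlier, and constructed source addresses in the 192.0.2.0/24 documentation range.

```powershell
# Added example, not Huntress code. Creates the restrictive inbound rule with PowerShell
# instead of the wizard, scoped to the syslog sources and applied to all three profiles.
# Assumptions: default UDP 514, the Rio.exe path from the article, constructed source IPs.
$RuleName = 'Allow Huntress Syslog Collection (scoped)'
$Sources  = @('192.0.2.10', '192.0.2.20')   # constructed syslog source addresses

New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 514 `
    -Program "%ProgramFiles%\Huntress\Rio\Rio.exe" `
    -RemoteAddress $Sources `
    -Profile Domain, Private, Public

# Confirm the remote scope actually took effect before relying on it.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# When another device must be collected later, widen the existing rule in place
# rather than adding a second, overlapping rule.
Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress ($Sources + '192.0.2.30')

# Troubleshooting check from the article: Rio.exe must be the only process bound to the port.
Get-NetUDPEndpoint -LocalPort 514 |
    ForEach-Object { Get-Process -Id $_.OwningProcess | Select-Object Id, ProcessName, Path }
```

Run from an elevated PowerShell session; if the data stops after the rule is scoped, compare the RemoteAddress output with the address your device actually sends from.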
Configure Linux Firewalls for Syslog Collection
These steps may vary depending on the Linux distribution in use; the two most common firewall front ends are configured as follows:
For Firewalld based distributions (Fedora/CentOS/RHEL):
sudo firewall-cmd --permanent --add-port=514/udp
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload
For UFW based distributions (Debian/Ubuntu):
sudo ufw allow 514/udp
sudo ufw allow 514/tcp
Configure Syslog Sources
After the Huntress Agent and firewall are configured, set up your syslog-capable device to send logs to the agent.
- Check to see if there is a Huntress guide for your specific device configuration. If so, follow that guide. If your device is not listed, ensure it can send logs in one of the supported formats below.
- In your device’s configuration, set the syslog destination to the Internal IP address of the Huntress Rio Agent host with the correct port and protocol (default: UDP 514).
- If your device has an option for TLS/SSL, "secure transmission", or "encrypted syslog message", you must turn it off: Huntress SIEM does not support receiving encrypted syslog over either TCP or UDP, and UDP is a stateless transport that cannot carry a TLS session.
- Ensure the device is sending logs in a supported format (see below).
Most devices only need the syslog destination IP and port set. Some may require you to open the port on your internal network.
Supported Syslog Message Formats
Huntress Managed SIEM can automatically parse the following syslog standards:
Syslog Timezones
For best results, configure your syslog source to send logs in the UTC timezone. Huntress SIEM will automatically convert logs to UTC if the timezone is specified in the log entry.
If the timezone is not specified (common with RFC 3164), Huntress SIEM will assume the log is in UTC.
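An added illustration of the rule above (not Huntress code): a constructed RFC 5424 message and a constructed RFC 3164 message reporting the same local instant are normalised the way the page describes, which makes the skew introduced by a zone-less RFC 3164 source visible. The function name and sample messages are assumptions.

```powershell
# Added illustration, not Huntress code. RFC 5424 timestamps carry an offset and convert
# to UTC; RFC 3164 timestamps carry no zone (and no year), so they are taken as UTC as-is.
function ConvertTo-SyslogUtc {
    param([Parameter(Mandatory)][string]$Message)
    $inv = [cultureinfo]::InvariantCulture

    # RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME ...; TIMESTAMP is RFC 3339 (Z or offset).
    if ($Message -match '^<\d{1,3}>\d+ (\S+) ') {
        if ($Matches[1] -eq '-') { return $null }      # NILVALUE: device sent no timestamp
        return [DateTimeOffset]::Parse($Matches[1], $inv).UtcDateTime
    }

    # RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME ...; no zone, no year. Assume UTC, current year.
    if ($Message -match '^<\d{1,3}>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ') {
        $raw  = $Matches[1] -replace ' {2}', ' '       # single-digit days are padded with a space
        $when = [datetime]::ParseExact($raw, 'MMM d HH:mm:ss', $inv)
        return [datetime]::SpecifyKind($when, [DateTimeKind]::Utc)
    }
    return $null
}

# Constructed messages: the same instant (22:14:15 local, UTC-7) from two devices.
# The RFC 5424 device's offset survives (05:14:15 UTC next day); the RFC 3164 device's
# local clock is read as if it were UTC, so its events land seven hours early.
ConvertTo-SyslogUtc '<34>1 2003-10-11T22:14:15.003-07:00 fw01 kernel - - - Inbound drop'
ConvertTo-SyslogUtc '<34>Oct 11 22:14:15 fw02 kernel: Inbound drop'
```

Setting RFC 3164 devices to UTC, as the page recommends, is what removes the skew shown by the second call.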
Troubleshooting
If your syslog collector is enabled but you do not see logs in Huntress Managed SIEM:
- Double-check that the syslog source is configured using the appropriate device guide.
- Verify that the Huntress Rio Agent is the only program listening on the specified port.
- Ensure the software firewall rule is active and not blocked by the network profile.
- Confirm that your device is sending logs in a supported format and to the correct IP/port.
After completing those checks, please see our Troubleshooting SIEM Local Syslog Collection guide.
Skipping the syslog source configuration is a common cause of missing logs. Always follow the device-specific guide if available.