Install vector
curl --proto '=https' --tlsv1.2 -sSfL https://sh.vector.dev | bash
this will install vector in home directory, move it to /usr/local
mv /root/.vector /usr/local/vector/
create a config file
vim /usr/local/vector/config/syslogd.json
copy the folloiwng contect to that file
{
"sources": {
"eventlogs": {
"type": "syslog",
"address": "0.0.0.0:514",
"mode": "udp"
}
},
"sinks": {
"qryn": {
"type": "loki",
"inputs": [
"eventlogs"
],
"endpoint": "http://127.0.0.1:3100",
"out_of_order_action": "accept",
"compression": "none",
"encoding": {
"codec": "json"
},
"labels" : {
"system": "nyc01"
}
}
}
}save and exit. Now create service file for Vector
[Unit]
Description=Vector
Documentation=https://vector.dev
After=network-online.target
Requires=network-online.target
[Service]
User=root
Group=root
ExecStartPre=/usr/local/vector/bin/vector validate --no-environment --config-json /usr/local/vector/config/syslogd.json
#ExecStart=/usr/local/vector/bin/vector --config /usr/local/vector/config/syslogd.json
ExecStart=/usr/local/vector/bin/vector --config /usr/local/vector/config/syslogd.json
ExecReload=/usr/local/vector/bin/vector validate --no-environment --config-json /usr/local/vector/config/syslogd.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=always
AmbientCapabilities=CAP_NET_BIND_SERVICE
EnvironmentFile=-/etc/default/vector
# Since systemd 229, should be in [Unit] but in order to support systemd <229,
# it is also supported to have it here.
StartLimitInterval=10
StartLimitBurst=5
[Install]
WantedBy=multi-user.targetsave and exit. Start vector service
systemctl daemon-reload
systemctl start vector
Use Solarwind Event Forwarder to send Windows logs to rsyslog
Enjoy ;)