# Linux Server Logs

Linux servers generate system, authentication, and service logs that record host activity relevant to detecting lateral movement, privilege escalation, and post-compromise behavior. Connecting Linux servers to Radiant Security forwards their rsyslog system logs through the Radiant Agent over TCP syslog. Radiant uses Linux server logs to correlate host events with alerts from other connectors, giving analysts the supporting context needed to reach a verdict during AI triage.

### Prerequisites

* [ ] Root access on each Linux server that will forward logs
* [ ] rsyslog package installed on each Linux server
* [ ] A deployed [Radiant Agent](/radiant-connectors/data-connectors/install-the-radiant-security-agent.md) reachable from the Linux servers
* [ ] Administrator role in Radiant Security

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Linux Server Logs**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Radiant Agent Integration`). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
6. Click **Add Connector**.

### Configure rsyslog to forward logs

Before starting, confirm the IP address or hostname of the Radiant Agent and the port configured to receive Linux server logs. If you do not know the port, contact your Customer Success representative.

Repeat the following steps on each Linux server you want to forward logs from.

1. Open a root shell on the Linux server:

```bash
   sudo su -
```

Enter your password when prompted.

2. Verify rsyslog is installed:

```bash
   dpkg --list | grep rsyslog
```

If rsyslog is installed, the output is similar to `ii rsyslog 8.2312.0-3ubuntu9.1`. If the command returns no output, install rsyslog with `apt install rsyslog`.

{% hint style="info" %}
The `dpkg` and `apt` commands apply to Debian and Ubuntu. On RHEL and derivatives, use `rpm -q rsyslog` and `yum install rsyslog` or `dnf install rsyslog`.
{% endhint %}

3. Create a new rsyslog configuration file in `/etc/rsyslog.d/`:

```bash
   nano /etc/rsyslog.d/100-radiant-agent.conf
```

4. Paste the following configuration into the file:

```
   action(
       type="omfwd"
       target="RADIANT_AGENT_HOST"
       port="RADIANT_AGENT_PORT"
       protocol="tcp"
       template="RSYSLOG_ForwardFormat"
       queue.type="linkedList"
   )
```

Replace the placeholders with the values you confirmed at the start of this section:

* `RADIANT_AGENT_HOST`: the IP address or hostname of the Radiant Agent.
* `RADIANT_AGENT_PORT`: the port configured on the Radiant Agent to receive Linux server logs.

{% hint style="info" %}
The `queue.type="linkedList"` setting prevents rsyslog from blocking on the local host if the Radiant Agent becomes unreachable. Buffered messages are forwarded once the agent is reachable again.
{% endhint %}

5. Save the file by pressing `Ctrl + O`, then `Enter`. Exit nano by pressing `Ctrl + X`.
6. Confirm the configuration file was created:

```bash
   ls /etc/rsyslog.d/100-radiant-agent.conf
```

The command should return the full file path. If it returns `No such file or directory`, repeat steps 3 through 5.

7. Restart the rsyslog service:

```bash
   systemctl restart rsyslog
```

8. Confirm the service is running:

```bash
   systemctl status rsyslog
```

The output should include `Active: active (running)`.

Once rsyslog has been configured on every Linux server in scope, the Radiant Agent receives logs from each server on the configured port and forwards them to Radiant for AI triage.
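
A pre-restart check for the procedure above, as an added example that is not part of Radiant's documentation: it confirms that both placeholders in `100-radiant-agent.conf` were replaced, then runs rsyslog's own configuration check (`rsyslogd -N1`) so a broken drop-in is caught between steps 6 and 7 instead of after the restart. The function names `conf_param` and `check_forwarding_conf` and the script name in the comment are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: checks for the drop-in from steps 3-4 before restarting rsyslog.
# Function names are hypothetical; they are not part of rsyslog or Radiant.

# Print the value of one key="value" parameter from the action() block.
conf_param() {  # usage: conf_param FILE KEY
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when the drop-in is filled in; otherwise print each problem found.
check_forwarding_conf() {  # usage: check_forwarding_conf FILE
    local file="$1" rc=0 target port proto
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    target=$(conf_param "$file" target)
    port=$(conf_param "$file" port)
    proto=$(conf_param "$file" protocol)
    case "$target" in
        ""|RADIANT_AGENT_HOST) echo "target placeholder not replaced"; rc=1 ;;
    esac
    case "$port" in
        ""|*[!0-9]*) echo "port is not a number: '$port'"; rc=1 ;;
        ??????*)     echo "port out of range: $port"; rc=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               { echo "port out of range: $port"; rc=1; } ;;
    esac
    [ "$proto" = "tcp" ] || { echo "protocol is '$proto', expected tcp"; rc=1; }
    return "$rc"
}

# Run only when a file is given, e.g.:
#   bash check-radiant-forwarding.sh /etc/rsyslog.d/100-radiant-agent.conf
if [ -n "${1:-}" ]; then
    check_forwarding_conf "$1" || exit 1
    # rsyslog's built-in syntax check of the whole configuration (no restart).
    rsyslogd -N1 || exit 1
    echo "OK: $1 is filled in and rsyslog accepts the configuration"
fi
```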

