Starting the Syslog Writer

To start the syslog writer:

  1. Check the images list. If the list contains syslogwriter_image, delete it first.

    sudo docker images

  2. Copy the zip file from SFTP to a convenient location and extract it. On a Windows Server VM, make sure that the extracted folder is under the shared folder, c:\Users.

    For example, the extracted folder: C:\Users\<username>\apps\cisp_syslog_writer

  3. Load the image from the tar file and make sure that syslogwriter_image is in the images list:

    cd <extracted_path>/cisp_syslog_writer
    sudo docker load < syslog-writer-img.tar.gz
    sudo docker images

  4. Run the Syslog Writer container.

    Note: To run version 20.1-100, specify the version at the end of the command.

    For a cloud tenant, you can run this command directly. However, if you are using an On-Premise Tenant, refer to the additional steps in the next section before running the following run command.

    sudo docker run --name syslog-writer -it --log-driver json-file --log-opt max-size=10m --net=host -v `pwd`/data:/home/centrify-syslog-writer/data syslogwriter_image:20.1-100

    If SELinux is enabled on CentOS/RHEL, run the following command instead:

    sudo docker run --name syslog-writer -it --log-driver json-file --log-opt max-size=10m --net=host -v `pwd`/data:/home/root/centrify-syslog-writer/data:Z syslogwriter_image:20.1-100

  5. When prompted, enter:
    • The Tenant URL (for example,
    • The username and password of the SIEM user
    • The IP address of the Syslog server if it is remote. Otherwise, just press Enter for a local Syslog server. Note that for Windows Servers, this is the IP address of Machine #2.

  6. Check CISP events on the Syslog server.

    The Syslog Writer is now up and running. The first run starts immediately; because the default value for the frequency parameter is five minutes, the Syslog Writer then runs once every five minutes.
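The following helper script is an added example, not part of the original instructions or the product's own tooling. It automates steps 1, 3 and 4 above on a CentOS/RHEL host: it checks the image list for an existing syslogwriter_image (exact repository match, so a similarly named image is not mistaken for it), loads the tar file, verifies the image is listed, and chooses the :Z-labelled mount when getenforce reports that SELinux is enabled. The image name, tag, tarball name and mount paths are taken from the commands above; it assumes the data folder is ./data under the extracted folder.

```shell
# Added helper, not part of the original instructions: automates steps 1, 3 and 4
# (remove stale image, load the tar, verify it is listed, pick the SELinux-aware
# mount). Names, tag and paths come from the steps above; data dir is ./data.
IMAGE_NAME="syslogwriter_image"
IMAGE_TAG="20.1-100"
TARBALL="syslog-writer-img.tar.gz"

# Reads `docker images` output on stdin; succeeds only if the REPOSITORY column
# matches IMAGE_NAME exactly, so a similarly named image does not count.
image_present() {
    awk -v name="$IMAGE_NAME" \
        'NR > 1 && $1 == name { found = 1 } END { exit found ? 0 : 1 }'
}

# $1 is the output of `getenforce`; Enforcing and Permissive both mean SELinux
# is enabled and the bind mount needs the :Z relabel.
selinux_active() {
    case "$1" in
        Enforcing|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the -v argument for step 4. $1 = SELinux mode, $2 = host directory
# that contains the data folder.
volume_spec() {
    if selinux_active "$1"; then
        printf '%s/data:/home/root/centrify-syslog-writer/data:Z\n' "$2"
    else
        printf '%s/data:/home/centrify-syslog-writer/data\n' "$2"
    fi
}

# Run from the extracted cisp_syslog_writer folder; needs docker and sudo.
deploy() {
    # Step 1: remove every tag of an existing syslogwriter_image before loading.
    if sudo docker images | image_present; then
        sudo docker images "$IMAGE_NAME" --format '{{.Repository}}:{{.Tag}}' \
            | xargs -r -n1 sudo docker rmi
    fi
    # Step 3: load the image and confirm it is now listed.
    sudo docker load < "$TARBALL"
    sudo docker images | image_present || { echo "image not loaded" >&2; return 1; }
    # Step 4: getenforce is missing on hosts without SELinux; treat as Disabled.
    mode=$(getenforce 2>/dev/null || echo Disabled)
    sudo docker run --name syslog-writer -it --log-driver json-file \
        --log-opt max-size=10m --net=host \
        -v "$(volume_spec "$mode" "$(pwd)")" "$IMAGE_NAME:$IMAGE_TAG"
}
```

Source the file and call `deploy` from the extracted folder; the container still prompts interactively for the values listed in step 5.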