Rsyslog

From Network Security Wiki



Syslog Server

Rsyslog is installed by default on recent Ubuntu Server releases. Install it if it is not already present:

sudo apt-get install rsyslog

Edit the Rsyslog config file and uncomment (or add) the following lines so the server accepts remote messages over UDP and TCP:

sudo nano /etc/rsyslog.conf
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart rsyslog service

sudo service rsyslog restart

Verify that the server is listening on this port:

netstat -an | grep 514

Validate your rsyslog configuration file:

sudo rsyslogd -N1

Syslog Client

  • On the Client Machine, edit the default rules file:
sudo nano /etc/rsyslog.d/50-default.conf
  • Add the following line at the top of the file, before the "log by facility" section (a single @ forwards over UDP; use @@ to forward over TCP):
/etc/rsyslog.d/50-default.conf
*.*                         @10.107.88.93:514


  • In case you want only certain syslog facilities (here authentication messages) to be logged to the remote server:
auth,authpriv.*              @10.107.88.93:514
  • Settings so messages are queued on disk and retried while the Rsyslog server is unreachable (these directives apply to the next action, so place them before the forwarding rule):
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
  • Restart rsyslog service
sudo service rsyslog restart

For verification, the commands below generate new Syslog messages that should appear on the server:

logger "Hello World"
logger -t ScriptName "Hello World"
logger -p local4.info "This is a info message from local 4"

Generate Syslog messages

  • Test UDP syslog messages on port 514 with the following command:
echo "<14>Test UDP syslog message" >> /dev/udp/<target_hostname_or_ip_address>/514
  • Test TCP syslog messages on port 514 with the following command:
echo "<14>Test TCP syslog message" >> /dev/tcp/<target_hostname_or_ip_address>/514
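The <14> prefix in the test messages above is the syslog PRI value, facility * 8 + severity (14 = user.info; the local4.info used with logger earlier is 166). The following Python script is an added example and not part of the wiki page: it encodes a selector into a PRI, decodes the PRI of a received message, and performs a UDP round trip on an ephemeral loopback port so the check runs without root and without a real server (hostnames and ports in it are constructed for the demo).

```python
import socket

# Facility and severity codes from RFC 3164 / RFC 5424; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def build_pri(facility: str, severity: str) -> int:
    """Encode a facility.severity selector (e.g. local4.info) as a syslog PRI."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_message(raw: bytes) -> dict:
    """Decode the <PRI> prefix of a syslog line into facility/severity names."""
    text = raw.decode("utf-8", errors="replace").rstrip("\n")
    if not text.startswith("<") or ">" not in text[:5]:
        raise ValueError("missing <PRI> prefix: %r" % text)
    pri_str, body = text[1:].split(">", 1)
    pri = int(pri_str)
    if not 0 <= pri <= 191:  # 23 facilities * 8 + 7 is the maximum legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility = FACILITY_NAMES.get(pri // 8, "facility%d" % (pri // 8))
    return {"facility": facility, "severity": SEVERITY_NAMES[pri % 8], "message": body}


def send_udp(host: str, port: int, facility: str, severity: str, message: str) -> bytes:
    """Send one datagram the same way 'echo >> /dev/udp/host/514' does; return the bytes sent."""
    datagram = ("<%d>%s" % (build_pri(facility, severity), message)).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (host, port))
    return datagram


def loopback_roundtrip(message: str = "Test UDP syslog message") -> dict:
    """Listen on an ephemeral loopback port (no root needed), send to it, parse what arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind(("127.0.0.1", 0))  # constructed test listener, not a real rsyslog server
        server.settimeout(2)
        port = server.getsockname()[1]
        send_udp("127.0.0.1", port, "user", "info", message)
        data, _ = server.recvfrom(2048)
    return parse_message(data)


if __name__ == "__main__":
    print(loopback_roundtrip())
```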

