---
tags: ccdc
---

# rsyslog config

---
> 02/19/2019
> Joel D. Keller

---

## Server configuration:

### Steps

* Ensure rsyslog is installed: just check that `/etc/rsyslog.d/` exists (it is present by default on most Linux systems).
* Then in a root terminal type `nano /etc/rsyslog.conf`
* Then uncomment these lines (normally lines 19 and 20 and lines 22 and 23) by removing the `#` from the beginning of each line. This will allow the server to receive system logs over either TCP or UDP.

```bash
# provides UDP syslog reception
# $ModLoad imudp
# $UDPServerRun 514

# provides TCP syslog reception
# $ModLoad imtcp
# $InputTCPServerRun 514
```

* Then below `$InputTCPServerRun 514` put the lines:

```bash
$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%$now%_%$hour%.log"
if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting
& stop
```

* Then press `control+x`, then `y`, then Enter. You will find yourself back at a terminal prompt.
* Then in a root terminal run `service rsyslog restart`.
* Ensure your firewall allows traffic on port 514. Now your server is ready to receive logs.
* Use the command `tail -f /var/log/remotehosts/<hostname>/<date>_<hour>.log` to watch the logs arriving from a host (the template above writes one file per host per hour).

### Relevant portions of the final server config

```bash
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%$now%_%$hour%.log"
if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting
& stop
```

---

## Client Configuration

### Linux Client configuration:

#### Steps

* Ensure rsyslog is installed: just check that `/etc/rsyslog.d/` exists (it is present by default on most Linux systems).
* Then in a root terminal run: `nano /etc/rsyslog.d/50-default.conf`. If this file is empty, skip the next step.
* If the file is not empty, press `control+x` and back in the root terminal run: `mv /etc/rsyslog.d/50-default.conf /etc/rsyslog.d/50-default.old`. This command should have no output. Then type: `nano /etc/rsyslog.d/50-default.conf`. The file should now be empty.
* At the top of the file add the line: `*.* @ip.ip.ip.ip:514` where ip.ip.ip.ip is the IP address of the log server.
* Then press `control+x`, then `y`, then Enter. You will find yourself back at a terminal prompt.
* Then in a root terminal run `service rsyslog restart`.
* Ensure your firewall allows traffic on port 514. Now your client should send all its logs to your rsyslog server.

#### Relevant portions of the final linux client config

```bash
*.* @ip.ip.ip.ip:514
```

### FreeBSD Client Configuration:

#### Steps

* In a root terminal type: `vi /etc/rc.conf` and press the `i` key to enter insert mode in the opened document.
* Then at the bottom of the document, on a new line, add the lines:

```sh
syslogd_enable="YES"
syslogd_flags="-s -vv"
```

* Then press `shift+:`, then type `wq`, then press Enter. You will find yourself back at a terminal prompt.
* In the root terminal run: `mv /etc/syslog.conf /etc/syslog.old`
* In a root terminal type: `vi /etc/syslog.conf` and press the `i` key to enter insert mode in the opened document.
* At the top of the file add the line: `*.* @ip.ip.ip.ip:514` where ip.ip.ip.ip is the IP address of the log server.
* Then press `shift+:`, then type `wq`, then press Enter. You will find yourself back at a terminal prompt.
* Then in the root terminal type: `/etc/rc.d/syslogd restart`
* Ensure your firewall allows traffic on port 514. Now your client should send all its logs to your rsyslog server. To test, type: `logger "Test message from FreeBSD logclient"` and check the server.
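Because the client line `*.* @ip.ip.ip.ip:514` forwards over UDP (a single `@`; `@@` selects TCP), the server gets no notice when a host stops sending, so the practical check is to watch the per-host files the `RemoteLogsTesting` template creates. The script below is an added example, not part of the original notes: it reports any host directory under the remotehosts tree whose newest `YYYY-MM-DD_HH` file is older than a threshold, run here against a constructed directory tree with a fixed "now"; it assumes GNU `find` and `date`, as the notes' own rotate script does.

```shell
#!/bin/bash
# Added example (not part of the original notes). Reports hosts under the
# remotehosts tree that have gone quiet, using the file names the
# RemoteLogsTesting template produces: <root>/<host>/YYYY-MM-DD_HH.log
# (or .gz once the rotate script has compressed them). Assumes GNU find/date.

# newest_stamp_epoch DIR -> epoch seconds of the newest YYYY-MM-DD_HH file in
# DIR, judged by name rather than mtime so a touched file cannot mask silence.
# Returns 1 when DIR holds no log files at all.
newest_stamp_epoch() {
    local newest stamp
    newest=$(find "$1" -maxdepth 1 \( -name '*.log' -o -name '*.gz' \) -printf '%f\n' 2>/dev/null | sort | tail -n 1)
    [ -n "$newest" ] || return 1
    stamp=${newest%.*}                   # 2019-02-19_14
    date -d "${stamp/_/ }:00" +%s        # "2019-02-19 14:00" -> epoch seconds
}

# silent_hosts ROOT MAX_AGE_SECONDS NOW_EPOCH -> one line per host whose newest
# file is older than MAX_AGE_SECONDS, or that never produced a file.
silent_hosts() {
    local root=$1 max_age=$2 now=$3 dir host last
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        host=$(basename "$dir")
        if last=$(newest_stamp_epoch "$dir"); then
            if (( now - last > max_age )); then
                echo "$host silent since $(date -d "@$last" '+%F %H:00')"
            fi
        else
            echo "$host has no log files"
        fi
    done
}

# Constructed sample tree standing in for /var/log/remotehosts, with "now"
# pinned to 2019-02-19 14:30 so the result is reproducible offline.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/web01" "$demo_root/db01" "$demo_root/dc01"
: > "$demo_root/web01/2019-02-19_13.gz"     # already rotated
: > "$demo_root/web01/2019-02-19_14.log"    # still logging this hour
: > "$demo_root/db01/2019-02-19_09.log"     # last seen five hours ago
# dc01: the directory exists but no file was ever written

now=$(date -d "2019-02-19 14:30" +%s)
silent_hosts "$demo_root" $((2 * 3600)) "$now"
# prints: db01 silent since 2019-02-19 09:00 / dc01 has no log files
```

On the server, run it from cron with `/var/log/remotehosts` as the root and `$(date +%s)` as the current time; `rsyslogd -N1` is the matching sanity check for the server config itself, run before `service rsyslog restart`.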
### Windows Client Configuration:

#### Installation Guide:

* Open a web browser
* Navigate to: http://www.rsyslog.com/windows-agent/windows-agent-download/ (short URL: http://bit.do/rsyslogWin)
* Download Windows Rsyslog Agent 1.1b (*newer versions don't work sometimes*)
* Execute the downloaded file
* Go through the installation wizard and install it to a location
* Setup type should be complete
* Hit install
* Once the download finishes, navigate to the downloaded folder and open the application
* Select your preferred language and hit start
* You have now installed rsyslog agent

#### Usage Guide:

* In the Rsyslog Windows Agent Configuration Client navigate to RuleSets → DefaultRuleSet → ForwardSyslog → Actions → Rsyslog
* Change Syslog Server to the IP of your syslog server
* Hit save
* Navigate to Templates → ServiceTemplates → File&System Monitoring Services → Event Log Monitor V2
* Everything should currently be selected as default.
* Deselect everything except Security
* Hit save
* At the tool bar of Rsyslog Agent hit the run icon |>
* Rsyslog should now be running and sending security logs to your specified server on port 514. Other log files can be specified at your own choosing.

## rsyslog log rotate script

### Script

```bash
#!/bin/bash
# Rotates the per-host files written by the RemoteLogsTesting template
# (/var/log/remotehosts/<host>/YYYY-MM-DD_HH.log): compresses logs older than
# $hours_unzipped hours and deletes archives older than $months_kept months.
remote_folder="/var/log/remotehosts/"
hours_unzipped="3"
months_kept="6"

zip_date=$(date -d "-$hours_unzipped hours" +%s)
month_del=$(date -d "-$months_kept months" +%s)

# Turn a path ending in YYYY-MM-DD_HH (extension already stripped) into epoch
# seconds; "2019-02-19_14" becomes "2019-02-19 14:00" for GNU date.
stamp_to_epoch() {
    local stamp
    stamp=$(basename "$1")
    date -d "${stamp/_/ }:00" +%s
}

# Compress logs older than the threshold. Only the .log suffix is stripped, so
# hostnames containing dots (host.example.com) keep their full path.
find "$remote_folder" -type f -name '*.log' | while read -r f; do
    l=${f%.log}
    curr=$(stamp_to_epoch "$l") || continue   # skip files that do not match the naming scheme
    if [[ "$curr" -lt "$zip_date" ]]; then
        echo "zipped $l"
        gzip --best -c "$l.log" > "$l.gz" && rm -f "$l.log"   # keep the .log if gzip failed
    fi
done

# Delete archives older than the retention period.
find "$remote_folder" -type f -name '*.gz' | while read -r f; do
    l=${f%.gz}
    curr=$(stamp_to_epoch "$l") || continue
    if [[ "$curr" -lt "$month_del" ]]; then
        echo "deleted $l"
        rm -f "$l.gz"
    fi
done

logger 'rsyslog rotate ran.'
```

### Autorun

As root:

```bash
crontab -e    # edit the crontab, then add the entry below
# m h  dom mon dow   command
0 * * * * bash /full/path/to/rsyslog_rotate.sh >> /full/path/to/rotate.log   # run every hour on the hour
```

### Manual run

```bash
bash /full/path/to/rsyslog_rotate.sh
```