Rsyslog

From Network Security Wiki



Syslog Server

Rsyslog is installed by default on current Ubuntu Server releases. Install it if it is not already present:

sudo apt-get install rsyslog

Edit the rsyslog config file and enable the UDP and TCP input modules:

sudo nano /etc/rsyslog.conf
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Restart the rsyslog service:

sudo service rsyslog restart

Verify that the server is listening on this port:

netstat -an | grep 514

Validate your rsyslog configuration file:

sudo rsyslogd -N1

Syslog Client

  • On the client machine, edit the default rules file:
sudo nano /etc/rsyslog.d/50-default.conf
  • Add the following line at the top of the file, before the "log by facility" section. A single @ forwards over UDP; use @@ for TCP (the server configuration above listens on both):
*.*                         @10.107.88.93:514


  • If you want only certain facilities (here auth and authpriv) to be logged to the remote server:
auth,authpriv.*              @10.107.88.93:514
  • Settings for when the rsyslog server is down (buffer messages in an on-disk queue and retry forever). In this legacy syntax the $ActionQueue* directives apply to the next action defined, so place them immediately before the forwarding line:
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
  • Restart the rsyslog service:
sudo service rsyslog restart

For verification, the following commands generate test syslog messages; check that they arrive at the server:

logger "Hello World"
logger -t ScriptName "Hello World"
logger -p local4.info "This is a info message from local 4"
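The logger commands encode facility and severity into the message's PRI header, and the selectors in the client config (*.* and auth,authpriv.*) decide which messages are forwarded. The following Python is an added example, not from this wiki page, that computes and parses the PRI value and evaluates legacy selector lines; the hostname, timestamp and sample line are constructed.

```python
import re

# Standard syslog facility and severity numbers (RFC 3164 / rsyslog).
FACILITY = {n: i for i, n in enumerate(
    ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
     "uucp", "cron", "authpriv", "ftp"])}
FACILITY.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY = {n: i for i, n in enumerate(
    ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"])}

MSG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")

def encode_pri(facility, severity):
    """PRI value sent in the '<PRI>' header, e.g. logger -p local4.info -> 166."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def decode_pri(pri):
    """Split a PRI back into (facility number, severity number)."""
    return pri >> 3, pri & 7

def rule_matches(rule, pri):
    """Evaluate a legacy selector list such as '*.*', 'auth,authpriv.*' or
    '*.*;auth,authpriv.none' against a message PRI. A named level means that
    severity or more severe; later selectors override earlier ones for the
    facilities they name, which is how 'none' carves a facility out of '*.*'.
    The '=' and '!' level modifiers are not handled here."""
    fac, sev = decode_pri(pri)
    threshold = None                      # None: no selector matched so far
    for sel in rule.split(";"):
        facs, level = sel.strip().rsplit(".", 1)
        if facs != "*" and fac not in {FACILITY[f] for f in facs.split(",")}:
            continue
        threshold = None if level == "none" else (7 if level == "*" else SEVERITY[level])
    return threshold is not None and sev <= threshold

def format_message(pri, timestamp, host, tag, text):
    """Build the BSD-syslog line that logger(1) hands to rsyslog."""
    return f"<{pri}>{timestamp} {host} {tag}: {text}"

def parse_message(line):
    """Parse a BSD-syslog line into a dict; returns None if it does not match."""
    m = MSG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    fac, sev = decode_pri(pri)
    return {"pri": pri, "facility": fac, "severity": sev, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "text": m.group(5)}

# Constructed sample: what `logger -t ScriptName -p local4.info ...` would emit.
SAMPLE = format_message(encode_pri("local4", "info"), "Jan  1 12:00:00",
                        "client01", "ScriptName", "This is a info message from local 4")
```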


