A centralised syslog server helps you to keep track of activities that are happening on remote systems. The centralised facility saves time, as one does not need to log into each client to check its logs, and additionally it becomes very handy when a remote system crashes or is compromised, because a copy of its logs already sits on another host.
A. Server:
I. Installation
By default the rsyslog package (syslog on older systems) is installed. If not, one can install it as:
# yum install rsyslog -y
II. Configuration
1. By default rsyslog is not configured to receive logs/messages from remote systems. One needs to enable remote logging by uncommenting the following lines in "/etc/rsyslog.conf":
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
2. Once the changes are made, restart the rsyslog service as:
# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
3. Check that it is listening on the correct ports (both TCP and UDP):
# netstat -atupn | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 14374/rsyslogd
tcp 0 0 :::514 :::* LISTEN 14374/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 14374/rsyslogd
udp 0 0 :::514 :::* 14374/rsyslogd
4. Allow the syslog port (port 514) to accept connections from the clients for both TCP and UDP (an example only, IP 192.168.1.11 acts as client). Note that the /24 mask used below admits the whole 192.168.1.0/24 network, not just that one host; use /32 to restrict the rule to a single client. The rule positions 4 and 5 assume the default CentOS INPUT chain, so adjust them to your own rule order:
# iptables -I INPUT 4 -p tcp --dport 514 -s 192.168.1.11/24 -j ACCEPT
# iptables -I INPUT 5 -p udp --dport 514 -s 192.168.1.11/24 -j ACCEPT
# service iptables save
# service iptables restart
B. Client:
1. On the client system (i.e. 192.168.1.11), install the rsyslog package as on the server.
2. Open /etc/rsyslog.conf
Navigate to the bottom of the file and add the type of log you want your remote server to keep track of, e.g. I did the following:
*.info;mail.none;authpriv.none;cron.none @192.168.1.10
3. Restart the rsyslog service:
# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
Now, on the server we may check the /var/log/messages file to see if the activities on the remote client are being logged!
Happy logging! :)
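As an added example that is not part of the original post, the following shell script checks the two edits above before the daemon is restarted: that the server's rsyslog.conf really has imudp and imtcp reception uncommented (a line that still starts with "#" does nothing), and which remote target the client forwards to. The sample configuration files are constructed inside the script; point the functions at the real /etc/rsyslog.conf on your own hosts.

```shell
#!/bin/sh
# Added example, not from the original post: validate rsyslog.conf edits
# before restarting the daemon. The sample configs are constructed here
# and written to a temp dir; use the real /etc/rsyslog.conf in practice.

# Return 0 when the conf loads imudp and imtcp and binds both to $port.
# Commented-out lines (leading '#') do not count.
server_reception_enabled() {
    conf=$1; port=${2:-514}
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imudp' "$conf" &&
    grep -Eq '^[[:space:]]*\$UDPServerRun[[:space:]]+'"$port"'[[:space:]]*$' "$conf" &&
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imtcp' "$conf" &&
    grep -Eq '^[[:space:]]*\$InputTCPServerRun[[:space:]]+'"$port"'[[:space:]]*$' "$conf"
}

# Print each active forwarding target in a client conf ("@host" forwards
# over UDP, "@@host" over TCP, so a "@" target needs the server's imudp).
client_forward_targets() {
    grep -E '^[^#].*[[:space:]]@@?[^[:space:]]+' "$1" |
        sed -E 's/.*[[:space:]](@@?[^[:space:]]+).*/\1/'
}

tmp=$(mktemp -d)
# Server conf as shipped: reception lines still commented out.
cat > "$tmp/server-default.conf" <<'EOF'
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
EOF
# The same file after uncommenting, as the post describes.
sed 's/^#[$]/$/' "$tmp/server-default.conf" > "$tmp/server-enabled.conf"
# Client conf carrying the post's forwarding rule (UDP to 192.168.1.10).
cat > "$tmp/client.conf" <<'EOF'
*.info;mail.none;authpriv.none;cron.none /var/log/messages
*.info;mail.none;authpriv.none;cron.none @192.168.1.10
EOF

for f in server-default server-enabled; do
    if server_reception_enabled "$tmp/$f.conf"; then
        echo "$f: remote reception enabled on 514/udp and 514/tcp"
    else
        echo "$f: remote reception NOT enabled"
    fi
done
echo "client forwards to: $(client_forward_targets "$tmp/client.conf")"
```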