Setting Up Syslog (SEC 350) - Chromosom3/TechNotes GitHub Wiki

Setting Up Syslog

Intro

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. (Source: Wikipedia)

Syslog Server Setup

The first thing we will do to set up our syslog server is allow the syslog traffic through the firewall. There is no point in running the service if it can't communicate with clients. Since we are doing this on CentOS, we will use firewall-cmd to create the firewall rules. Syslog uses TCP and UDP port 514 by default. The firewall commands are firewall-cmd --add-port=514/tcp --permanent, firewall-cmd --add-port=514/udp --permanent, and firewall-cmd --reload. You can use firewall-cmd --list-all to check that the rules were created successfully. You can also use netstat -tupan | grep 514 to look at the active sockets on TCP or UDP port 514.


Now that the firewall is configured, let's move on to the syslog service. We will edit the /etc/rsyslog.conf file so that it accepts remote logs. You will want to ensure that the lines that enable reception of remote logs on port 514 are uncommented.


From there you can restart the syslog service on the server to apply the changes. Use systemctl restart rsyslog.

Syslog Client Setup

Setting up syslog on a client is relatively simple. We will create a new file in /etc/rsyslog.d/ and name it whatever we want; in this case the file will be called sec350.conf. Its contents are the single line below.

user.notice @172.16.50.5

The user portion of the line indicates the syslog facility. The notice section is the syslog priority. The single @ indicates that the traffic will be sent via UDP (you can use @@ for TCP). The final section, 172.16.50.5, indicates the IP address of the remote syslog server. From here we will want to restart the syslog service for the new setting to apply. This is done with systemctl restart rsyslog. You can use logger -t test TESTMESSAGE to test whether logs are being sent to the server; on the remote server, run tail -f /var/log/messages to watch the message arrive.

Updated Section

Server

In lab 2-1 we updated the rsyslog configuration file. The new configuration creates and names log files dynamically based on hostname, date and process name. Input over UDP port 514 is bound to the RemoteDevice ruleset, which in turn writes through the dynamic file template called "DynFile".

For this lab we are using the provided configuration file, which is downloaded with the wget command further below. The contents of the file are as follows.

module(load="imudp")
input(type="imudp" port="514" ruleset="RemoteDevice")
template(name="DynFile" type="string"
	string="/var/log/remote-syslog/%HOSTNAME%/%$YEAR%.%$MONTH%.%$DAY%.%PROGRAMNAME%.log"
)
ruleset(name="RemoteDevice"){
	action(type="omfile" dynaFile="DynFile")
}

To get this onto the syslog server we will simply use wget:

wget https://raw.githubusercontent.com/gmcyber/sec350-share/main/03-sec350.conf

Now if we run the command ls -lR --color /var/log/remote-syslog/ we can see the dynamically created files and directories.

Dynamic Syslog Directories
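As an added example (not part of the wiki page or of rsyslog), the following Python builds the datagram that the logger test from the client section sends, parses it the way the server does, and renders the DynFile template above for it; the timestamps and the loopback receiver are constructed stand-ins for the lab's web01 and 172.16.50.5.

```python
"""Added example, not from the wiki or rsyslog: the datagram 'logger -t test TESTMESSAGE'
emits under 'user.notice @172.16.50.5', parsed as the server sees it, then mapped to the
page's DynFile path. Hostnames and times are constructed."""
import re
import socket
from datetime import datetime

FACILITY = {"user": 1, "authpriv": 10}   # RFC 3164 facility codes used in this lab
SEVERITY = {"notice": 5, "info": 6}       # RFC 3164 severity codes used in this lab
SAMPLE_TIME = datetime(2023, 3, 1, 12, 0, 0)  # constructed clock value for the demo
# Template string from the page's 03-sec350.conf, with rsyslog's %property% markers.
DYNFILE = "/var/log/remote-syslog/%HOSTNAME%/%$YEAR%.%$MONTH%.%$DAY%.%PROGRAMNAME%.log"
# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG   (the [pid] part is optional)
RFC3164 = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")

def build_message(facility, severity, hostname, tag, msg, when=SAMPLE_TIME):
    """PRI is facility*8 + severity: user.notice gives <13>, authpriv.info gives <86>."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    stamp = f"{when:%b} {when.day:>2} {when:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"

def parse_message(raw):
    """Split a datagram into the fields rsyslog exposes as message properties."""
    m = RFC3164.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "programname": m.group(4), "msg": m.group(5)}

def dynfile_path(fields, received=SAMPLE_TIME):
    """Render DynFile as the server does: HOSTNAME and PROGRAMNAME come from the datagram,
    $YEAR/$MONTH/$DAY from the server clock (RFC 3164 stamps carry no year). Over plain UDP
    HOSTNAME is whatever the sender wrote; %FROMHOST-IP% records where it really came from."""
    return (DYNFILE.replace("%HOSTNAME%", fields["hostname"])
            .replace("%$YEAR%", f"{received.year:04d}")
            .replace("%$MONTH%", f"{received.month:02d}")
            .replace("%$DAY%", f"{received.day:02d}")
            .replace("%PROGRAMNAME%", fields["programname"]))

def loopback_exchange(datagram):
    """Loop one datagram through UDP on 127.0.0.1 so the exchange runs without a second host."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))  # port 0: the OS picks any free port instead of 514
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(datagram.encode(), server.getsockname())
    data, _peer = server.recvfrom(2048)
    client.close(); server.close()
    return data.decode()
```

Feeding the output of build_message through loopback_exchange, parse_message and dynfile_path reproduces the per-host, per-day, per-program file layout that ls -lR shows on the server.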

Client

On web01 we are going to update the /etc/rsyslog.d/sec350.conf file. The new file will have authpriv.* @172.16.50.5 appended to the end. Make sure to restart the service after making the change.

Client Configuration

We can also set up VyOS to send logs to the syslog server. To do this, run the following commands.

configure
set system syslog host 172.16.50.5 facility authpriv level info 
commit
save

VyOS Syslog