rsyslog - Cyber-JL/SEC-350-01 GitHub Wiki

Lab 1.1 Routing and DMZ

log01

  1. Install rsyslog by running the following command:

    sudo yum install rsyslog -y
    
  2. Allow port 514/UDP and 514/TCP through the firewall:

    firewall-cmd --permanent --add-port 514/udp
    firewall-cmd --permanent --add-port 514/tcp
    firewall-cmd --reload
    
  3. Then edit rsyslog.conf to receive syslog messages via the specified ports:

     vi /etc/rsyslog.conf
    

(screenshot: /etc/rsyslog.conf with the UDP and TCP 514 listeners enabled; image not reproduced)

  4. Then check that rsyslog is listening on port 514:

    netstat -tupan | grep 514
    

(screenshot: netstat output showing rsyslog listening on 514; image not reproduced)

web01

  1. On web01 install rsyslog:

    sudo yum install rsyslog -y
    
  2. Then create the file /etc/rsyslog.d/sec350.conf:

    vi /etc/rsyslog.d/sec350.conf
    

(screenshot: contents of sec350.conf; its single forwarding line is explained in the NOTE below)

   NOTE: the line in sec350.conf means:
   user = syslog facility
   notice = syslog priority
   @ = UDP, @@ = TCP, so we are only going to send over UDP
   172.16.50.5 = remote syslog server (log01)

Test rsyslog messaging from web01 to log01

  1. On log01 run the following command:

    tail -f /var/log/messages
    
  2. From web01, after restarting rsyslog, run the command:

     logger -t test TESTFROMWEB01TOLOG01
    

rw01->SSH->web01->SSH->log01

  1. Lastly, on rw01, open a terminal and SSH to web01:

     ssh [email protected]
    
  2. Once SSHed into web01, SSH into log01 from there:

     ssh [email protected] 
    

Lab 2.2 - Syslog Organization

Custom rsyslog drop in file of log01

  1. Run the following command to change to the rsyslog drop-in directory:

    cd /etc/rsyslog.d
    
  2. In /etc/rsyslog.d, pull the provided file from https://raw.githubusercontent.com/gmcyber/sec350-share/main/03-sec350.conf:

    wget https://raw.githubusercontent.com/gmcyber/sec350-share/main/03-sec350.conf
    
  3. This configuration file dynamically creates and names log files based on hostname, date and process name. Input over UDP 514 is associated with the RemoteDevice ruleset, which in turn uses the dynamic template configuration called “DynFile”.

  4. Restart rsyslog on log01 and test from web01.

  5. Then, on web01, modify the rsyslog client configuration so that authentication events are forwarded to our log server, and restart the rsyslog service on web01. Reminder: this entry goes on web01, not log01. If you botch this you will set up a logging loop that will rather quickly fill up log01's hard drive.

  6. Test the log01 organization (the message is quoted so the shell does not treat "->" as a redirection):

    logger -t SEC350 "Testing web01->log01 custom rsyslog configuration"
    
  7. Logging Authorization Events

    1. In /etc/rsyslog.d/sec350.conf add the following:

    (screenshot of the line to add to sec350.conf; image not reproduced)

  8. Restart rsyslog.
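As an added example (not part of the lab or the course repository), a small Python checker for the legacy selector syntax explained in the NOTE under web01's sec350.conf and for the logging-loop hazard warned about in Lab 2.2 step 5: it parses forwarding lines, reports which ports log01 must listen on and have open in firewalld, and flags any rule that points at the host's own address. The regex and the sample drop-in are constructed for this example.

```python
import re
from dataclasses import dataclass

# Legacy rsyslog "selector action" line with a forwarding action, e.g.
# "user.notice @172.16.50.5" or "authpriv.* @@172.16.50.5:514".
# Assumption for this example: a simple regex, not rsyslog's own parser.
RULE_RE = re.compile(
    r"^\s*(?P<sel>[^\s#]+)\s+(?P<proto>@@?)(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$"
)

@dataclass(frozen=True)
class ForwardRule:
    facility: str   # "user", "authpriv", "*" ...
    priority: str   # "notice", "*" ...
    protocol: str   # "udp" for a single "@", "tcp" for "@@"
    host: str
    port: int       # syslog default 514 when no ":port" suffix is given

def parse_forward_rule(line):
    """Parse one config line; None for comments, blanks and local-file actions."""
    m = RULE_RE.match(line)
    if not m:
        return None
    facility, dot, priority = m.group("sel").partition(".")
    if not dot:
        return None
    return ForwardRule(facility, priority,
                       "tcp" if m.group("proto") == "@@" else "udp",
                       m.group("host"), int(m.group("port") or 514))

def forward_rules(conf_text):
    return [r for r in map(parse_forward_rule, conf_text.splitlines()) if r]

def required_listener_ports(rules):
    # What log01 must listen on and allow through firewalld for these rules.
    return {f"{r.port}/{r.protocol}" for r in rules}

def loop_risks(rules, local_addrs):
    # Rules that forward to this host's own address: on log01 such a rule
    # would re-ingest its own output and fill the disk, as the lab warns.
    return [r for r in rules if r.host in local_addrs]

# Constructed sample drop-in, as it might look on web01.
SAMPLE_CONF = """\
# forward user notices and all auth events to log01
user.notice @172.16.50.5
authpriv.* @@172.16.50.5
*.info /var/log/messages
"""
```

Run `loop_risks(forward_rules(open("/etc/rsyslog.d/sec350.conf").read()), {"172.16.50.5"})` on log01 to confirm the drop-in there contains no rule pointing back at itself.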