migrate to git.charlotte.sh

2025-04-19 23:42:08 -04:00 · 2025-04-19 23:42:08 -04:00 · fbd588721e
commit fbd588721e
412 changed files with 13750 additions and 0 deletions
--- a/net-sec-controls-sec350/rsyslog.md
+++ b/net-sec-controls-sec350/rsyslog.md
@ -0,0 +1,38 @@
+# rsyslog configuration
+an open-source software used on linux computer systems for forwarding log messages through a network. \
+`sudo apt/yum install rsyslog`
+
+## server
+### open ports 514 on server
+```
+sudo firewall-cmd --add-port=514/tcp --permament
+sudo firewall-cmd --add-port=514/udp --permament
+sudo firewall-cmd --reload
+```
+
+### enable log input modules
+the `/etc/rsyslog.conf` file needs to be modified to receive syslog messages over ports 514 tcp and udp. Uncomment the appropriate lines (see below) and restart the rsyslog service. \
+![image](../assets/48994d9b-0f17-4626-ab9d-985d37c5e506.png) 
+
+### monitor for incoming logs
+- `tail -f /var/log/messages`
+
+
+## client
+### configure log forwarding to server
+- rsyslog needs to be installed on client as well: `sudo yum install rsyslog`
+- create the following file: `/etc/rsyslog.d/sec350.conf`, add the line `user.notice @172.16.50.5`, and restart rsyslog
+![image](../assets/143d58a5-5713-4425-b1d5-d8f9dcf63cf0.png)
+
+> **_NOTE:_** the line in sec350.conf means: \
+> user = syslog facility \
+> notice = syslog priority \
+> @=UDP, @@ means TCP, so we are only going to send UDP \
+> 172.16.50.5 = Remote Syslog Server
+
+#### loggin authpriv messages on linux systems
+![image](../assets/77c2b1f5-6aa2-4e76-8db6-59feb31cb4fb.png)
+
+
+### create test log
+- `logger -t test TESTLOG123`