# rsyslog configuration

An open-source logging daemon used on Linux systems to collect log messages and forward them to a remote server over the network.

Install it with `sudo apt install rsyslog` (Debian/Ubuntu) or `sudo yum install rsyslog` (RHEL/CentOS).

## server

### open port 514 on the server

```
sudo firewall-cmd --add-port=514/tcp --permanent
sudo firewall-cmd --add-port=514/udp --permanent
sudo firewall-cmd --reload
```

### enable log input modules

`/etc/rsyslog.conf` must be edited so that rsyslog listens for syslog messages on port 514 over both TCP and UDP. Uncomment the lines that enable the UDP and TCP input modules on port 514, then restart the rsyslog service.

### monitor for incoming logs

- `tail -f /var/log/messages`

## client

### configure log forwarding to the server

- rsyslog must be installed on the client as well: `sudo yum install rsyslog`
- create the file `/etc/rsyslog.d/sec350.conf` containing the line `user.notice @172.16.50.5`, then restart rsyslog

> **_NOTE:_** the line in sec350.conf means:
> - `user` = syslog facility
> - `notice` = syslog priority
> - `@` = UDP, `@@` = TCP, so here we only send UDP
> - `172.16.50.5` = remote syslog server
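
The configuration the steps above leave to the reader, added here as an example and not content from the original page: the server input stanzas that the "enable log input modules" step uncomments, and a hardened version of the client's `sec350.conf` that keeps the same selector but forwards over TCP with a disk-assisted queue. The `/var/log/remote/` path and the queue file name are my own choices; the server address 172.16.50.5 and the file name sec350.conf are the page's.

```conf
# --- server side: /etc/rsyslog.conf (the lines the "enable log input modules"
# --- step uncomments). RainerScript syntax; older distro files ship the
# --- equivalent legacy lines "$ModLoad imudp" / "$UDPServerRun 514" and
# --- "$ModLoad imtcp" / "$InputTCPServerRun 514" commented out instead.
# --- Uncomment or add each module once; loading it twice is an error.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Keep each remote host's messages in its own file rather than mixed into
# /var/log/messages (the directory path is an assumed choice). "stop" keeps the
# same remote entries from also matching the local rules further down.
template(name="RemoteLog" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
if ($fromhost-ip != "127.0.0.1") then {
    action(type="omfile" dynaFile="RemoteLog")
    stop
}

# --- client side: /etc/rsyslog.d/sec350.conf
# Same "user.notice" selector as the page (notice and every more severe level
# of the user facility), but sent over TCP, i.e. the "@@" form, with a
# disk-assisted queue: while 172.16.50.5 is unreachable, messages are spooled
# to a file in rsyslog's work directory and retried indefinitely instead of
# being silently lost the way plain UDP forwarding loses them.
user.notice action(type="omfwd" target="172.16.50.5" port="514" protocol="tcp"
                   queue.type="LinkedList" queue.filename="fwd_sec350"
                   queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Both the `@` and `@@` forms send the messages in cleartext, so on an untrusted network the next step is rsyslog's TLS stream driver (`StreamDriver="gtls"` on the same omfwd action). Restart rsyslog on both hosts after editing, as described above.
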
#### logging authpriv messages on Linux systems

### create test log

- `logger -t test TESTLOG123`