Rsyslog is an open-source software utility used for forwarding log messages in UNIX and Unix-like computer systems over IP networks and collecting logs. It implements the basic syslog protocol, extending it with content-based filtering, rich filtering capabilities, flexible configuration options, and features such as TCP transport.
1. Configure the environment
System: Debian
2. Rsyslog Configuration
Linux systems generally ship with the Rsyslog service installed but not enabled as a receiver; modifying the configuration file is all that is needed to use it. First, if Rsyslog is not installed, install it with sudo apt-get install rsyslog, and make sure that logging port 514 ends up listening. Edit the /etc/rsyslog.conf file as follows:
#provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
#provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
Modify to:
#provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
#provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
Save the file and restart the service with service rsyslog restart.
Next, edit /etc/default/rsyslog with vim and set the daemon options (-r allows receiving log messages from external hosts; -x disables DNS lookups for received messages; see Note 1):
RSYSLOGD_OPTIONS="-c5 -r -x"
Save and exit, then restart rsyslog:
service rsyslog restart
Check that it has started and is listening on port 514:
netstat -nultp | grep 514
Ensure that the firewall allows port 514 for both TCP and UDP.
To save incoming logs based on IP, simply add the following configuration:
:FROMHOST-IP, isequal, "<sending host IP>" <save path>
:FROMHOST-IP, isequal, "192.168.1.80" /var/log/rsyslog/192.168.1.80/Snort.log
:FROMHOST-IP, isequal, "192.168.1.127" /var/log/rsyslog/192.168.1.127/Ossec.log
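The per-IP filters above need one line per sender. As an added example (not part of the original post), the following RainerScript configuration for rsyslog v7 or newer does the same job with a dynamic file template, so every sending host automatically gets its own directory, and it restricts who may send at all. The collector address 192.168.1.10 and the sender subnet 192.168.1.0/24 are assumptions.

```rsyslog
# Added example, not from the original post. Assumes rsyslog v7+, collector
# listening on 192.168.1.10, senders (Snort, OSSEC hosts) in 192.168.1.0/24.
module(load="imudp")
module(load="imtcp")

# Drop messages from any address outside the monitored subnet before they are
# parsed or written. These legacy directives are still honoured by imudp/imtcp
# and must appear after the module is loaded and before its listener.
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24

# Bind the UDP listener to the internal interface only, and send all remote
# traffic to a dedicated ruleset so it never mixes with the local rules.
input(type="imudp" port="514" address="192.168.1.10" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending host. FROMHOST-IP is the peer address seen on the socket,
# which a sender cannot set freely the way it can the HOSTNAME field of a message.
template(name="PerHostFile" type="string"
         string="/var/log/rsyslog/%FROMHOST-IP%/%PROGRAMNAME%.log")

ruleset(name="remote") {
    # Create directories and files so only root and the adm group can read them.
    action(type="omfile" dynaFile="PerHostFile"
           dirCreateMode="0750" fileCreateMode="0640"
           fileOwner="root" fileGroup="adm")
    # Do not fall through to the default rules (e.g. /var/log/syslog).
    stop
}
```

After restarting rsyslog, a message from 192.168.1.80 whose program name is snort lands in /var/log/rsyslog/192.168.1.80/snort.log; a datagram from outside 192.168.1.0/24 is discarded and never touches the disk.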
Note 1:
1. Add -r to allow receiving log messages from external hosts.
2. Add -x to disable DNS lookups for received messages.
3. Add -m to change the interval at which syslog writes its internal mark message (0 turns it off). For example, -m 180 adds a timestamp message to the log file every 180 minutes (8 times a day).
4. Add -h: by default syslog does not forward messages received from remote hosts to other hosts; this option enables it, so all received messages are forwarded to the @host defined in syslog.conf.