Tuesday, June 7, 2016

Enabling Remote Syslogging with rsyslog

If you have a central logging system and you need to forward syslogs from your linux server to it, the commands are pretty simple especially if you're using rsyslog.

First, open the configuration file with your favorite text editor (my choice was nano)

nano /etc/rsyslog.conf

Add to the bottom of the file the following statement where XX.XX.XX.XX is the ip address or hostname of your remote log collection server.

*.* @XX.XX.XX.XX:514

Then restart the syslog service for the changes to take effect

service rsyslog restart

Then validate syslogging is actually sending by running tcpdump and capturing traffic going outbound to that ip

tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89

You can also verify syslog itself is enabled and working by viewing some of they key log files that should have your logs at the bottom of them

nano /var/log/auth.log
nano /var/log/syslog

Hope that helps make your remote syslogging nice and easy.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment