Tuesday, June 7, 2016

Enabling Remote Syslogging with rsyslog

If you have a central logging system and need to forward syslog messages from your Linux server to it, the commands are pretty simple, especially if you're using rsyslog.

First, open the configuration file with your favorite text editor (my choice was nano).

nano /etc/rsyslog.conf

Add the following statement to the bottom of the file, where XX.XX.XX.XX is the IP address or hostname of your remote log collection server.

*.* @XX.XX.XX.XX:514

Then restart the rsyslog service for the changes to take effect.

service rsyslog restart

Then validate that rsyslog is actually sending by running tcpdump and capturing traffic going outbound to that IP.

tcpdump -i eth0 host XX.XX.XX.XX
listening on eth0
13:41:57.322554 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.notice, length: 101
13:41:57.322909 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 104
13:41:57.323224 IP YY.YY.YY.YY.57529 > XX.XX.XX.XX.514: SYSLOG authpriv.info, length: 89


You can also verify that syslog itself is enabled and working by viewing some of the key log files, which should have your newest entries at the bottom.

nano /var/log/auth.log
nano /var/log/syslog
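The forwarding rule above uses a single @, which makes rsyslog send plain UDP datagrams (that is why the capture shows no TCP handshake; @@ would select TCP). As an added example that is not part of the original post, the following Python script stands in for both ends on loopback: it builds an RFC 3164 datagram with the same <PRI> header rsyslog forwards and decodes it back into the facility.severity names that tcpdump prints. The hostname, tag and message text are constructed values.

```python
import socket
import time

# Syslog facility and severity codes (RFC 3164); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility, severity, hostname, tag, text, timestamp=None):
    """Build a BSD-style syslog datagram like the ones rsyslog forwards for '*.* @host:514'."""
    pri = FACILITIES[facility] * 8 + SEVERITIES.index(severity)
    if timestamp is None:
        # rsyslog space-pads the day of month ("Jun  7"); %d zero-pads, which receivers also accept.
        timestamp = time.strftime("%b %d %H:%M:%S", time.localtime())
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}".encode()


def parse_pri(datagram):
    """Decode the <PRI> header back into (facility, severity) names, as tcpdump's decoder does."""
    if not datagram.startswith(b"<") or b">" not in datagram[:5]:
        raise ValueError("missing <PRI> header")
    pri = int(datagram[1:datagram.index(b">")])
    if pri > 191:  # highest defined value is local7.debug = 23 * 8 + 7
        raise ValueError("PRI out of range")
    facility_code, severity_code = divmod(pri, 8)
    facility = FACILITY_NAMES.get(facility_code, f"facility{facility_code}")
    return facility, SEVERITIES[severity_code]


def forward_and_collect(facility, severity, text, collector=("127.0.0.1", 0)):
    """Run a collector socket on a loopback port and forward one message to it over UDP."""
    collector_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector_sock.bind(collector)  # port 0 lets the OS pick a free port (real collectors use 514)
    collector_sock.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Constructed hostname, tag and text; in production these come from the forwarding host.
        msg = build_message(facility, severity, "webserver01", "sshd[2231]", text)
        sender.sendto(msg, collector_sock.getsockname())
        received, _ = collector_sock.recvfrom(65535)
    finally:
        sender.close()
        collector_sock.close()
    return parse_pri(received), received.decode()
```

Because UDP is connectionless and unencrypted, a message that never arrives leaves no trace on the sender, so keep the tcpdump check from above as your confirmation that datagrams are leaving the host.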


Hope that helps make your remote syslogging nice and easy.


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
