Categories: Linux Security

basic rsyslog server and client configuration

In this post I want to show you how to configure an rsyslog server and its clients in a simple way, and how to automate the installation and configuration with Ansible.

Why?

Yeah, logging and scrolling through logs can be boring. But the day will come when you need these logs, for example for debugging programs or for finding out what went wrong when something like a security incident happened.

rsyslog

rsyslog has been around for a while. It has aged well and is still widely used in the Linux world. The r in rsyslog stands for remote. In other words, we can store the log files centrally on a remote server. This has the advantage that if something happens on our servers, our logs are not necessarily lost.

Installation

The installation process is straightforward on most Linux distributions. Here is an example for Ubuntu and Debian:

sudo apt-get update -y
sudo apt-get install rsyslog -y

For RHEL systems use:

sudo yum install rsyslog -y

After installation you will have to start and enable the service. This starts rsyslog in the background, and if the server or client reboots, rsyslog will start automatically.

sudo systemctl start rsyslog
sudo systemctl enable rsyslog
sudo systemctl status rsyslog

The last command is for checking if the service is running.

Configuration

The entire configuration can be done in one file.

vi /etc/rsyslog.conf

Server

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging (/dev/log socket)
module(load="imjournal") # reads the systemd journal; with imuxsock also loaded, messages
                         # can arrive twice unless journald's ForwardToSyslog is off
#module(load="immark")  # provides --MARK-- message capability
# provides UDP syslog reception (binds all interfaces; add address="..." to restrict)
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
# (these rules run before the ones below, so received messages also hit the local default rules)
#
$IncludeConfig /etc/rsyslog.d/*.conf
######################
### OWN STUFF ########
######################
# One directory per sending host, one file per program. %HOSTNAME% and %PROGRAMNAME%
# are taken from the received message; %HOSTNAME:::secpath-replace% would turn any
# slashes in the field into underscores before the path is built.
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& stop   # discard the message for all following rules (replaces the deprecated "~")

The important part is the module section and the template at the end. First we load the logging modules with the module(load=...) statements. Then we define that our rsyslog server only listens on UDP port 514. You could also enable TCP on port 514 (imtcp), but in my case I'm fine with UDP.

At the end, I added the $template line to define how the received logs are saved: one directory per sending host under /var/log and one file per program.

# to check rsyslog configuration syntax
rsyslogd -f /etc/rsyslog.conf -N1
sudo systemctl restart rsyslog

Client

On the client, edit the same file as before (/etc/rsyslog.conf) and add the following lines to send the most common logs to the rsyslog server. You will have to adjust the target (the server's IP address) and maybe the protocol (tcp?) and queue.size (hope this doesn't get larger than 1Gb).

# Forward everything (*.*) to the central rsyslog server over UDP 514.
# Queue parameters belong inside the action() object: legacy $ActionQueue* directives
# only apply to the next legacy-format action line, so they would not affect this one.
# queue.size is a number of messages, not bytes; disk usage is capped by queue.maxdiskspace.
*.*  action(type="omfwd" target="192.168.178.6" port="514" protocol="udp"
            action.resumeRetryCount="-1"
            queue.type="linkedList" queue.size="1073741824"
            queue.filename="queue" queue.maxdiskspace="1g"
            queue.saveonshutdown="on")

Then restart the rsyslog service on the client as well.
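To make the server template and the client forwarding line concrete, here is an added example that is not part of the original post and not rsyslog's own code. It builds the RFC 3164 datagrams a client's omfwd action sends over UDP 514, parses them the way the server sees them, applies a classic selector such as *.* or auth,authpriv.*, and expands the post's template /var/log/%HOSTNAME%/%PROGRAMNAME%.log into a file path. The parser is a simplified approximation of rsyslog's, all sample messages are constructed inline, and nothing is sent on the network. It also mirrors rsyslog's documented secpath-replace property option, which is worth using in the template because the HOSTNAME field is whatever the sending client put in the message.

```python
"""Added example, not from the original post: models what the client's
'*.* action(type="omfwd" ...)' line sends over UDP 514 and what the server's
'$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"'
does with each received message. All sample messages are constructed here;
nothing is sent on the network."""
import re
from datetime import datetime

# Facility and severity codes from RFC 3164 / RFC 5424.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
FAC_BY_NUM = {v: k for k, v in FACILITIES.items()}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
TEMPLATE = "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"  # the post's remote-incoming-logs template


def build_datagram(facility, severity, hostname, program, pid, message, when):
    """Client side: one BSD-syslog (RFC 3164) datagram as omfwd sends it over UDP."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164: day is space-padded
    tag = f"{program}[{pid}]" if pid is not None else program
    return f"<{pri}>{ts} {hostname} {tag}: {message}".encode()


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$", re.S)


def parse_datagram(raw):
    """Server side: split a datagram into the properties rsyslog exposes
    (HOSTNAME, PROGRAMNAME, syslogfacility, syslogseverity, msg)."""
    m = SYSLOG_RE.match(raw.decode("utf-8", errors="replace"))
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {raw!r}")
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "hostname": m["host"],
            "programname": m["tag"], "pid": int(m["pid"]) if m["pid"] else None,
            "timestamp": m["ts"], "msg": m["msg"]}


def selector_matches(selector, facility, severity):
    """Evaluate a classic selector such as '*.*', 'auth,authpriv.*' or '*.warning'.
    A named priority means 'this severity and anything more severe' (lower code).
    Facility codes not in FACILITIES only match the '*' wildcard."""
    fac_part, sev_part = selector.rsplit(".", 1)
    facs = fac_part.split(",")
    if "*" not in facs and FAC_BY_NUM.get(facility) not in facs:
        return False
    if sev_part == "none":
        return False
    return sev_part == "*" or severity <= SEVERITIES[sev_part]


def secpath_replace(value):
    """Mirror rsyslog's secpath-replace property option (%HOSTNAME:::secpath-replace%):
    slashes in the property become underscores, so a client-chosen hostname or program
    name can only ever select one file inside the intended directory."""
    return value.replace("/", "_")


def dynafile_path(fields, template=TEMPLATE, sanitize=True):
    """Expand the template into the file the message would be written to."""
    host, prog = fields["hostname"], fields["programname"]
    if sanitize:
        host, prog = secpath_replace(host), secpath_replace(prog)
    return template.replace("%HOSTNAME%", host).replace("%PROGRAMNAME%", prog)


def process(raw, selector="*.*", template=TEMPLATE, sanitize=True):
    """Server side: apply the selector, then the template.
    Returns (path, fields), or None when the selector drops the message."""
    fields = parse_datagram(raw)
    if not selector_matches(selector, fields["facility"], fields["severity"]):
        return None
    return dynafile_path(fields, template, sanitize), fields


# Constructed sample traffic: two messages built the way a client would, plus one
# raw datagram whose hostname field (which the server cannot verify) contains slashes.
SAMPLE_TIME = datetime(2024, 1, 5, 10, 3, 7)
SAMPLE_DATAGRAMS = [
    build_datagram("auth", "info", "web01", "sshd", 1234,
                   "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2", SAMPLE_TIME),
    build_datagram("cron", "info", "web01", "CRON", 777,
                   "(root) CMD (run-parts /etc/cron.hourly)", SAMPLE_TIME),
    b"<13>Jan  5 10:04:00 bad/host logger: hello",
]


def demo(selector="*.*"):
    """Run every sample through the server logic with the given selector."""
    return [process(raw, selector) for raw in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    for raw, result in zip(SAMPLE_DATAGRAMS, demo()):
        print(raw.decode(), "->", result[0] if result else "dropped")
```

Running it shows the sshd message landing in /var/log/web01/sshd.log and the cron message in /var/log/web01/CRON.log, exactly what the post's template produces, while the third datagram's slashes become underscores only because secpath_replace is applied; with sanitize=False the same message would select /var/log/bad/host/logger.log. Changing the selector to *.warning drops all three, since they are info and notice messages.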

Logfiles

Now you should see the client and server logs on the server in the /var/log/YOUR-HOSTNAME directory, one directory per host.

This post will be continued.