Evaluated version: Debian 12
Remove rsyslog (syslog-ng replaces it as the system log daemon; the two would fight over /dev/log and port 514):
# apt remove --purge rsyslog -y
Create the directory that will hold the logs:
# mkdir /mnt/resource/SYSLOG
Configure the local firewall, allowing only the required ports:
# apt install ufw -y
# ufw logging full
# ufw default deny incoming
# ufw default deny outgoing
# ufw allow from 192.168.1.0/24 to 192.168.1.114 port 22 proto tcp
#### ufw allow from 192.168.1.0/24 to 192.168.1.114 port 80 proto tcp
#### ufw allow from 192.168.1.0/24 to 192.168.1.114 port 443 proto tcp
# ufw allow from 192.168.1.0/24 to 192.168.1.114 port 514 proto udp
# ufw allow from 192.168.1.0/24 to 192.168.1.114 port 514 proto tcp
# ufw allow from 192.168.10.0/24 to 192.168.10.114 port 514 proto tcp
# ufw allow from 192.168.10.0/24 to 192.168.10.114 port 514 proto udp
# ufw allow from 192.168.10.0/24 to 192.168.10.114 port 601 proto tcp
# ufw allow from 192.168.10.0/24 to 192.168.10.114 port 6514 proto tcp
# ufw allow out from 192.168.10.114 to any port 53 proto udp
# ufw allow out from 192.168.10.114 to any port 80 proto tcp
# ufw allow out from 192.168.10.114 to any port 123 proto udp
# ufw allow out from 192.168.10.114 to any port 443 proto tcp
# ufw enable
Note: adjust the IPs to your environment (the 192.168.1.x rules and the 192.168.10.x rules address the same host on two networks). 514/udp and 514/tcp carry plain syslog, 601/tcp is the IANA syslog-conn port and 6514/tcp is syslog over TLS; only 514 has a matching source in the syslog-ng configuration below, so 601 and 6514 accept nothing until a source is added. Because outgoing traffic is denied by default, any outbound destination (for example forwarding to another collector) needs its own "ufw allow out" rule.
First set the server's hostname, and make sure it is the same name registered in DNS:
# hostnamectl set-hostname hl114.local.domain --static
# vi /etc/hosts
192.168.10.114 hl114.local.domain hl114
# reboot
Generate the private key. The second openssl command rewrites the key without the passphrase so the service can open it unattended; keep the resulting file readable by root only (mode 0600).
# cd /etc/ssl
# openssl genrsa -aes256 -out hl114.local.domain.key 4096
Enter PEM pass phrase: <enter a password>
Verifying - Enter PEM pass phrase: <enter the password again>
# openssl rsa -in hl114.local.domain.key -out hl114.local.domain.key
Enter pass phrase for hl114.local.domain.key: <enter the password>
writing RSA key
Generate the certificate signing request (CSR).
# openssl req -new -key hl114.local.domain.key -out hl114.local.domain.csr
...
Country Name (2 letter code) [AU]:BR
State or Province Name (full name) [Some-State]:PARANA
Locality Name (eg, city) []:CURITIBA
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Domain
Organizational Unit Name (eg, section) []:TI
Common Name (e.g. server FQDN or YOUR name) []:<hl114.local.domain or 192.168.10.114>
Email Address []:sem@email.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <press Enter>
An optional company name []: <press Enter>
Self-sign the certificate and set its validity period (3650 days). Note: a CSR produced with "openssl req -new" as above carries no subjectAltName extension, and current TLS clients validate the SAN rather than the Common Name; clients that verify the server certificate will need a SAN for hl114.local.domain or 192.168.10.114, or hostname verification turned off.
# openssl x509 -days 3650 -in hl114.local.domain.csr -out hl114.local.domain.crt -req -signkey hl114.local.domain.key
Signature ok
subject=C = BR, ST = PARANA, L = CURITIBA, O = Domain, OU = TI, CN = 192.168.10.114, emailAddress = sem@email.com
Getting Private key
Install syslog-ng:
# apt install syslog-ng -y
The settings below are additional to, and work together with, the defaults in syslog-ng.conf (Debian's syslog-ng.conf includes every *.conf file under conf.d).
Configure the syslog-ng service:
# vi /etc/syslog-ng/conf.d/local.conf
options {
    threaded (yes);
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (100000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
};
source s_hosts {
    tcp(ip(0.0.0.0) port(514) );
    udp(ip(0.0.0.0) port(514) );
};
destination d_files {
    file("/mnt/resource/SYSLOG/hosts/$HOST.log"
         owner(root) group(root) perm(0644) dir_perm(0755) );
};
log { source(s_hosts); destination(d_files); flags(flow-control); };
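The certificate generated above is not referenced anywhere in the configuration, and 6514/tcp is open in ufw with nothing listening on it. The script below is an added example, not part of the original guide: it produces the same key and self-signed certificate non-interactively (adding a subjectAltName for both the FQDN and the IP, which is what TLS clients check instead of the CN) and writes a syslog-ng TLS source on 6514 that uses it. It defaults to a temporary directory so it can be run anywhere; OUT_DIR, CONF_DIR, the file name tls.conf, the source name s_tls and the peer-verify(optional-untrusted) setting are assumptions, and d_files is the destination defined in local.conf above.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Generates the server key and a
# self-signed certificate non-interactively, with a subjectAltName for both the
# FQDN and the IP, and writes a syslog-ng TLS source on 6514/tcp that uses it.
# Paths default to a temporary directory so the script runs anywhere; on the
# real server set OUT_DIR=/etc/ssl and CONF_DIR=/etc/syslog-ng/conf.d.
set -eu

FQDN="${FQDN:-hl114.local.domain}"       # host name used in the guide
IP="${IP:-192.168.10.114}"               # address used in the guide
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"       # assumption: where key/cert are written
CONF_DIR="${CONF_DIR:-$OUT_DIR}"         # assumption: where tls.conf is written

# Key and certificate in one step. -nodes leaves the key unencrypted, which is
# the same end state as genrsa -aes256 followed by openssl rsa in the guide,
# and lets syslog-ng open the key at boot without a passphrase.
make_cert() {
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
    -keyout "$OUT_DIR/$FQDN.key" -out "$OUT_DIR/$FQDN.crt" \
    -subj "/C=BR/ST=PARANA/L=CURITIBA/O=Domain/OU=TI/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN,IP:$IP" 2>/dev/null
  chmod 600 "$OUT_DIR/$FQDN.key"         # unencrypted private key: root only
  echo "$OUT_DIR/$FQDN.crt"
}

# Print the SAN entries of a certificate, to verify what was actually issued.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# TLS listener on the port already opened in ufw. d_files is the destination
# defined in local.conf; peer-verify(optional-untrusted) encrypts the transport
# but does not authenticate senders (assumption: clients have no certificates
# yet; tighten to required-trusted plus ca-file() once they do).
write_tls_source() {
  cat > "$CONF_DIR/tls.conf" <<EOF
source s_tls {
    network(
        ip(0.0.0.0) port(6514) transport("tls")
        tls(
            key-file("$OUT_DIR/$FQDN.key")
            cert-file("$OUT_DIR/$FQDN.crt")
            peer-verify(optional-untrusted)
        )
    );
};
log { source(s_tls); destination(d_files); flags(flow-control); };
EOF
  echo "$CONF_DIR/tls.conf"
}
```

On the server, run it with OUT_DIR=/etc/ssl CONF_DIR=/etc/syslog-ng/conf.d, check the result with "syslog-ng --syntax-only" before restarting the service, and from a client confirm the handshake with "openssl s_client -connect 192.168.10.114:6514 -servername hl114.local.domain". With optional-untrusted any client can connect and TLS only protects the transport; once senders have certificates from a CA, switch to peer-verify(required-trusted) with ca-file() or ca-dir() so that only authenticated senders can write logs.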
To get the logs into Elasticsearch, install the package below. It provides the http() and elasticsearch-http() destinations; the configuration that follows does not use them yet, it forwards to Logstash over plain syslog TCP, and Logstash indexes into Elasticsearch from there.
# apt install syslog-ng-mod-http
Create the configuration file:
# vi /etc/syslog-ng/conf.d/logstash.conf
@requires http
options {
    threaded (yes);
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (100000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    keep_hostname (yes);
};
source s_file {
    file("/mnt/resource/SYSLOG/hosts/192.168.10.1.log");
    file("/var/log/messages");
    file("/var/log/syslog");
    file("/var/log/auth.log");
    file("/var/log/user.log");
    file("/mnt/resource/SYSLOG/hosts/SWBRHM001-1.log");
};
destination d_logstash {
    syslog("192.168.10.119" transport("tcp") port(5047));
};
log { source(s_file); destination(d_logstash); flags(flow-control); };
Note: the ufw policy above denies outgoing traffic by default, so this forwarding needs an explicit outbound allow rule for TCP port 5047 to 192.168.10.119; without it the connection is blocked and syslog-ng keeps retrying every time_reopen seconds. The syslog() destination sends RFC 5424 messages with octet-counting framing, so the Logstash input listening on 5047 must expect that format.
Check the configuration. syslog-ng-debun -r collects a diagnostic bundle (syslog-ng version, configuration and system information):
# syslog-ng-debun -r
Or run syslog-ng in the foreground with debug and trace output on stderr (stop the service first, otherwise the foreground instance cannot bind port 514):
# syslog-ng -Fedtv
Check the service status and restart it:
# systemctl status syslog-ng.service
# systemctl restart syslog-ng
Check that it is working (the paths in the output below come from a destination template with a date directory; with the $HOST.log destination above the files appear under /mnt/resource/SYSLOG/hosts):
# lsof -n | grep syslog-ng
...
syslog-ng 2619 2624 syslog-ng root 34w REG 254,2 2063 67144282 /mnt/resource/SYSLOG/2023-08-12/192.168.10.1.log
syslog-ng 2619 2624 syslog-ng root 35w REG 254,2 144 67144283 /mnt/resource/SYSLOG/2023-08-12/192.168.1.45.log
...
With tcpdump (ens192 is the interface name on the evaluated host; adjust it to yours):
# apt install tcpdump -y
# tcpdump -ni ens192 port 514 -A | grep <IP>
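lsof and tcpdump show that files are open and packets arrive, but not that a given message ends up in the right file. The script below is an added example (not from the original guide): it builds an RFC 3164 syslog line by hand, computing the PRI field from facility and severity, sends it to the collector over UDP or TCP with bash's /dev/udp and /dev/tcp, and then looks for a marker in the per-host file. With keep_hostname(yes) and use_dns(no) in local.conf, the HOSTNAME field inside the message is what selects the $HOST.log file name, so the probe sends the local short hostname. The SYSLOG_HOST variable, the LOG_DIR default and the tag ufwtest are assumptions; the marker string is constructed for the test.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: build an RFC 3164 syslog line,
# send it to the collector over UDP or TCP, and check that it lands in the
# per-host file. With keep_hostname(yes) and use_dns(no) in local.conf, the
# HOSTNAME field of the message decides which $HOST.log file syslog-ng writes.
set -eu

LOG_DIR="${LOG_DIR:-/mnt/resource/SYSLOG/hosts}"   # destination dir from the guide

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1).
# Example: local0 (16) / info (6) -> <134>; auth (4) / crit (2) -> <34>.
syslog_pri() {   # $1 facility number, $2 severity number
  echo $(( $1 * 8 + $2 ))
}

# "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG" (BSD syslog format, day space padded).
syslog_line() {  # $1 facility, $2 severity, $3 hostname, $4 tag, $5 message
  printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" \
    "$(LC_ALL=C date '+%b %e %T')" "$3" "$4" "$5"
}

# Send one line using bash's /dev/udp and /dev/tcp (no netcat needed).
send_syslog() {  # $1 host, $2 port, $3 proto (udp|tcp), $4 line
  if [ "$3" = tcp ]; then
    printf '%s\n' "$4" >"/dev/tcp/$1/$2"
  else
    printf '%s\n' "$4" >"/dev/udp/$1/$2"
  fi
}

# End-to-end probe: send a unique marker and grep it from the per-host file.
# Run on the collector itself (LOG_DIR is local) with SYSLOG_HOST=<server IP>.
check_delivery() {  # $1 proto (udp|tcp)
  local host marker line
  host="$(hostname -s)"
  marker="probe-$$-$(date +%s)"            # constructed marker for this run
  line="$(syslog_line 16 6 "$host" ufwtest "$marker via $1")"   # tag is an assumption
  send_syslog "${SYSLOG_HOST:?set SYSLOG_HOST to the collector address}" 514 "$1" "$line"
  sleep 1
  grep -q "$marker" "$LOG_DIR/$host.log"
}
```

Usage on the collector: source the file and run "SYSLOG_HOST=192.168.10.114 check_delivery udp && check_delivery tcp"; a non-zero exit means the message was either blocked (ufw) or filed under a different host name, which tcpdump on port 514 will show.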
Open the logrotate configuration and add each new log file as it is created:
# vi /etc/logrotate.d/syslog-ng
....
/var/log/debug
/var/log/messages
/var/log/error
/mnt/resource/SYSLOG/hosts/192.168.10.1.log
/mnt/resource/SYSLOG/hosts/SWBRHM001-1.log
....
Restart the service:
# systemctl restart syslog-ng.service
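Listing every per-host file by hand in /etc/logrotate.d/syslog-ng means a new sender that creates a new $HOST.log is not rotated until someone notices. The script below is an added example (not from the original guide) that writes one stanza with a wildcard over the hosts directory and offers a dry run. The file name syslog-ng-hosts, daily rotation and 90 days of retention are assumptions; the postrotate step relies on the Debian unit's reload action, which sends SIGHUP so syslog-ng reopens the renamed files.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide: one logrotate stanza with a
# wildcard for every per-host file syslog-ng creates, so new hosts do not
# have to be added to /etc/logrotate.d/syslog-ng by hand. Written to a
# temporary directory by default; on the server set CONF_DIR=/etc/logrotate.d.
set -eu

CONF_DIR="${CONF_DIR:-$(mktemp -d)}"              # assumption
LOG_DIR="${LOG_DIR:-/mnt/resource/SYSLOG/hosts}"  # destination dir from the guide

write_rotate_conf() {
  # daily rotation and 90 days of retention are assumptions; create matches
  # perm(0644) owner(root) group(root) in the d_files destination.
  cat > "$CONF_DIR/syslog-ng-hosts" <<EOF
$LOG_DIR/*.log {
    daily
    rotate 90
    missingok
    notifempty
    compress
    delaycompress
    dateext
    create 0644 root root
    sharedscripts
    postrotate
        # Debian's syslog-ng.service reload sends SIGHUP, which makes
        # syslog-ng reopen its file destinations after they are renamed.
        systemctl reload syslog-ng.service > /dev/null 2>&1 || true
    endscript
}
EOF
  echo "$CONF_DIR/syslog-ng-hosts"
}

# Dry run on the real server: logrotate -d parses the file and reports what
# it would do without touching any log.
rotate_dry_run() {
  logrotate -d "$1"
}
```

After copying the file into /etc/logrotate.d, run "rotate_dry_run /etc/logrotate.d/syslog-ng-hosts" and confirm it lists every file currently open by syslog-ng (compare with the lsof output above).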