I like Rsyslog better than Syslog-ng, but they are both excellent choices.
This configuration collects logs from other sources, stores them on disk in a folder per sending host, and also forwards them to a primary server.
More info on Rsyslog can be found here: http://www.rsyslog.com/
-----------------------------------------------------------------------------------------------------------------------------------------------
# /etc/rsyslog.conf Configuration file for rsyslog.
#
# For more information see
# /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
#-bww- $PrivDropToUser syslog
$PrivDropToGroup adm
# set twice: rsyslog uses the last value, so the daemon drops to group syslog, not adm
$PrivDropToGroup syslog
#
# Where to place spool files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
-----------------------------------------------------------------------------------
Additional Configuration Files
20-ufw.conf handles the firewall (ufw) logs on this Linux system
50-default.conf handles the other local logs on this system
example.conf does the reception, per-host storage and forwarding of logs
ben@LOG:/etc/rsyslog.d$ ls
20-ufw.conf 50-default.conf example.conf
example.conf
#this should(!) be big enough
$MaxMessageSize 64k
#### MODULES ####
# where we're getting logs from
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
# set some access rights to written log files
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# do NOT escape control chars
$EscapeControlCharactersOnReceive off
# templates
$template TraditionalRFC3164,"<%PRI%>%timereported% %timegenerated% %HOSTNAME% %syslogtag:1:32% %msg:::drop-last-lf%\n"
$template DailyPerHostLogs,"/var/log/remote/%HOSTNAME:::lower%/messages.log"
# json template for logstash
# generic template (cisco, firewall, etc)
$template generic_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":\"%msg:::json%\",\"@fields\":{%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%app-name:::jsonf%,%procid:::jsonf%}}"
# windows hosts template (nxlog json)
# %msg% is inserted unescaped here, so only use it for senders whose msg is already valid JSON
$template win_nxlog_json,"{%timestamp:::date-rfc3339,jsonf:@timestamp%,%source:::jsonf:@source_host%,\"@source\":\"syslog://%fromhost-ip:::json%\",\"@message\":%msg%,\"@fields\":{%app-name:::jsonf%,%syslogfacility-text:::jsonf%,%syslogseverity-text:::jsonf%,%procid:::jsonf%}}\n"
# Everything from remote hosts to files goes to disk in folders named by host
if ($fromhost-ip != '127.0.0.1') then -?DailyPerHostLogs;TraditionalRFC3164
& ~
# NOTE: use your system's rules for local messages:
# Standard log files. Log by facility.
*.* -/var/log/messages
*.* @192.168.1.30:514
restart syslog
service syslog restart
-------------------------------------------------------------------------------------------------------------------------------------------------
This setup creates a folder under /var/log/remote for each system that sends logs:
drwxr-xr-x 2 root syslog 4096 Nov 26 13:08 192.168.1.253
drwxr-xr-x 2 root syslog 4096 Nov 26 11:37 ASA-BWW
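As an added example that is not part of the original configuration, the following Python script parses the per-host messages.log files that the TraditionalRFC3164 template above writes, decodes the <PRI> field into facility and severity, and flags messages that still carry raw control characters, which this setup keeps because $EscapeControlCharactersOnReceive is off. The sample lines are constructed.

```python
import re

# Names for the 24 syslog facilities and 8 severities packed into <PRI> = facility*8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# %timereported% keeps the sender's own format: RFC3164 "Nov 26 13:08:01" or an RFC5424 ISO stamp.
TS = r"(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+)"
LINE_RE = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>(?P<reported>{TS}) (?P<generated>{TS}) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")
CONTROL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")  # any control byte except TAB

def parse_line(line):
    """Parse one TraditionalRFC3164 line; return None when it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23*8 + 7 is the largest valid PRI
        return None
    rec = m.groupdict()
    rec["pri"] = pri
    rec["facility"] = FACILITIES[pri // 8]
    rec["severity"] = SEVERITIES[pri % 8]
    # EscapeControlCharactersOnReceive is off, so raw control bytes reach the file unchanged.
    rec["control_chars"] = bool(CONTROL_RE.search(rec["msg"]))
    return rec

def parse_log(text):
    """Parse a whole messages.log; lines that do not match the template are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

# Constructed sample in the layout the TraditionalRFC3164 template writes.
SAMPLE = (
    "<38>Nov 26 13:08:01 Nov 26 13:08:02 server1 sshd[1234]: Failed password for admin from 10.0.0.5 port 52211 ssh2\n"
    "<34>Nov 26 13:08:05 Nov 26 13:08:05 server1 su[2222]: authentication failure\x1b[2J\n"
    "<13>2013-11-26T13:08:07.123456+01:00 Nov 26 13:08:07 workstation ben: hello Ben\n"
    "not a syslog line at all\n"
)

if __name__ == "__main__":
    for rec in parse_log(SAMPLE):
        flag = " [CONTROL CHARS]" if rec["control_chars"] else ""
        print(f"{rec['host']} {rec['facility']}.{rec['severity']} {rec['tag']} {rec['msg']!r}{flag}")
```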
------------------------------------------------------------------------------------------------------------------------------------------------
Syslog-NG
More info at https://www.balabit.com/network-security/syslog-ng
# send everything to log host
destination loghost {
tcp("192.168.1.42" port(5140));
};
log {
# "src" is the source already defined elsewhere in syslog-ng.conf (not shown here)
source(src);
destination(loghost);
};
restart syslog-ng
/etc/init.d/syslogd restart
-------------------------------------------------------------------------------------------------------------------------------------------------
Send test message
logger 'hello Ben'