For administrators, logs are very useful, but a large number of logs is very troublesome to handle. When something goes wrong, logs play a vital role in troubleshooting, especially on security-related issues. If an attacker compromises your host, the log is what tells you what was done to it, and that is only useful if the attacker cannot alter it, which is why the messages need to be sent off the host. Protecting logs is therefore very important. A central log server also makes it easy to manage, analyze, and search logs. In this article I will show how to collect system logs from multiple hosts onto one host for management, that is, a central syslog server on Linux.
First, a secure and hardened host should be built for any centralized syslog server: there is no point in protecting and centralizing your logs on a host that is itself not protected. Second, how do you get the logs from your hosts to it?
Let's start by installing the central syslog server. I will use rsyslog, the de facto standard syslog daemon on Linux. It is used on Ubuntu and Red Hat and is managed through the /etc/rsyslog.conf file. That file contains many rules that direct specific system logs to the console, to files, and to other hosts.
First, we need to load the TCP and UDP input plug-ins so that rsyslog can receive system logs. Add the following lines at the top of rsyslog.conf:
$ModLoad imtcp
$ModLoad imudp
$InputTCPServerRun 10514
$UDPServerRun 514
The two loaded modules support listening on TCP and UDP, and the two Run directives specify on which port to accept events. In this case we use TCP port 10514 and UDP port 514. Check both the local firewall and any firewall between your hosts and the central syslog server to make sure these ports are reachable.
Next, we need to specify rules that tell rsyslog where to store incoming events. If you do not add any rules, incoming events are processed according to the local rules and end up intertwined with the events of the local host. These rules must be placed after the section above and before the rules that process system logs locally. For example:
if $fromhost-ip isequal '192.168.0.2' then /var/log/192.168.0.2.log
& ~
Every syslog message from 192.168.0.2 is stored in the /var/log/192.168.0.2.log file. The "& ~" line is very important because it tells rsyslog to stop processing that message. If you forget it, the message falls through to the next rule and continues to be processed. Other comparison operators can be used in this rule. For example:
if $fromhost-ip startswith '192.168.' then /var/log/192.168.log
& ~
Here we use startswith to match all IP addresses beginning with 192.168. and write their messages to the /var/log/192.168.log file. Other filters are available as well.
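To make the fall-through behaviour concrete, here is an added example (not part of the original article or of rsyslog itself) that parses the two $fromhost-ip rules above and shows which files a message from a given sender would land in, with and without the "& ~" line. The config text and the local target /var/log/syslog are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed config: the two rules from the article, in legacy rsyslog syntax.
CONFIG = """
if $fromhost-ip isequal '192.168.0.2' then /var/log/192.168.0.2.log
& ~
if $fromhost-ip startswith '192.168.' then /var/log/192.168.log
& ~
"""

RULE_RE = re.compile(r"^if \$fromhost-ip (isequal|startswith) '([^']*)' then (\S+)$")
Rule = Tuple[str, str, str, bool]  # (operator, value, target file, stop after action)

def parse_rules(config: str) -> List[Rule]:
    """Parse the $fromhost-ip rules and note which ones are followed by '& ~'."""
    rules: List[Rule] = []
    for line in config.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            op, value, target = m.groups()
            rules.append((op, value, target, False))
        elif line.replace(" ", "") == "&~" and rules:
            op, value, target, _ = rules[-1]
            rules[-1] = (op, value, target, True)  # discard message after this action
    return rules

def route(fromhost_ip: str, rules: List[Rule], local_target: str = "/var/log/syslog") -> List[str]:
    """Return the files a message from fromhost_ip is written to, in rule order."""
    targets: List[str] = []
    for op, value, target, stop in rules:
        hit = fromhost_ip == value if op == "isequal" else fromhost_ip.startswith(value)
        if hit:
            targets.append(target)
            if stop:
                return targets  # "& ~": processing stops here
    targets.append(local_target)  # no stop: the message also reaches the local rules
    return targets

if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    for ip in ("192.168.0.2", "192.168.0.5", "10.0.0.1"):
        print(ip, "->", route(ip, rules))
    # Same config with the first "& ~" removed: the 192.168.0.2 message
    # falls through to the startswith rule and is written twice.
    leaky = parse_rules(CONFIG.replace("& ~\nif", "if", 1))
    print("without & ~:", route("192.168.0.2", leaky))
```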
You will need to restart the rsyslog service to activate the new configuration:
$ sudo service rsyslog restart
Now, on each sending host, we also need to make a change to rsyslog.conf. At the top of the file, add the following line:
*.* @@192.168.0.1:10514
This sends all events (all facilities and all severities, selected by *.*) over TCP (the double @@) to the IP address 192.168.0.1 on port 10514. Replace the IP address with the address of the server in your environment. To enable this configuration, restart rsyslog on the host.
You can also send your system logs over SSL/TLS. If you transmit system logs across the Internet or other untrusted networks, encrypting them does no harm, and a short guide on setting this up is worth reading.
Finally, if you use a configuration management system such as Puppet or CFEngine, add this configuration there. Then every host is configured consistently and you can be sure its logs are sent to the central syslog server.