This document has the instructions required to setup a centralized log server. This should be a minimum requirement for all organizations. A must have tool for intrusion prevention and detection.
Server Setup
Install rsyslog and vim text editor.
|
1 |
yum install rsyslog vim |
Edit the configuration file.
|
1 |
vim /etc/rsyslog.conf |
Ensure the configuration file has the following enabled.
|
1 2 3 4 5 6 7 |
# Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514 |
Restart the service to allow the change of configuration to take effect.
|
1 |
/etc/init.d/rsyslog restart |
The following command “netstat” will check to see which ports are open on the system and listening. Port 514 should be open and listening, waiting for logs to be shipped from the client.
|
1 2 3 4 5 6 7 8 9 10 |
[root@f842608432ca /]# netstat -lpn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 183/rsyslogd tcp 0 0 :::514 :::* LISTEN 183/rsyslogd udp 0 0 0.0.0.0:514 0.0.0.0:* 183/rsyslogd udp 0 0 :::514 :::* 183/rsyslogd Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node PID/Program name Path [root@f842608432ca /]# |
If the above ports appear open, then the server configuration is operating correctly.
Client Setup
Let install rsyslog and vim text editor
|
1 |
yum install rsyslog vim |
Edit config file.
|
1 |
vim /etc/rsyslog.conf |
Appending the following line to the end of the configuration file. Ensure you change the IP address of the forward to the IP address of the rsyslog server configured earlier.
|
1 2 3 |
*.* @172.17.0.3:514 cron.* @172.17.0.3:514 mail.* @172.17.0.3:514 |
Restart rsyslog to allow the changes to take effect.
|
1 |
/etc/init.d/rsyslog restart |
To test, issue the following command and tail the logs of the rsyslog server.
|
1 |
logger -i -t cron "CRON JOB DID NOT START!" |
You should see the above quoted line appear on the servers logs.
