
Central Rsyslog server with TLS encryption.

Certificate setup.

Server Certificate.

Create the following directory

Install the following package to enable encryption on rsyslog.

Execute the following command which create the certificates.

Client Certificate.


Copy the following three certificates to /etc/ssl/rsyslog/ on the client machine.

Server Setup.

Create the following configuration file.

Restart the server.

This will allow the changes to take effect.

Running netstat will show that it is listening on both the encrypted and unencrypted ports for logging traffic.

Client Setup.

Replace the SERVER with the IP address of your rsyslog server.

Restart rsyslog on the client so that changes can take effect.

Now, to test that the logs are transmitted, execute the following.

To verify that the logs are received on the encrypted port, connect to the server and run the following.

This will listen for traffic on the encrypted port. Successful results should look like this.
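The server and client configuration files referred to above are not reproduced on this page, so the following is an added example (not the original post's configuration) of a mutually authenticated TLS pair in rsyslog's legacy directive syntax. It assumes the rsyslog-gnutls module is installed, that the certificate file names under /etc/ssl/rsyslog/ are as shown, and that the `example.com` host names are placeholders for your own.

```conf
### Server: /etc/rsyslog.d/10-tls-server.conf (assumed path)
$ModLoad imtcp
# Use the GnuTLS network stream driver (requires rsyslog-gnutls).
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/ssl/rsyslog/server-key.pem
# Mode 1 = TLS only. x509/name also checks the client certificate's
# name against the permitted-peer list, so only enrolled hosts can
# send logs (anonymous mode would encrypt but not authenticate).
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.com
# Write each remote host's messages to its own file, keeping them
# separate from the server's local logs.
$template RemoteHost,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"
$RuleSet remote
*.* ?RemoteHost
$InputTCPServerBindRuleset remote
# 6514 is the IANA-registered syslog-over-TLS port.
$InputTCPServerRun 6514
$RuleSet RSYSLOG_DefaultRuleset

### Client: /etc/rsyslog.d/10-tls-client.conf (assumed path)
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/ssl/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/client-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/ssl/rsyslog/client-key.pem
$ActionSendStreamDriverMode 1
# The client verifies the server's certificate name too, so logs
# cannot be diverted to an impostor presenting any CA-signed cert.
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.example.com
# Disk-assisted queue: buffer locally and retry forever if the
# server is unreachable, instead of silently dropping messages.
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# @@ = TCP; replace the host name with your server as described above.
*.* @@logserver.example.com:6514
```

After restarting both sides, a message sent with `logger` on the client should appear under /var/log/remote/<client hostname>/ on the server, and a client whose certificate name does not match the permitted peer pattern is rejected at the TLS handshake and logged as such by the server.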


Setup a central rsyslog server Howto

This document gives the instructions required to set up a centralized log server. This should be a minimum requirement for every organization, and a must-have tool for intrusion prevention and detection.

Server Setup

Install rsyslog and vim text editor.

Edit the configuration file.

Ensure the configuration file has the following enabled.

Restart the service to allow the change of configuration to take effect.

The following command, “netstat”, checks which ports are open and listening on the system. Port 514 should be open and listening, waiting for logs to be shipped from the client.

If the above ports appear open, then the server configuration is operating correctly.


Client Setup

Let's install rsyslog and the vim text editor.

Edit the configuration file.

Append the following line to the end of the configuration file. Ensure you change the IP address in the forwarding rule to the IP address of the rsyslog server configured earlier.

Restart rsyslog to allow the changes to take effect.

To test, issue the following command and tail the logs of the rsyslog server.

You should see the above quoted line appear in the server's logs.