Linux.com

winnux

  • Linux.com Member
  • Posts: 4
  • Member Since: 25 Apr 13
  • Last Logged In: 03 Jul 13

Latest Posts

  • winnux
    RE: Prevent rsyslog from writing messages from remote hosts to /var/log/messages
    Link to this post 03 Jul 13

    I understood that was what you wanted to do. My question was, why forward from the central logging server to SIEM? Unless there is processing done to the logs before they are forwarded, there is no benefit to sending them to the central logging server first then to SIEM, barring some network connectivity / trust problem.

    The rules in my first reply will hopefully forward while preserving the hostname; however, if you can simply forward to each host from the original server, you eliminate the need to preserve the hostname: the proper hostname will show as the source on each target.

  • winnux
    RE: Prevent rsyslog from writing messages from remote hosts to /var/log/messages
    Link to this post 03 Jul 13

    If you forward from the original server to your logging server and your SIEM server, you'll preserve host.

    *.* @@original.host
    *.* @@siem.host

  • winnux
    RE: Prevent rsyslog from writing messages from remote hosts to /var/log/messages
    Link to this post 03 Jul 13

    Unless you are doing some processing on the central logging server that changes data in the logs, passing logs to it first and forwarding them to SIEM offers no advantage vs. sending logs to both servers directly from each host. If I were setting this up I would likely set it up this way.

    If you must send them to the central logging server first and then forward them, something like the code example below *might* work. I have not tested this, it's just a best guess effort on my part to get you headed in the right direction (hopefully).


    # Forward all logs to the SIEM host over UDP. Change 192.168.0.1 to the IP of your SIEM host.
    # Field order follows RFC 3164: PRI, timestamp, hostname, tag, message.
    $template SIEM,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"
    *.* @192.168.0.1;SIEM

    # Log each remote host into its own directory and then discard remote server logs:
    $template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"

    # if rule to call the RemoteHost template; "& ~" applies the same filter and
    # discards the message so it never reaches the /var/log/messages rule below
    if ($hostname != '<ServerName>') then ?RemoteHost
    & ~

  • winnux
    RE: Prevent rsyslog from writing messages from remote hosts to /var/log/messages
    I was fighting this same issue today and came up with what I believe is a solution. I run CentOS servers and my solution focuses on that distro. #1 - update to the latest version of syslog create /etc/yum.repos.d/rsyslog.repo and place the following into it [code] [rsyslog_v7] name=Adiscon CentOS-$releasever - local packages for $basearch baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch enabled=1 gpgcheck=0 gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon protect=1 [/code] Move your existing /etc/rsyslog.conf file to another directory prior to upgrade. This will allow the installer to create a new conf file for you. You can copy/paste your custom settings into the new file post upgrade. Execute the command 'yum update rsyslog' to update rsyslog. #2 The following code shuld be placed before the "*.info;mail.none;authpriv.none;cron.none /var/log/messages" entry. Be sure you replace in the example below with the name of your central logging server [code] # Log each remote host into it's own directory and then discard remote server logs: $template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log" if ($hostname != '') then ?RemoteHost & ~ [/code] From my research on this, position in the file is critical, you must capture the remote server logs, place them into the dedicated location and discard them when done prior to the *.info entry. I hope this helps. I am not guaranteeing that there will be no issues with this setup. As far as I can tell, logging to the local server is working normally and remote hosts all get their own directory and a file with the date string (properly sorting) embedded. You'll want to check out the link below to make sure you are compressing the old log files. http://wiki.rsyslog.com/index.php/DailyLogRotation
    Link to this post 25 Apr 13

    I was fighting this same issue today and came up with what I believe is a solution. I run CentOS servers and my solution focuses on that distro.

    #1 - update to the latest version of syslog
    create /etc/yum.repos.d/rsyslog.repo and place the following into it


    [rsyslog_v7]
    name=Adiscon CentOS-$releasever - local packages for $basearch
    baseurl=http://rpms.adiscon.com/v7-stable/epel-$releasever/$basearch
    enabled=1
    # gpgcheck=0 skips package signature verification; gpgcheck=1 verifies
    # downloaded packages against the key named in gpgkey below
    gpgcheck=0
    gpgkey=http://rpms.adiscon.com/RPM-GPG-KEY-Adiscon
    protect=1

    Move your existing /etc/rsyslog.conf file to another directory prior to upgrade. This will allow the installer to create a new conf file for you. You can copy/paste your custom settings into the new file post upgrade.

    Execute the command 'yum update rsyslog' to update rsyslog.

    #2
    The following code should be placed before the "*.info;mail.none;authpriv.none;cron.none /var/log/messages" entry. Be sure you replace <ServerName> in the example below with the name of your central logging server.


    # Log each remote host into its own directory and then discard remote server logs:
    $template RemoteHost,"/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"
    # messages from any host other than <ServerName> are written via the template above;
    # "& ~" applies the same filter and discards them before later rules run
    if ($hostname != '<ServerName>') then ?RemoteHost
    & ~

    From my research on this, position in the file is critical: you must capture the remote server logs, place them into the dedicated location and discard them when done prior to the *.info entry.

    I hope this helps. I am not guaranteeing that there will be no issues with this setup. As far as I can tell, logging to the local server is working normally and remote hosts all get their own directory and a file with the date string (properly sorting) embedded.

    You'll want to check out the link below to make sure you are compressing the old log files.
    http://wiki.rsyslog.com/index.php/DailyLogRotation
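The ordering point made in the post above (the remote-host rule and its `& ~` discard must come before the *.info line), worked through as an added example that is not rsyslog and not the poster's code: a small Python model of how rsyslog walks these rules top to bottom. The local host name `loghost`, the date and the sample syslog lines are constructed.

```python
# Constructed model of the rule ordering the post describes. It is not rsyslog
# and not the poster's code: it walks rules top to bottom as rsyslog does, reads
# a legacy selector such as "*.info;mail.none;authpriv.none;cron.none", and
# honours "& ~" (apply the previous filter, then discard).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["reserved"] * 4 + [f"local{i}" for i in range(8)]
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL_HOST = "loghost"  # assumed name standing in for the post's <ServerName>
REMOTE_HOST = "/var/log/remote-hosts/%HOSTNAME%/%HOSTNAME%-%$YEAR%%$MONTH%%$DAY%.log"
MESSAGES = "*.info;mail.none;authpriv.none;cron.none"

# A rule is (filter, argument, action). "&" reuses the previous filter's verdict
# and "~" is the legacy discard action used in the thread.
CORRECT_ORDER = [("remote", None, REMOTE_HOST), ("&", None, "~"),
                 ("selector", MESSAGES, "/var/log/messages")]
WRONG_ORDER = CORRECT_ORDER[2:] + CORRECT_ORDER[:2]  # *.info line placed first

def parse(line):
    """Split a constructed RFC 3164 line '<PRI>Mmm dd hh:mm:ss host tag: msg'."""
    pri, rest = line[1:].split(">", 1)
    return {"facility": FACILITIES[int(pri) // 8], "level": LEVELS[int(pri) % 8],
            "hostname": rest[16:].split(" ", 1)[0]}  # skip 15-char timestamp

def selector_matches(selector, facility, level):
    """Legacy selector semantics: a later entry for the same facility overrides
    an earlier one; 'lvl' matches that level and more severe, 'none' excludes."""
    verdict = False
    for part in selector.split(";"):
        fac, lvl = part.split(".")
        if fac in ("*", facility):
            verdict = lvl != "none" and LEVELS.index(level) <= LEVELS.index(lvl)
    return verdict

def route(line, rules, date="20130425"):
    """Return the files the message reaches; a discard stops further rules."""
    msg, outputs, hit = parse(line), [], False
    for kind, arg, action in rules:
        if kind == "remote":
            hit = msg["hostname"] != LOCAL_HOST
        elif kind == "selector":
            hit = selector_matches(arg, msg["facility"], msg["level"])
        if not hit:  # "&" keeps the previous verdict
            continue
        if action == "~":
            break
        outputs.append(action.replace("%HOSTNAME%", msg["hostname"])
                             .replace("%$YEAR%%$MONTH%%$DAY%", date))
    return outputs

REMOTE = "<30>Apr 25 12:00:01 web01 sshd[123]: Accepted publickey for admin"
LOCAL_CRON = "<78>Apr 25 12:00:02 loghost crond[456]: (root) CMD (run-parts)"
```

With the rules in the poster's order the remote message lands only in its per-host file; with the *.info line first it is written to /var/log/messages as well before the discard is reached.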
