technical:remote_syslog_setup

Differences

This shows you the differences between two versions of the page.

technical:remote_syslog_setup [2025/06/11 04:23] – updating syslog configs and other stuff super_stunder
technical:remote_syslog_setup [2025/06/11 04:45] (current) – [Going against the Linux Gods] super_stunder
Line 90: Line 90:
  
 Here is a my /etc/rsyslog.conf file from the log servers.  This prevents FW logs from showing up in the kernel log and sends them to their own log file (easier to work with) Here is a my /etc/rsyslog.conf file from the log servers.  This prevents FW logs from showing up in the kernel log and sends them to their own log file (easier to work with)
- +<codeprism title=rsyslog.conf el=true hl=52-62>
-<fileprism title=rsyslog.conf el=true hl=52-62 cmd>+
 # /etc/rsyslog.conf configuration file for rsyslog # /etc/rsyslog.conf configuration file for rsyslog
 # #
Line 146: Line 145:
 :msg, contains, "FIREWALL_LOG:" /var/log/fw.log :msg, contains, "FIREWALL_LOG:" /var/log/fw.log
  
-# This will forward all of the Firewall Logs to the syslog01 server over UDP 514+# This will forward all of the Firewall Logs to the syslog01 server from /etc/hosts over UDP 514
 :msg, contains, "FIREWALL_LOG:" @syslog01:514 :msg, contains, "FIREWALL_LOG:" @syslog01:514
  
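Review bot: the forwarding rule `:msg, contains, "FIREWALL_LOG:" @syslog01:514` uses a single `@`, which is plain UDP: nothing guarantees delivery, and the firewall lines (including their source and destination addresses) cross the network with no confidentiality or integrity protection. The new comment also makes the destination depend on an /etc/hosts entry for `syslog01`, so a stale or edited entry silently redirects the whole stream. Suggest saying in the comment that UDP is a deliberate choice, or switching to `@@syslog01:514` (TCP) if loss matters, and noting that the receiver must have a matching listener on 514.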
Line 152: Line 151:
 :msg, contains, "FIREWALL_LOG:" stop :msg, contains, "FIREWALL_LOG:" stop
  
-# Send all other messages to the journald socket+# Send all other messages to the journald socket - not sure this is needed I am doing it all in syslog now might remove later.
 *.* action(type="omuxsock" Socket="/run/systemd/journal/syslog") *.* action(type="omuxsock" Socket="/run/systemd/journal/syslog")
  
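Review bot: the updated comment leaves the `*.* action(type="omuxsock" Socket="/run/systemd/journal/syslog")` rule in an undecided state ("not sure this is needed"), which is exactly what a reader will copy. Either drop the rule or document why it stays, and confirm that journald is not also forwarding to syslog, since everything that survives the preceding `:msg, contains, "FIREWALL_LOG:" stop` is handed back to the journal socket and a forward in both directions duplicates every non-firewall message.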
Line 173: Line 172:
 # #
 *.emerg :omusrmsg:* *.emerg :omusrmsg:*
-</fileprism>+</codeprism>
  
  
Line 182: Line 181:
 </cli> </cli>
  
-<code arm [enable_line_numbers="true"] [highlight_lines_extra="34"]>+<code title=journald.conf el=true hl=34>
 # Use 'systemd-analyze cat-config systemd/journald.conf' to display the full config. # Use 'systemd-analyze cat-config systemd/journald.conf' to display the full config.
 # #
Line 220: Line 219:
 </code> </code>
  
-Here's my /etc/rsyslog.conf on the logger servers+Once you have rsyslog configured and logging disabled going to journald you need to restart both logging services.  Then you should start seeing firewall logs (fw.log) in your /var/log/ directory. 
 + 
 +<cli> 
 +systemctl restart systemd-journald.service 
 +systemctl restart rsyslog.service 
 +</cli> 
 + 
  
  
 Alright I have the basics running now but need to address a couple of things.   Alright I have the basics running now but need to address a couple of things.  
 +
 +=== The Syslog Server - syslog01 ===
 +FIXME
 +
 +Now you should see both servers "logger02 and logger01" in the log file on your syslog server. 
 +<file>
 +2025-06-11T04:32:24+00:00 logger02 kernel: [514514.807037] FIREWALL_LOG: DROP IN=eth0 OUT= MAC=62:4b:80:04:8f:5d:fe:00:00:00:01:01:08:00 SRC=5.188.206.54 DST=209.38.71.201 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=22090 PROTO=TCP SPT=8080 DPT=3344 WINDOW=1024 RES=0x00 SYN URGP=0 
 +2025-06-11T04:32:24+00:00 logger01 kernel: [ 3309.873056] FIREWALL_LOG: DROP IN=eth0 OUT= MAC=f6:5a:cb:13:e6:33:fe:00:00:00:01:01:08:00 SRC=79.124.8.112 DST=137.184.122.230 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=54321 PROTO=TCP SPT=41609 DPT=34567 WINDOW=65535 RES=0x00 SYN URGP=0
 +</file>
  
   - <del>We are logging a ton of traffic like all of my SSH connectivity.  I need to tune this down and get into some rate limiting or things will get messy really quick.</del> **DONE**   - <del>We are logging a ton of traffic like all of my SSH connectivity.  I need to tune this down and get into some rate limiting or things will get messy really quick.</del> **DONE**
   - Even though I have loaded RSYSLOG all logs are still going to the systemd logs.  I want to keep the system logs pointed to systemd (let it do its thing) and have all of the firewalls logs sent to /var/log for text based processing. :!: I thought this was going to be an option, turns out log flexibility has gone away now that the world of Linux has push to systemd   - Even though I have loaded RSYSLOG all logs are still going to the systemd logs.  I want to keep the system logs pointed to systemd (let it do its thing) and have all of the firewalls logs sent to /var/log for text based processing. :!: I thought this was going to be an option, turns out log flexibility has gone away now that the world of Linux has push to systemd
- 
  
 FIXME FIXME
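Review bot: the new `=== The Syslog Server - syslog01 ===` section is only a FIXME, so the page now shows logger01 and logger02 sending to UDP 514 but nothing about how syslog01 listens or which file the two sample lines were read from; add the receiving rsyslog.conf (at least the UDP input and the file the FIREWALL_LOG messages land in). In the `<file>` sample the DST values are the loggers' own public addresses and the MAC fields are their interfaces, so consider redacting those before this is published. Also, "logging disabled going to journald" in the new restart sentence is hard to parse: name the journald.conf setting that was changed (the highlighted line 34 in the block above) so the restart step is reproducible.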
Line 238: Line 252:
 By implementing this iptables policy, a firewall that allows SSH on port 22, denies all other inbound traffic, and logs both accepted and denied packets with the desired prefix can be created. By implementing this iptables policy, a firewall that allows SSH on port 22, denies all other inbound traffic, and logs both accepted and denied packets with the desired prefix can be created.
  
- +[[:about|CONTACT ME:]] if you think I missed something, need to update anything, or you just have questions. Follow the contact rules or spam filters will get you. 
    
  
    
  • technical/remote_syslog_setup.1749615783.txt.gz
  • Last modified: 2025/06/11 04:23
  • by super_stunder