Differences

This shows you the differences between two versions of the page.

--- technical:remote_syslog_setup [2025/06/11 04:28] – super_stunder
+++ technical:remote_syslog_setup [2025/06/11 04:45] (current) – [Going against the Linux Gods] super_stunder
@@ Line 90: / Line 90: @@
 Here is a my /etc/rsyslog.conf file from the log servers.  This prevents FW logs from showing up in the kernel log and sends them to their own log file (easier to work with)
 <codeprism title=rsyslog.conf el=true hl=52-62>
 # /etc/rsyslog.conf configuration file for rsyslog
@@ Line 153: / Line 151: @@
 :msg, contains, "FIREWALL_LOG:" stop
-# Send all other messages to the journald socket
+# Send all other messages to the journald socket - not sure this is needed I am doing it all in syslog now might remove later.
 *.* action(type="omuxsock" Socket="/run/systemd/journal/syslog")
@@ Line 175: / Line 173: @@
 *.emerg				:omusrmsg:*
 </codeprism>
@@ Line 222: / Line 219: @@
 </code>
-Here's my /etc/rsyslog.conf on the logger servers.
+Once you have rsyslog configured and logging disabled going to journald you need to restart both logging services.  Then you should start seeing firewall logs (fw.log) in your /var/log/ directory.
+<cli>
+systemctl restart systemd-journald.service
+systemctl restart rsyslog.service
+</cli>
 Alright I have the basics running now but need to address a couple of things.
+=== The Syslog Server - syslog01 ===
+FIXME
+Now you should see both servers "logger02 and logger01" in the log file on your syslog server.
+<file>
+-06-11T04:32:24+00:00 logger02 kernel: [514514.807037] FIREWALL_LOG: DROP IN=eth0 OUT= MAC=62:4b:80:04:8f:5d:fe:00:00:00:01:01:08:00 SRC=5.188.206.54 DST=209.38.71.201 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=22090 PROTO=TCP SPT=8080 DPT=3344 WINDOW=1024 RES=0x00 SYN URGP=0
+-06-11T04:32:24+00:00 logger01 kernel: [ 3309.873056] FIREWALL_LOG: DROP IN=eth0 OUT= MAC=f6:5a:cb:13:e6:33:fe:00:00:00:01:01:08:00 SRC=79.124.8.112 DST=137.184.122.230 LEN=40 TOS=0x00 PREC=0x20 TTL=242 ID=54321 PROTO=TCP SPT=41609 DPT=34567 WINDOW=65535 RES=0x00 SYN URGP=0
+</file>
   - <del>We are logging a ton of traffic like all of my SSH connectivity.  I need to tune this down and get into some rate limiting or things will get messy really quick.</del> **DONE**
   - Even though I have loaded RSYSLOG all logs are still going to the systemd logs.  I want to keep the system logs pointed to systemd (let it do its thing) and have all of the firewalls logs sent to /var/log for text based processing. :!: I thought this was going to be an option, turns out log flexibility has gone away now that the world of Linux has push to systemd
 FIXME
@@ Line 240: / Line 252: @@
 By implementing this iptables policy, a firewall that allows SSH on port 22, denies all other inbound traffic, and logs both accepted and denied packets with the desired prefix can be created.
+[[:about|CONTACT ME:]] if you think I missed something, need to update anything, or you just have questions. Follow the contact rules or spam filters will get you.