Overview
This document explains the steps for forwarding the logs of services running on Linux
operating systems to the Logsign Unified SecOps Platform over the syslog protocol.
Prerequisites
● All Logsign versions support this integration.
Qualification
Services running on the Linux operating system write their logs to a file on the system
storage.
Find out where the service writes its logs from the settings of the service you are using.
After the rsyslog configuration described here, the service logs written to that directory in the
storage area are read by the rsyslog service and sent to the SIEM with the syslog
protocol.
Requirements
● Firewall access (from the log source -> Logsign Unified SecOps Platform syslog IP -> UDP port 514)
● A user with root privileges on the source to be logged, for installation and
configuration
● For the rsyslog installation, the log source only needs firewall access for apt during
the installation process.
Services Used in the Configuration
● Rsyslog
Explanation: The Rsyslog service is preinstalled on most modern Linux distributions.
Configuration
1-> Connect to the log source via SSH and obtain root access.
2-> Install rsyslog; if it is already installed, update it.
Follow the procedure below according to your current Linux distribution.
If you do not know the Linux distribution version, you can find out by running the command
below.
Debian based Linux distributions (Ubuntu etc.);
RHEL based Linux distributions (CentOS, Oracle etc.);
3-> Determine where the log file of the service whose logs you want to forward is
written.
Default service log directories are shared as an example below.
As an example, auditd logs will be taken.
/var/log/audit/audit.log -> File to get the logs from.
4-> Configure rsyslog.
After opening the file with the vi editor, activate edit mode by pressing the "i" key on
the keyboard.
When the INSERT text is shown at the bottom left as above, copy the configuration
block below.
In the terminal you SSHed into, paste the copied configuration block into the
audit_logs_to_logsign.conf file that you opened with the vi editor.
Understanding Rsyslog Configuration
Log File Path : The full path of the log file to be read.
File Tag Name : A tag name assigned to the log file; any name can be used.
File Stat Name : A stat (state file) name assigned to the log file; any name can be used.
SIEM Syslog IP : The IP address of the Logsign Unified SecOps Platform that the logs are sent to.
Facility : Determines the channel id with which the logs are sent to the SIEM.
Facilities are important when collecting more than one service's logs from the same Linux
source.
If more than one service's logs will be collected from the same Linux source, the facilities can
be defined from local0 to local7. For example, we took the auditd logs on local1; if
we also wanted to collect the nginx logs from this source, we would add to the
rsyslog configuration as follows.
The defined facility ids will be used in the Logsign source-addition section.
Take notes such as nginx -> local2, audit -> local1, so that you can add the sources in
the SIEM integration according to these notes.
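An example rsyslog configuration of the kind described in step 4 and in the facility notes above, covering both the auditd (local1) and nginx (local2) cases. It is added here and is not the page's own configuration block; the SIEM IP 192.0.2.10 is a placeholder, and the tag names, state-file names and nginx log path are assumptions:

```conf
# Added example (not the page's own block): /etc/rsyslog.d/audit_logs_to_logsign.conf
# 192.0.2.10 is a placeholder for the SIEM Syslog IP; tag and state-file
# names are assumed, any unique names work.

# Load the file-input module once per configuration.
$ModLoad imfile

# --- auditd: facility local1 ---
# Log File Path
$InputFileName /var/log/audit/audit.log
# File Tag Name (assumed); prefixed to every message read from this file
$InputFileTag audit_log:
# File Stat Name (assumed); must be unique per monitored file
$InputFileStateFile stat-audit_log
$InputFileSeverity info
# Facility: the channel id the SIEM uses to tell this service apart
$InputFileFacility local1
$InputRunFileMonitor

# --- nginx: facility local2 (second service on the same source) ---
# default nginx access log path (assumed)
$InputFileName /var/log/nginx/access.log
$InputFileTag nginx_access:
$InputFileStateFile stat-nginx_access
$InputFileSeverity info
$InputFileFacility local2
$InputRunFileMonitor

# Forward each facility to the SIEM Syslog IP over UDP 514
# (a single @ means UDP, @@ would mean TCP).
# "& stop" keeps the forwarded lines out of the local /var/log files;
# on rsyslog versions before 7 use "& ~" instead.
local1.* @192.0.2.10:514
& stop
local2.* @192.0.2.10:514
& stop
```

Validate the file with `rsyslogd -N1` before restarting the service, and confirm that the firewall rule for UDP 514 towards the SIEM listed under Requirements is in place, otherwise the forwarded messages are silently dropped.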
5-> When you complete the editing, save and exit by first pressing the "ESC"
key and then typing ":wq".
6-> After saving the config file, restart the rsyslog service; this completes the operations
on the log source.