Routing Linux-Based Service Logs to SIEM Using Rsyslog

Overview


This document explains how to forward the logs of services running on Linux operating
systems to the Logsign Unified SecOps Platform using the syslog protocol.


Prerequisites

● All Logsign versions support this integration.


Qualification


Services running on Linux write their logs to a file on the local file system.
Locate the path of that log file in the configuration of the service you want to monitor.
Once rsyslog is configured, it reads new lines from that file as they are written and
sends them to the SIEM with the syslog protocol.


Requirements


● Firewall access from the log source to the Logsign Unified SecOps Platform syslog IP on UDP port 514
● A user with root privileges on the log source for installation and configuration
● For the rsyslog installation, outbound access from the log source to its distribution's
package repositories (apt or yum/dnf), needed only during the installation
Services Used in the Configuration
● Rsyslog
Explanation: The Rsyslog service is preinstalled on most modern Linux distributions.
Configuration
1-> Connect to the log source over SSH with a user that has root privileges.

2-> Install rsyslog; if it is already installed, update it instead.
Follow the procedure for your Linux distribution.
If you do not know which distribution and version the source runs, the contents of
/etc/os-release will tell you.


Debian-based distributions (Ubuntu etc.): install or update the rsyslog package with apt.

RHEL-based distributions (CentOS, Oracle Linux etc.): install or update the rsyslog package
with yum or dnf.

3-> Determine where the service whose logs you want to forward writes its log file.
Default log locations vary by service and distribution, so check the service's own
configuration. The rest of this document uses auditd as the example.
/var/log/audit/audit.log -> the log file to read.


4-> Create the rsyslog configuration.

Create a new configuration file named audit_logs_to_logsign.conf in the rsyslog drop-in
directory (/etc/rsyslog.d/ on most distributions) and open it with the vi editor.
After opening the file, press the "i" key to switch to insert mode.
When the INSERT marker appears at the bottom left of the screen, paste the configuration
block into the file from the terminal you connected with over SSH. The fields of that
block are explained in the next section.

Understanding Rsyslog Configuration

Log File Path : The full path of the log file rsyslog should read (for example
/var/log/audit/audit.log).
File Tag Name : A tag of your choice that rsyslog prepends to every line read from this
file, so the SIEM can tell which file an event came from.
File Stat Name : A name of your choice for the state file in which rsyslog records how far
it has read, so that lines already forwarded are not sent again after a restart.
SIEM Syslog IP : The IP address of the Logsign Unified SecOps Platform the logs are sent to.
Facility : The syslog facility the logs are sent with. The SIEM uses it as the channel id,
so facilities are what let you collect more than one service's logs from the same Linux
source and keep them apart.

If more than one service is collected from the same Linux source, use a different facility
for each one; local0 through local7 are available. In this document's example the auditd
logs are sent with local1; to also collect the nginx logs from the same source, add a
second block to the rsyslog configuration with the nginx log path, its own tag and state
file name, and facility local2.

The facility ids you define are used when the source is added in Logsign, so note the
mapping (for example nginx -> local2, audit -> local1) and use it when configuring the
SIEM integration.

5-> When you have finished editing, press the "ESC" key to leave insert mode, then type
":wq" and press Enter to save the file and exit.

6-> After saving the configuration file, restart the rsyslog service. This completes the
configuration on the log source.
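The procedure of steps 4 to 6 (one drop-in file, one input block and one facility per service, a syntax check, then a restart) as an added, runnable example. This is not the configuration block from the Logsign page, which is only shown as an image there; it is written from the field descriptions above. It assumes rsyslog 8 RainerScript syntax, /etc/rsyslog.d/ as the drop-in directory, the placeholder SIEM address 192.0.2.10, and /var/log/nginx/access.log as the nginx log path; the file name follows the page's audit_logs_to_logsign.conf.

```shell
#!/usr/bin/env bash
# Added example, not the page's own configuration: generate the rsyslog drop-in that tails
# service log files with the imfile module and forwards each one under its own facility to
# the SIEM over UDP/514, then syntax-check and restart rsyslog. Assumes rsyslog 8
# (RainerScript syntax); 192.0.2.10 and the nginx path in the usage line are placeholders.
set -eu

# gen_imfile_conf SIEM_IP FACILITY:PATH:TAG [FACILITY:PATH:TAG ...]
# Prints the configuration to stdout: the imfile module loaded once, then one input()
# stanza and one forwarding rule per file. FACILITY must be local0..local7.
gen_imfile_conf() {
  local siem_ip spec facility rest path tag
  siem_ip=$1; shift
  printf 'module(load="imfile")\n'
  for spec in "$@"; do
    facility=${spec%%:*}; rest=${spec#*:}
    path=${rest%%:*};     tag=${rest#*:}
    case $facility in
      local[0-7]) ;;
      *) printf 'gen_imfile_conf: bad facility "%s" (use local0..local7)\n' "$facility" >&2
         return 1 ;;
    esac
    printf '\n# %s -> facility %s\n' "$path" "$facility"
    # File = the page's "Log File Path", Tag = "File Tag Name" (the trailing colon separates
    # the tag from the message text), Facility = the channel id the SIEM keys on. The page's
    # "File Stat Name" is the legacy $InputFileStateFile; rsyslog 8 manages state files on
    # its own in the global workDirectory, so it is not set here.
    printf 'input(type="imfile" File="%s" Tag="%s:" Facility="%s" Severity="info")\n' \
      "$path" "$tag" "$facility"
    # Single @ = UDP (@@ would be TCP). "& stop" reuses the selector of the previous line
    # and keeps these events out of /var/log/messages (or /var/log/syslog), which the
    # distribution's catch-all rule would otherwise also write. That only works when this
    # drop-in is evaluated before the catch-all rule: true on RHEL-based systems; on Ubuntu
    # the default rules live in /etc/rsyslog.d/50-default.conf, so a file sorting after
    # "50-" still gets the duplicate unless you rename it with a lower prefix.
    printf '%s.* @%s:514\n& stop\n' "$facility" "$siem_ip"
  done
}

# install_conf CONF_PATH SIEM_IP SPEC...: write the drop-in, parse-check the whole rsyslog
# configuration with the new file in place, and only then restart the service.
install_conf() {
  local conf
  conf=$1; shift
  gen_imfile_conf "$@" > "$conf"
  chmod 0644 "$conf"
  rsyslogd -N1          # non-zero exit = syntax error; "set -e" aborts before the restart
  systemctl restart rsyslog
}

# Usage, as root on the log source (running with no arguments only defines the functions):
#   ./logsign_imfile.sh 192.0.2.10 \
#       local1:/var/log/audit/audit.log:audit \
#       local2:/var/log/nginx/access.log:nginx
if [ $# -gt 0 ]; then
  install_conf /etc/rsyslog.d/audit_logs_to_logsign.conf "$@"
fi
```

After the restart, a quick end-to-end check is to run `logger -p local1.info "logsign forward test"` on the source and confirm the event shows up under the local1 source in Logsign; if it does not, the audit events will not either, and the firewall rule from the Requirements section is the first thing to verify. Keep in mind that plain syslog over UDP/514 is neither encrypted nor acknowledged: dropped datagrams are lost silently and anyone on the path can read the audit records, so if the platform accepts TCP or TLS input, switch the forwarding line to `@@` and that transport.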

 

