Routing Linux-Based Service Logs to SIEM Using Rsyslog

Overview


This document explains how to forward the logs of services running on Linux
to the Logsign Unified SecOps Platform over the syslog protocol, using rsyslog.


Prerequisites

● All Logsign versions support this integration.


Qualification


Services running on Linux write their logs to files on local storage. Check the
configuration of the service you are using to find where its log file is written.
Once the rsyslog configuration below is in place, the rsyslog service reads that log file
as new lines are appended and sends each line to the SIEM with the syslog
protocol.


Requirements


● Firewall access from the log source to the Logsign Unified SecOps Platform syslog IP on UDP port 514
● A user with root privileges on the log source for installation and
configuration
● For the rsyslog installation step only: outbound access from the log source to its
package repositories (apt or yum) while the installation runs
Services Used in the Configuration
● Rsyslog
Explanation: The Rsyslog service is preinstalled on most modern Linux distributions.
Configuration
1-> Connect to the log source over SSH with a user that has root privileges.

 


2-> Install rsyslog, or update it if it is already installed.
Follow the procedure for your Linux distribution.
If you do not know which distribution and version you are running, the command
below shows it.

Bash$ :  hostnamectl


Debian-based Linux distributions (Ubuntu etc.);

Bash$ : apt update && apt install rsyslog

RHEL-based Linux distributions (CentOS, Oracle Linux etc.); on RHEL 8 and later, dnf can be used in place of yum with the same arguments.

Bash$ : yum update && yum install rsyslog

 

3-> Determine where the service whose logs you want to forward writes its log
file.
Common default log locations are listed below as examples. Which of them exist depends on
the distribution: Debian-based systems use /var/log/auth.log and RHEL-based systems use
/var/log/secure for the same authentication events, for instance.

/var/log/messages : General messages and system-related events
/var/log/secure or /var/log/auth.log : Authentication logs
/var/log/kern.log : Kernel logs
/var/log/cron.log : Cron daemon logs (cron jobs)
/var/log/maillog : Mail server logs
/var/log/httpd/access_log : Apache access logs
/var/log/httpd/error_log : Apache error logs
/var/log/lighttpd/access_log : Lighttpd access logs
/var/log/lighttpd/error_log : Lighttpd error logs
/var/log/nginx/access.log : Nginx access logs
/var/log/nginx/error.log : Nginx error logs
/var/log/apt/ : apt/apt-get command history and logs directory
/var/log/yum.log or /var/log/dnf.log : yum/dnf command logs
/var/log/boot.log : System boot log
/var/log/mysqld.log : MySQL database server log file
/var/log/wtmp (and /var/run/utmp) : Login records; these are binary files, not line-based text, so they are not suitable for forwarding with this method
/var/log/audit/audit.log : auditd (Linux audit) log file

 

As an example, the auditd logs will be forwarded.
/var/log/audit/audit.log -> the file to read the logs from.


4-> Create the rsyslog configuration. Files placed under /etc/rsyslog.d/ are included by the main rsyslog.conf on most distributions.

Bash$ :  vi /etc/rsyslog.d/audit_logs_to_logsign.conf

 

After opening the file with the vi editor, press the "i" key to enter insert mode.


When the word INSERT appears at the bottom left of the terminal, copy the configuration
block below.

########## Audit Logging
# Load the file-input module. Load it only once per rsyslog configuration.
$ModLoad imfile
# The file to tail, the tag prepended to each forwarded line, and a state
# file (unique per input) in which rsyslog records how far it has read.
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile stat-audit-log
# Severity and facility assigned to the lines; use a distinct facility per service.
$InputFileSeverity debug
$InputFileFacility local1
# Start monitoring the file with the settings above.
$InputRunFileMonitor

#### Log Forwarding Settings
# Forward everything with facility local1 over UDP (@) to the Logsign syslog IP.
# 10.10.11.40 is an example address; replace it with your own.
local1.debug @10.10.11.40:514

 

Paste the copied configuration block into the audit_logs_to_logsign.conf file that is
open in the vi editor in your SSH session.

 

 

 

Understanding Rsyslog Configuration

 

 

Log File Path ($InputFileName) : The full path of the log file to read.
File Tag Name ($InputFileTag) : A tag prepended to every forwarded line; choose any descriptive name.
File State Name ($InputFileStateFile) : The state file in which rsyslog records how far it has read; it must be unique per input.
SIEM Syslog IP : The IP address of the Logsign Unified SecOps Platform that the logs are sent to. The @ prefix means UDP, which is plaintext and offers no delivery guarantee.
Facility ($InputFileFacility) : Determines the channel under which the logs arrive in the SIEM.
Facilities matter when more than one service log is collected from the same Linux
source, because the SIEM uses them to tell the streams apart.
Also check that rsyslog can actually read the file: on distributions where rsyslog drops
privileges to an unprivileged user (Debian and Ubuntu use the syslog user),
/var/log/audit/audit.log is readable by root only by default, so nothing will be forwarded
unless that user is granted read access to the file.

 

If more than one service log is collected from the same Linux source, the facilities
local0 to local7 can be assigned, one per service. For example, the auditd logs above use
local1; to collect the nginx access logs from the same source as well, the rsyslog
configuration would be extended as follows. Note that imfile is loaded once at the top:
repeating $ModLoad imfile for the second input causes an error, because a module
cannot be loaded twice in one configuration.

 

# Load the file-input module once for all inputs below.
$ModLoad imfile

########## Audit Logging
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile stat-audit-log
$InputFileSeverity debug
$InputFileFacility local1
$InputRunFileMonitor

########## Nginx Access Logging
# Separate tag, state file and facility for the second input.
$InputFileName /var/log/nginx/access.log
$InputFileTag tag_nginx_access_log:
$InputFileStateFile stat-nginx_access-log
$InputFileSeverity debug
$InputFileFacility local2
$InputRunFileMonitor

#### Log Forwarding Settings
# One selector line forwards both facilities to the Logsign syslog IP (example address).
local1.debug;local2.debug @10.10.11.40:514

 

 

The facility ids defined here are needed again when the source is added in Logsign.
Note them down (for example nginx -> local2, audit -> local1) so that you can enter them
during the SIEM integration.

 


5-> When you have finished editing, press the "ESC" key, then type ":wq" and press Enter
to save the file and exit.

 


6-> After saving the config file, restart the rsyslog service to complete the work on the
log source.

 

Debian-based Linux servers (Ubuntu etc.);

Bash$ : service rsyslog restart

RHEL-based Linux servers (CentOS, Oracle Linux etc.);

Bash$ : systemctl restart rsyslog

On any systemd-based distribution either form works; confirm afterwards with systemctl status rsyslog that the service came back up without configuration errors.
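As an added example (not part of the Logsign article and not rsyslog's own tooling), the POSIX shell script below generates the multi-service configuration from steps 3 and 4 for any number of services and runs the two pre-flight checks that most often break this setup in practice: facilities that collide or fall outside local0..local7, and log files that rsyslog cannot read. It assumes the article's example SIEM address 10.10.11.40 on UDP 514 (override with the SIEM and SIEM_PORT environment variables); the `facility:path:tag` argument format and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Logsign article: build the imfile forwarding
# config for several service logs and pre-check it before writing it to
# /etc/rsyslog.d/. Each argument is "facility:path:tag" (this script's own
# format). The SIEM address defaults to the article's example IP.
SIEM="${SIEM:-10.10.11.40}"
SIEM_PORT="${SIEM_PORT:-514}"

# check_facilities SPEC... : return 1 if a facility is outside local0..local7
# or is used twice. The SIEM tells services apart by facility, so a
# collision silently merges two streams into one.
check_facilities() {
  seen=""
  for spec in "$@"; do
    fac=${spec%%:*}
    case "$fac" in
      local[0-7]) ;;
      *) echo "bad facility '$fac' (use local0..local7)" >&2; return 1 ;;
    esac
    case " $seen " in
      *" $fac "*) echo "duplicate facility '$fac'" >&2; return 1 ;;
    esac
    seen="$seen $fac"
  done
  return 0
}

# check_readable SPEC... : return 1 if any log file is missing or not
# readable by the current user. Run it as the user rsyslog drops privileges
# to (e.g. 'runuser -u syslog -- sh gen_rsyslog.sh ...' on Debian/Ubuntu)
# to catch root-only files such as /var/log/audit/audit.log.
check_readable() {
  rc=0
  for spec in "$@"; do
    rest=${spec#*:}
    path=${rest%%:*}
    if [ ! -r "$path" ]; then
      echo "cannot read '$path' as $(id -un)" >&2
      rc=1
    fi
  done
  return $rc
}

# gen_rsyslog_conf SPEC... : print the config. imfile is loaded exactly once
# (loading it per block is an error), every input gets its own tag and state
# file, and one selector line forwards all facilities to the SIEM over UDP.
gen_rsyslog_conf() {
  printf '$ModLoad imfile\n'
  sel=""
  for spec in "$@"; do
    fac=${spec%%:*}
    rest=${spec#*:}
    path=${rest%%:*}
    tag=${rest#*:}
    printf '\n########## %s (%s)\n' "$tag" "$fac"
    printf '$InputFileName %s\n' "$path"
    printf '$InputFileTag %s:\n' "$tag"
    printf '$InputFileStateFile stat-%s\n' "$tag"
    printf '$InputFileSeverity debug\n'
    printf '$InputFileFacility %s\n' "$fac"
    printf '$InputRunFileMonitor\n'
    sel="${sel:+$sel;}$fac.debug"
  done
  printf '\n#### Log Forwarding Settings\n'
  printf '%s @%s:%s\n' "$sel" "$SIEM" "$SIEM_PORT"
  # Stop processing these messages here so later catch-all rules do not also
  # write a second copy to the local /var/log/syslog or /var/log/messages.
  printf '& stop\n'
}

# Usage: sh gen_rsyslog.sh local1:/var/log/audit/audit.log:tag_audit_log \
#            local2:/var/log/nginx/access.log:tag_nginx_access_log \
#            > /etc/rsyslog.d/service_logs_to_logsign.conf
if [ "$#" -gt 0 ]; then
  check_facilities "$@" && check_readable "$@" && gen_rsyslog_conf "$@"
fi
```

The trailing "& stop" line is a deliberate addition over the article's block: it keeps the tailed lines from being duplicated into the local catch-all log by the default rules, so remove it if you want a local copy as well. Before restarting, validate the written file with rsyslogd -N1, and after the restart send a test line with logger -p local1.debug "test" and confirm it arrives in Logsign under facility local1; that exercises the forwarding rule without waiting for the service to write a real log line.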

 

 
