Setting up Rsyslog Server for Log Collection using Vagrant Boxes

Bolaji Ladokun
Jan 16, 2021

My guess is that you are reading this blog post because you need to collect logs from Linux hosts into a central location. If so, I will try to make it easy and clear. According to the official documentation, rsyslog is a kind of Swiss army knife of logging: it can accept input from a wide variety of sources, transform it, and output the results to diverse destinations.

Rsyslog extends the syslog protocol with features such as:

  • RELP protocol support
  • Buffered operation
  • Listening on TCP and UDP
  • Loading a large number of modules
  • Discarding messages after one or more rules have matched

Rsyslog provides a robust way of collecting logs for security monitoring and analysis. Together, we will walk through how to collect logs into an rsyslog server using Ubuntu Vagrant boxes.

Prerequisite: install Vagrant on your host machine; here is a good way to get started with Vagrant.

Asset list:
Rsyslog server: 192.168.33.10
Client machine: 192.168.33.11

Task 1: Prepare the Rsyslog Server

1. Get the Ubuntu Bionic Vagrant box
~# mkdir syslog-server
~# cd syslog-server
~# vagrant init ubuntu/bionic64

2. Assign an IP to the Vagrant box
Edit the Vagrantfile in the syslog-server folder.
Remove the # in front of the config.vm.network "private_network" line and set its IP address to 192.168.33.10

3. Power up the rsyslog server

~# vagrant up

Task 2: Prepare the Client Machine

1. Get the Ubuntu Bionic Vagrant box
~# mkdir client-ubuntu
~# cd client-ubuntu
~# vagrant init ubuntu/bionic64

2. Assign an IP to the Vagrant box
Edit the Vagrantfile in the client-ubuntu folder.
Remove the # in front of the config.vm.network "private_network" line and set its IP address to 192.168.33.11

3. Power up the client machine

~# vagrant up

Task 3: Configure the Rsyslog Server

1. Connect to the rsyslog server
~# cd syslog-server
~# vagrant ssh

2. Verify rsyslogd is installed

~# rsyslogd -v

3. Install rsyslog if it is not installed

~# sudo apt install rsyslog

4. Now check whether the rsyslog service is enabled

~# systemctl status rsyslog

5. If it is not running, start the service and then enable it

~# sudo systemctl start rsyslog
~# sudo systemctl enable rsyslog

6. Open the rsyslog configuration file

~# sudo vi /etc/rsyslog.conf

Use nano editor if you are more comfortable with that.

7. Rsyslog supports both UDP and TCP for log transport; let's enable both. In the config file, locate the lines below:

module(load="imtcp")
input(type="imtcp" port="514")
module(load="imudp")
input(type="imudp" port="514")

Remove the # in front of these lines.

8. Then enable the Unix socket module and the journal module by removing the # in front of them.

module(load="imuxsock") # provides support for local system logging
module(load="imjournal") # provides the ability to import structured log messages from the systemd journal into syslog

9. Let's store the received logs in one directory per hostname. Add the following template and rule:

$template RemoteMachineLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?RemoteMachineLogs
& ~

10. Restart the rsyslog service.

~# sudo systemctl restart rsyslog

11. Verify that the port is accepting connections

~# netstat -tulnp | grep "rsyslog"

12. Allow connections to port 514 through the host-based firewall on the rsyslog server

~# sudo ufw allow 514/udp
~# sudo ufw allow 514/tcp
~# sudo ufw reload

Task 4: Configure the Client Machine

1. Connect to the client machine
~# cd client-ubuntu
~# vagrant ssh

2. Verify rsyslogd is installed

~# rsyslogd -v

3. Install rsyslog if it is not installed

~# sudo apt install rsyslog

4. Now check whether the rsyslog service is enabled

~# sudo systemctl status rsyslog

5. If it is not running, start the service and then enable it

~# sudo systemctl start rsyslog
~# sudo systemctl enable rsyslog

6. Open the rsyslog configuration file

~# sudo nano /etc/rsyslog.conf

7. Let's forward the logs to the syslog server. Add the following line:

*.* action(type="omfwd" target="192.168.33.10" port="514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")

8. Restart the rsyslog service.

~# sudo systemctl restart rsyslog

9. On the rsyslog server, verify that logs are already being received

~# sudo ls -la /var/log/

The client machine is already sending logs; its hostname is mime.
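To make concrete what step 9 of Task 3 and step 7 of Task 4 set up, here is an added Python model (not part of the original post and not rsyslog's own code) of how the server turns each line it receives on port 514 into a file under /var/log/%HOSTNAME%/%PROGRAMNAME%.log. The sample lines are constructed; the secpath_replace function mirrors rsyslog's secpath-replace property option, which the template above does not use, and which matters because the hostname in each line is set by whichever client sent it.

```python
import re
from pathlib import PurePosixPath

# Constructed samples in the RFC 3164 shape omfwd sends to imtcp: <PRI>TIMESTAMP HOST TAG[PID]: MSG
SAMPLE_LINES = [
    "<38>Jan 16 10:15:01 mime sshd[1204]: Accepted publickey for vagrant from 192.168.33.1 port 51234 ssh2",
    "<86>Jan 16 10:15:02 mime sudo:  vagrant : TTY=pts/0 ; COMMAND=/bin/systemctl restart rsyslog",
    "<13>Jan 16 10:15:03 rack1/mime logger: hostname with a slash in it",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                            # priority = facility * 8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. "Jan 16 10:15:01"
    r"(?P<host>\S+) "                                  # %HOSTNAME%
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?:\s?"      # %PROGRAMNAME% with optional [pid]
    r"(?P<msg>.*)$"
)

def parse_syslog(line):
    """Split one received line into the properties rsyslog exposes to templates."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "hostname": m.group("host"), "programname": m.group("tag"),
            "pid": m.group("pid"), "msg": m.group("msg")}

def secpath_replace(field):
    # Same effect as rsyslog's secpath-replace option: hostname and tag arrive from the
    # network, so a '/' inside them must not act as a path separator in the file name.
    return field.replace("/", "_")

def log_path(event, base="/var/log"):
    """Destination chosen by $template RemoteMachineLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"."""
    host = secpath_replace(event["hostname"])
    prog = secpath_replace(event["programname"])
    return str(PurePosixPath(base) / host / (prog + ".log"))

def route(lines):
    """Group messages by destination file, as the *.* ?RemoteMachineLogs rule does."""
    out = {}
    for line in lines:
        ev = parse_syslog(line)
        out.setdefault(log_path(ev), []).append(ev["msg"])
    return out

if __name__ == "__main__":
    for path, msgs in route(SAMPLE_LINES).items():
        print(path, "<-", len(msgs), "message(s)")
```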
