Setting up a multi-tiered log infrastructure Part 8 -- Rsyslog Setup
Setup for Logging
Setup rsyslog node
Install/upgrade to the latest rsyslog
yum update rsyslog
Create the rsyslog spool (work) directory. The forwarding queue configured later spools to disk here through rsyslog's workDirectory setting, which the stock RHEL-family rsyslog.conf points at /var/lib/rsyslog; without the directory the disk-assisted queue cannot be created.
mkdir /var/lib/rsyslog
Setup Note: A custom rsyslog.conf is available for the CLR node; it receives logs on tcp port 514 by default. Copy the content from the appendices into the appropriate files.
Path: /etc/rsyslog.conf (rsyslog.conf for the CLR server)
Edit the rsyslog config
vi /etc/rsyslog.conf
Uncomment the lines for the action and change server.domain.tld to the name of your master node. Don't do this until you are ready to ship logs: once enabled, messages the master cannot accept are buffered in the queue rather than dropped (queue.filename turns the in-memory LinkedList queue into a disk-assisted one that spools to the work directory created above), so a master outage fills the spool instead of losing logs until the queue is exhausted.
#action(type="omfwd"
# target="server.domain.tld"
# port="10514"
# protocol="tcp"
# queue.filename="wait_queue"
# queue.size="1000000"
# queue.type="LinkedList"
# )
Label tcp/10514 as a syslog port in SELinux policy so rsyslog (running as syslogd_t) is permitted to connect to it on the master. Without this the forwarder's connection is denied; the denial appears as an AVC in the audit log, not as an rsyslog error. Verify the label afterward with semanage port -l.
semanage port -a -t syslogd_port_t -p tcp 10514
Setup Note: There are two possible build options.
- Option 1 build a single server that handles log reception and storage. This is perfectly acceptable if losing a few logs during maintenance is okay.
- Option 2 utilizes an HA cluster for aggregating the logs with a third rsyslog server.
Option 1: Edit settings to allow incoming udp as well as tcp (the supplied config already listens on tcp 514, so only the udp lines need uncommenting; use straight ASCII quotes in the file, not typographic ones)
Uncomment #module(load="imudp")
Uncomment #input(type="imudp" port="514")
Option 2: Settings to edit
Nothing to do if using the proper config
Restart the rsyslog service
systemctl restart rsyslog.service
Setup Note: rsyslog offers many input options, which are too extensive to cover in depth. It is assumed that endpoint devices will be using either tcp or udp for syslog services.
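The edit described above, enabling the omfwd block and pointing it at the master, is easy to get wrong by hand (a stray typographic quote or a forgotten leading #). The script below is an added example, not part of the original page: it performs the same edit on a copy of the config with sed, touching only the lines from #action(type="omfwd" to the closing # ), and then runs rsyslog's own syntax check when rsyslogd is available. The master hostname master.example.com and the sample config fragment are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): enable the omfwd forwarding block
# in a copy of rsyslog.conf and point it at the master node.
# Assumptions: the master is called master.example.com (hostnames never contain
# '/' or '&', so it is safe inside the sed replacement); we edit a temporary
# copy, never /etc/rsyslog.conf directly.

# Constructed sample of the relevant part of the page's rsyslog.conf, with the
# forwarding action still commented out (as shipped).
sample_conf() {
cat <<'EOF'
# local reception on the CLR node
module(load="imtcp")
input(type="imtcp" port="514")

# forward to the master node (leave commented until ready to ship logs)
#action(type="omfwd"
#  target="server.domain.tld"
#  port="10514"
#  protocol="tcp"
#  queue.filename="wait_queue"
#  queue.size="1000000"
#  queue.type="LinkedList"
#  )
EOF
}

# enable_forwarding MASTER  (filter: stdin -> stdout)
# Strips the leading '#' only on the lines from '#action(type="omfwd"' down to
# the closing '#  )' and substitutes the master hostname on the target line.
# Every other comment in the file is left untouched.
enable_forwarding() {
  master=$1
  sed -e '/^#action(type="omfwd"/,/^# *)/{ s/^#//; s/server\.domain\.tld/'"$master"'/; }'
}

# enabled_target FILE: print the hostname the rendered config forwards to
# (empty if the action is still commented out).
enabled_target() {
  sed -n 's/^[[:space:]]*target="\([^"]*\)".*/\1/p' "$1"
}

# check_conf FILE: run rsyslog's own syntax check when rsyslogd is installed.
# -N1 parses the config without starting the daemon.
check_conf() {
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 -f "$1"
  else
    echo "rsyslogd not installed on this host; syntax check skipped" >&2
  fi
}

# Demo: render the enabled config to a temp file and show the result.
tmp=$(mktemp)
sample_conf | enable_forwarding master.example.com > "$tmp"
echo "forwarding target: $(enabled_target "$tmp")"
check_conf "$tmp" || echo "rsyslogd rejected the rendered config" >&2
rm -f "$tmp"
```

To apply this to the real file, run `enable_forwarding` over a copy of /etc/rsyslog.conf, check it with `rsyslogd -N1 -f copy`, and only then move it into place and restart the service; the check catches quoting mistakes before the daemon is restarted with a broken config.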
Configure firewalld rules
Now that the config file is edited, let’s make some firewall rule changes. If for some reason you aren’t using a firewall then you can skip this.
Configure a default zone with firewalld (the default zone is assumed to already be set to "internal"; confirm with firewall-cmd --get-default-zone before adding rules, since the commands below target that zone by name)
Create new service files for our rsyslog node, one for tcp and one for udp
vi /etc/firewalld/services/rsyslog-tcp.xml
Use this as the contents for rsyslog-tcp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>rsyslog-tcp</short>
  <description>rsyslog server access for default tcp port.</description>
  <port protocol="tcp" port="514"/>
</service>
Edit /etc/firewalld/services/rsyslog-udp.xml
vi /etc/firewalld/services/rsyslog-udp.xml
Insert this text
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>rsyslog-udp</short>
  <description>rsyslog server access for default udp port.</description>
  <port protocol="udp" port="514"/>
</service>
Permanently create selinux context labels
semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/rsyslog-tcp.xml
semanage fcontext -a -t firewalld_etc_rw_t -s system_u /etc/firewalld/services/rsyslog-udp.xml
Apply the new selinux labels
restorecon -vF /etc/firewalld/services/rsyslog-tcp.xml
restorecon -vF /etc/firewalld/services/rsyslog-udp.xml
Option 1: Setup firewall rules to allow tcp and udp connections from any host
Add services (or ports) to allowed rules
firewall-cmd --permanent --zone=internal --add-service=rsyslog-tcp
firewall-cmd --permanent --zone=internal --add-service=rsyslog-udp
You can define ports instead of services if you prefer. Keep --permanent either way: a rule added without it exists only in the runtime configuration and is discarded by the --reload below.
firewall-cmd --permanent --zone=internal --add-port=514/tcp
firewall-cmd --permanent --zone=internal --add-port=514/udp
Option 2: Setup firewall rules to allow tcp connections from log aggregators
Add rich rules to allow tcp connections from aggregator nodes.
Setup Note: Run this command once per log aggregator, substituting each aggregator's IP address for xxx.xxx.xxx.xxx (with two aggregators, run it twice). Wrap the rule in single quotes so the double quotes inside the rule reach firewall-cmd intact instead of being consumed by the shell.
firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xxx/32" service name="rsyslog-tcp" accept'
Reload the current firewall config
firewall-cmd --reload
Check the zone and verify the services (for Option 2 the rich rules are not included in the service list; use --list-rich-rules or --list-all on the zone to confirm them)
firewall-cmd --zone=internal --list-services
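The firewall steps above, taken together, are a small procedure: two service definition files, then one rich rule per aggregator. The script below is an added example, not part of the original page: it renders the two service files, validates each aggregator address before building a rich rule from it, and emits the firewall-cmd invocations. Because rich rules are assembled by string concatenation, an address pulled from a host list without validation could carry extra rule tokens into the firewall, so the address check is the security-relevant part. The aggregator addresses 192.0.2.10 and 192.0.2.11 (documentation range) stand in for the page's xxx.xxx.xxx.xxx, and firewall-cmd is only echoed unless FIREWALL_CMD=firewall-cmd is exported, so the script runs safely on a host without firewalld.

```shell
#!/bin/sh
# Added example (not from the original page): generate the two firewalld service
# definitions and build the Option 2 rich rules for a list of log aggregators.
# Assumptions: aggregator addresses 192.0.2.10 and 192.0.2.11 stand in for the
# page's xxx.xxx.xxx.xxx; firewall-cmd is only echoed unless the caller sets
# FIREWALL_CMD=firewall-cmd, so this is a dry run on hosts without firewalld.

FIREWALL_CMD=${FIREWALL_CMD:-"echo firewall-cmd"}

# service_xml NAME PROTO PORT: body of a firewalld service file such as
# /etc/firewalld/services/rsyslog-tcp.xml
service_xml() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$1</short>
  <description>rsyslog server access for default $2 port.</description>
  <port protocol="$2" port="$3"/>
</service>
EOF
}

# valid_ipv4 ADDR: dotted quad, four octets each 0-255, nothing else.
# Rich rules are built by string concatenation, so an unvalidated address taken
# from a host list could smuggle extra rule tokens (e.g. "10.0.0.1 service name=ssh")
# into the firewall. Reject anything that is not a bare address.
valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# rich_rule ADDR: allow tcp syslog from one aggregator, as in the page's rule
# (the /32 pins it to a single host).
rich_rule() {
  printf 'rule family="ipv4" source address="%s/32" service name="rsyslog-tcp" accept\n' "$1"
}

# apply_aggregator_rules ADDR...: one permanent rich rule per aggregator in the
# internal zone, then a reload so the permanent rules become active.
# Refuses to touch the firewall at all if any address fails validation.
apply_aggregator_rules() {
  for addr in "$@"; do
    valid_ipv4 "$addr" || { echo "invalid aggregator address: $addr" >&2; return 1; }
  done
  for addr in "$@"; do
    $FIREWALL_CMD --permanent --zone=internal --add-rich-rule="$(rich_rule "$addr")"
  done
  $FIREWALL_CMD --reload
}

# Demo (dry run): write the service files to a temp dir and print the commands.
tmpdir=$(mktemp -d)
service_xml rsyslog-tcp tcp 514 > "$tmpdir/rsyslog-tcp.xml"
service_xml rsyslog-udp udp 514 > "$tmpdir/rsyslog-udp.xml"
apply_aggregator_rules 192.0.2.10 192.0.2.11
rm -rf "$tmpdir"
```

Run it once as a dry run to review the generated commands, then rerun with FIREWALL_CMD=firewall-cmd as root to apply them; the permanent rules only take effect after the final --reload, which is why the function issues it itself.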