:orphan:

===================
Rsyslog Integration
===================

"""""""""""
Description
"""""""""""

This article is an example of Rsyslog Server integration with Swivel Secure Appliance. Any Operating System that supports Rsyslog Server can be configured with the information given. If further details on Rsyslog Server are required, please have a look at this documentation, which explains `Rsyslog Server `_ fully.

"""""""""""""""""""""""
Appliance Compatibility
"""""""""""""""""""""""

* AuthControl Sentry 4.0.x or higher
* Rsyslog 5.8 or higher

For demonstration purposes, this example of integration has been done with:

**Swivel Secure Appliance**

Operating System: CentOS 6

Swivel Secure Core Version: 4.1.2

**Rsyslog Server**

Operating System: Debian

Kernel: Linux debian 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

"""""""""""""""""""""""
Sentry Syslog Standards
"""""""""""""""""""""""

When logs are collected with the syslog mechanism, three important things must be taken into consideration:

* **Facility level**: what type of processes to monitor
* **Severity (priority) level**: what type of log messages to collect
* **Host**: appliance host detail

The facility levels define a way to categorize internal system processes. Some of the common standard facilities in Swivel Secure Appliance are:

* **kern**: messages related to the kernel
* **user**: user-level messages
* **mail**: messages related to internal mail servers
* **daemon**: messages related to daemons (internal servers)
* **auth**: messages related to authentication (login)
* **syslog**: messages related to the syslog daemon itself
* **lpr**: messages related to print servers
* **news**: network news subsystem
* **uucp**: Unix-to-Unix copy subsystem
* **cron**: messages related to scheduled processes or applications
* **authpriv**: security/authentication messages
* **ftp**: messages related to ftp servers
* **local0 - local7**: messages defined by the user (local7 is usually used by Cisco and Windows servers)

The severity level is the minimum level of logging entries that will be sent to the external syslog server. Logging to a syslog server may be disabled entirely by selecting Off. These are the levels of logging:

* **Fatal**
* **Error**
* **Warning**
* **Info**
* **Off**

""""""""""""""""""""""""""""""""""""""
Rsyslog Configuration in Remote Server
""""""""""""""""""""""""""""""""""""""

It is assumed that the rsyslog server is installed and running on the remote machine. By default, the UDP port used to set up communication is 514; the TCP port has been set to 50514. The TCP port can be changed according to the user's needs. Edit the /etc/rsyslog.conf file and apply the changes below.

Modules Configuration
#####################

.. code-block:: bash

   module(load="imuxsock") # provides support for local system logging
   module(load="imklog")   # provides kernel logging support

UDP Reception Configuration
###########################

.. code-block:: bash

   # provides UDP syslog reception
   module(load="imudp")
   input(type="imudp" port="514")

TCP Reception Configuration
###########################

.. code-block:: bash

   # provides TCP syslog reception
   module(load="imtcp")
   input(type="imtcp" port="50514")

   $template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
   *.* ?RemInputLogs

Global Directives Configuration
###############################

Uncomment and edit, or add, the lines below to set up the configuration for the Swivel Secure Appliance sender host(s).

.. code-block:: bash

   # Use traditional timestamp format.
   # To enable high precision timestamps, comment out the following line.
   $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

   $AllowedSender UDP, network_ip_range, [::1]/128, appliance-dns-or-hostname

After making all changes and additions, restart rsyslog to apply them.

.. code-block:: bash

   systemctl restart rsyslog

Logs Folder
###########

All logs will be placed according to the configuration of TCP syslog reception in the above setup.
The logs path will be **/var/log/remotelogs/192.168.1.1**, for example.

""""""""""""""""""""""""""""""
Appliance Syslog Configuration
""""""""""""""""""""""""""""""

Appliance Configuration
#######################

The steps below require access to the Command Line Interface. Edit */etc/rsyslog.conf* and follow the steps below.

Uncomment the lines under UDP syslog reception:

.. code-block:: bash

   # Provides UDP syslog reception
   $ModLoad imudp
   $UDPServerRun 514

Add **$AllowedSender** after the default timestamp format line:

.. code-block:: bash

   # Use default timestamp format
   $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
   $AllowedSender UDP, 127.0.0.1/32, [::1]/128, appliance-dns-or-hostname

Add, as the last line of *rsyslog.conf*, all logging information that should be sent to the Rsyslog Server, along with the Rsyslog Server information. If all logs are to be sent, simply add the line below:

.. code-block:: bash

   *.* @@remote-server:50514

Run the command below to check the configuration file. The output should be as per the below:

.. code-block:: bash

   rsyslogd -f /etc/rsyslog.conf -N1

The error message is due to not having a DNS setup, which is not needed in this testing case. Restart *rsyslog* with the command below:

.. code-block:: bash

   /etc/init.d/rsyslog restart

Sentry Configuration
####################

If Rsyslog is to receive all logs, set up the logs under Logging > Syslog as below, with the desired logging level:

.. image:: images/Integration/Rsyslog/sentrysyslog.png
   :align: center

If the user wishes to set up specific logs to be sent to the Rsyslog Server, please follow the next section.

""""""""""""""""""""""""
Facilities Configuration
""""""""""""""""""""""""

Appliance Configuration
#######################

Rsyslog can be set up to send and receive specific logs. This setup is handled in the Swivel Secure Appliance *rsyslog.conf* file. Edit */etc/rsyslog.conf* and add the lines below at the end of the file for the specific facilities to be sent to the remote server.

.. code-block:: bash

   cron.* @@remote-server:50514
   syslog.* @@remote-server:50514
   news.* @@remote-server:50514
   daemon.* @@remote-server:50514
   local0.* @@remote-server:50514

Run the command below to check the configuration file:

.. code-block:: bash

   rsyslogd -f /etc/rsyslog.conf -N1

Every modification applied to this file requires *rsyslog* to be restarted. Run the restart command:

.. code-block:: bash

   /etc/init.d/rsyslog restart

Sentry Configuration
####################

Sentry has a limitation on the Syslog entries: it is not possible to set up a **Host** with the same name more than once. To work around this limitation, set up as many hosts as needed in the appliance *hosts* file and configure each facility to a different host name. By default, */etc/hosts* has the entries below, and these can be used as the *Host* in the syslog configuration:

.. code-block:: bash

   127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 single.local

Syslog for **cron** with log level set to **Info**:

.. image:: images/Integration/Rsyslog/sentrysyslog2.png
   :align: center

Syslog for **syslog** with log level set to **Warning**:

.. image:: images/Integration/Rsyslog/sentrysyslog3.png
   :align: center

Syslog for **news** with log level set to **Error**:

.. image:: images/Integration/Rsyslog/sentrysyslog4.png
   :align: center

Syslog for **daemon** with log level set to **Fatal**:

.. image:: images/Integration/Rsyslog/sentrysyslog5.png
   :align: center

Syslog for **local0** with log level set to **Info**:

.. image:: images/Integration/Rsyslog/sentrysyslog6.png
   :align: center

Single Sign-On Configuration
############################

In addition to the Sentry logs, this configuration will also send the SSO portal logs to the remote Rsyslog server. Configuration should be done in 2 steps:

1. Configure logs to the desired level in General Configuration:

.. image:: images/Integration/Rsyslog/ssosyslog.png
   :align: center

2. Configure the remote server information and log facility in General Configuration:

.. image:: images/Integration/Rsyslog/ssosyslog2.png
   :align: center
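As an added example (not from the original article or from Swivel's own tooling), the following Python script cross-checks the appliance forwarding rules from the Appliance Configuration sections against the remote server setup from the Rsyslog Configuration in Remote Server section: every ``@@host:port`` (TCP) or ``@host:port`` (UDP) rule needs a matching ``input()`` listener, and ``$AllowedSender`` restricts only the protocol it names, so a server that only has ``$AllowedSender UDP`` leaves its TCP 50514 listener open to any sender. The two configurations are constructed samples; ``remote-server`` and the 192.168.1.0/24 range are assumed placeholders.

```python
import re

# Constructed sample of the remote rsyslog server config from the article:
# TCP listener on 50514, UDP listener on 514, senders restricted for UDP only.
SERVER_CONF = '''
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="50514")
$AllowedSender UDP, 192.168.1.0/24, [::1]/128, appliance-dns-or-hostname
'''

# Constructed sample of appliance forwarding rules: @@ is TCP, @ is UDP.
# "remote-server" is the placeholder hostname used in the article.
APPLIANCE_CONF = '''
cron.* @@remote-server:50514
daemon.* @@remote-server:50514
local0.* @remote-server:514
'''

INPUT_RE = re.compile(r'input\(type="im(udp|tcp)"\s+port="(\d+)"\)')
ALLOWED_RE = re.compile(r'^\$AllowedSender\s+(UDP|TCP)\s*,', re.M)
FORWARD_RE = re.compile(r'^(\S+)\s+(@@?)([\w.-]+):(\d+)', re.M)


def server_listeners(conf):
    """Map protocol -> set of ports declared with input(type="imudp"/"imtcp")."""
    listeners = {"udp": set(), "tcp": set()}
    for proto, port in INPUT_RE.findall(conf):
        listeners[proto].add(int(port))
    return listeners


def allowed_sender_protocols(conf):
    """Protocols for which $AllowedSender restricts who may send to the server."""
    return {proto.lower() for proto in ALLOWED_RE.findall(conf)}


def check_forwarding(appliance_conf, server_conf):
    """One finding per appliance rule: 'ok' (listener present and senders
    restricted), 'no_listener' (no input() on that protocol/port) or
    'unrestricted' (listener present but no $AllowedSender covers it)."""
    listeners = server_listeners(server_conf)
    restricted = allowed_sender_protocols(server_conf)
    findings = {}
    for selector, marker, _host, port in FORWARD_RE.findall(appliance_conf):
        proto = "tcp" if marker == "@@" else "udp"
        if int(port) not in listeners[proto]:
            findings[selector] = "no_listener"
        elif proto not in restricted:
            findings[selector] = "unrestricted"
        else:
            findings[selector] = "ok"
    return findings
```

With the sample configs, the two TCP rules are reported as ``unrestricted`` because the server has no ``$AllowedSender TCP`` line, while the UDP rule is ``ok``.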