Rsyslog Integration

Description

This article is an example of Rsyslog Server integration with Swivel Secure Appliance. Any operating system that supports Rsyslog Server can be configured with the information given. If further details on Rsyslog Server are required, please have a look at this documentation, which explains Rsyslog Server fully.

Appliance Compatibility

  • AuthControl Sentry 4.0.x or higher
  • Rsyslog 5.8 or higher

For demonstration purposes, this example of integration has been done with:

Swivel Secure Appliance Operating System: CentOS 6
Swivel Secure Core Version: 4.1.2

Rsyslog Server Operating System: Debian
Kernel: Linux debian 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux

Sentry Syslog Standards

When logs are collected with the syslog mechanism, three important things must be taken into consideration:

  • Facility level: what type of processes to monitor
  • Severity (priority) level: what type of log messages to collect
  • Host: appliance host detail

The facility levels define a way to categorize internal system processes. Some of the common standard facilities in Swivel Secure Appliance are:

  • kern: messages related to the kernel
  • user: user-level messages
  • mail: messages related to internal mail servers
  • daemon: messages related to daemons (internal servers)
  • auth: messages related to authentication (login)
  • syslog: messages related to the syslog daemon itself
  • lpr: messages related to print servers
  • news: network news subsystem
  • uucp: Unix-to-Unix copy subsystem
  • cron: messages related to scheduled processes or applications
  • authpriv: security/authentication messages
  • ftp: messages related to ftp servers
  • local0 - local7: messages defined by user (local7 is usually used by Cisco and Windows servers)

The severity level is the minimum level of logging entries that will be sent to the external syslog server. Logging to a syslog server may be disabled entirely by selecting Off. These are the levels of logging:

  • Fatal
  • Error
  • Warning
  • Info
  • Off

Rsyslog Configuration in Remote Server

It is assumed that the rsyslog server is installed and running on the remote machine. By default, the UDP port used for communication is 514; the TCP port has been set up as 50514. The TCP port can be changed according to the user's needs. Edit the /etc/rsyslog.conf file and apply the changes below.

Modules Configuration

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support

UDP Reception Configuration

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

TCP Reception Configuration

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="50514")
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs

Global Directives Configuration

Uncomment and edit, or add, the lines below to set up the configuration for the Swivel Secure Appliance sender host(s).

# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$AllowedSender UDP, network_ip_range, [::1]/128, appliance-dns-or-hostname

After making all changes and additions, restart rsyslog to apply them.

systemctl restart rsyslog

Logs Folder

All logs will be placed according to the TCP syslog reception template in the setup above. The log path will be /var/log/remotelogs/192.168.1.1, for example.

Appliance Syslog Configuration

Appliance Configuration

The steps below require access to the Command Line Interface. Edit /etc/rsyslog.conf and follow the steps below.

Uncomment the lines under UDP syslog reception:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

Add $AllowedSender after the default timestamp format line:

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$AllowedSender UDP, 127.0.0.1/32, [::1]/128, appliance-dns-or-hostname

Add to the last line of rsyslog.conf all logging information that should be sent to the Rsyslog Server, along with the Rsyslog Server information. If all logs are to be sent, simply add the below:

*.*  @@remote-server:50514

Run the command below to check the configuration file. It should output as per the below:

rsyslogd -f /etc/rsyslog.conf -N1

The error message is due to not having a DNS setup, which is not needed in this testing case. Restart rsyslog with the command below:

/etc/init.d/rsyslog restart

Sentry Configuration

If the Rsyslog server is to receive all logs, configure the settings under Logging > Syslog as shown below, with the desired logging level:

_images/sentrysyslog.png

If specific logs are to be sent to the Rsyslog Server, please follow the next section.

Facilities Configuration

Appliance Configuration

Rsyslog can be set up to send and receive only specific logs. This setup is handled in the Swivel Secure Appliance rsyslog.conf file.

Edit /etc/rsyslog.conf and add the lines below to the end of the file for the specific facilities to be sent to the remote server.

cron.*  @@remote-server:50514
syslog.*  @@remote-server:50514
news.*  @@remote-server:50514
daemon.*  @@remote-server:50514
local0.*  @@remote-server:50514
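As an added example (not part of this article or of Swivel Secure's code), the script below decodes the PRI of constructed RFC 3164 messages into the facility and severity described under Sentry Syslog Standards, applies legacy selectors such as the cron.* rule above to decide which messages are forwarded (a daemon.err selector is added to show that the priority is a minimum severity, not an exact match), and renders the RemInputLogs template path used on the receiving server. The peer address 192.168.1.1 and the sample messages are constructed.

```python
import re

# Syslog PRI = facility * 8 + severity (RFC 3164); facility names as listed in the article.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG, the traditional BSD format the appliance sends.
RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")

def parse(line, from_ip):
    """Decode one message; from_ip is the peer address rsyslog exposes as %FROMHOST-IP%."""
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: " + line)
    facility, severity = divmod(int(m.group(1)), 8)
    return {"facility": FACILITIES.get(facility, f"facility{facility}"), "severity": SEVERITIES[severity],
            "hostname": m.group(3), "programname": m.group(4), "msg": m.group(5), "fromhost_ip": from_ip}

def selector_matches(selector, msg):
    """Legacy 'facility.priority' selector: the priority is a minimum, so 'daemon.err'
    also accepts crit/alert/emerg; '*' on either side matches everything."""
    facility, _, priority = selector.partition(".")
    if facility not in ("*", msg["facility"]):
        return False
    return priority == "*" or SEVERITIES.index(msg["severity"]) <= SEVERITIES.index(priority)

def forwarded_by(rules, msg):
    """Targets (e.g. '@@remote-server:50514') whose selector accepts the message."""
    return [target for selector, target in rules if selector_matches(selector, msg)]

def log_path(msg, template="/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"):
    """Where the receiving server's RemInputLogs template files the message."""
    return template.replace("%FROMHOST-IP%", msg["fromhost_ip"]).replace("%PROGRAMNAME%", msg["programname"])

# Appliance-side rules: cron.* is from the article; daemon.err is an added severity-threshold example.
RULES = [("cron.*", "@@remote-server:50514"), ("daemon.err", "@@remote-server:50514")]

# Constructed sample messages, as the appliance would emit them over TCP.
SAMPLES = [
    "<78>Mar  1 12:00:00 single.local CROND[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "<30>Mar  1 12:00:01 single.local systemd[1]: Started Session 12 of user admin.",
    "<27>Mar  1 12:00:02 single.local systemd[1]: Failed to start tomcat.service.",
]

if __name__ == "__main__":
    for msg in (parse(line, "192.168.1.1") for line in SAMPLES):
        print(msg["facility"], msg["severity"], forwarded_by(RULES, msg) or "dropped", log_path(msg))
```

Running it shows the cron.info and daemon.err messages forwarded and the daemon.info message dropped, which is the behaviour to expect from a threshold selector before checking the /var/log/remotelogs tree on the receiver.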

Run the command below to check the configuration file:

rsyslogd -f /etc/rsyslog.conf -N1

Every modification applied to this file requires rsyslog to be restarted. Run the restart command:

/etc/init.d/rsyslog restart

Sentry Configuration

Sentry has a limitation on Syslog entries: it is not possible to set up a Host with the same name more than once. To work around this limitation, set up as many hosts as needed in the appliance hosts file and configure each facility with a different host name. By default, /etc/hosts contains the line below, and these names can be used as the Host in the syslog configuration:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 single.local

Syslog for cron with log level set to Info:

_images/sentrysyslog2.png

Syslog for syslog with log level set to Warning:

_images/sentrysyslog3.png

Syslog for news with log level set to Error:

_images/sentrysyslog4.png

Syslog for daemon with log level set to Fatal:

_images/sentrysyslog5.png

Syslog for local0 with log level set to Info:

_images/sentrysyslog6.png

Single Sign-On Configuration

In addition to Sentry logs, this configuration will also send SSO portal logs to the remote Rsyslog server. The configuration should be done in 2 steps:

  1. Configure logs to the desired level in General Configuration:
_images/ssosyslog.png
  2. Configure the remote server information and log facility in General Configuration:
_images/ssosyslog2.png