Rsyslog Integration¶
Description¶
This article is an example of Rsyslog Server integration with Swivel Secure Appliance. Any Operating System that supports Rsyslog Server can be configured with the information given. If further details on Rsyslog Server are required, please have a look at this documentation, which explains Rsyslog Server fully.
Appliance Compatibility¶
- AuthControl Sentry 4.0.x or higher
- Rsyslog 5.8 or higher
For demonstration purposes, this example integration has been done with:
- Swivel Secure Appliance Operating System: CentOS 6
- Swivel Secure Core Version: 4.1.2
- Rsyslog Server Operating System: Debian
- Kernel: Linux debian 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64 GNU/Linux
Sentry Syslog Standards¶
When logs are collected with syslog mechanism, three important things must be taken into consideration:
- Facility level: what type of processes to monitor
- Severity (priority) level: what type of log messages to collect
- Host: appliance host detail
The facility levels define a way to categorize internal system processes. Some of the common standard facilities in Swivel Secure Appliance are:
- kern: messages related to the kernel
- user: user-level messages
- mail: messages related to internal mail servers
- daemon: messages related to daemons (internal servers)
- auth: messages related to authentication (login)
- syslog: messages related to the syslog daemon itself
- lpr: messages related to print servers
- news: network news subsystem
- uucp: Unix-to-Unix copy subsystem
- cron: messages related to scheduled processes or applications
- authpriv: security/authentication messages
- ftp: messages related to ftp servers
- local0 - local7: messages defined by user (local7 is usually used by Cisco and Windows servers)
The severity level is the minimum level of logging entries that will be sent to the external syslog server. Logging to a syslog server may be disabled entirely by selecting Off. These are the levels of logging:
- Fatal
- Error
- Warning
- Info
- Off
Rsyslog Configuration in Remote Server¶
It is assumed that the rsyslog server is installed and running on the remote machine. By default, the UDP port used for communication is 514; the TCP port has been set to 50514. The TCP port can be changed according to the user's needs. Edit the /etc/rsyslog.conf file and apply the changes below.
Modules Configuration¶
module(load="imuxsock") # provides support for local system logging
module(load="imklog") # provides kernel logging support
UDP Reception Configuration¶
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
TCP Reception Configuration¶
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="50514")
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"
*.* ?RemInputLogs
Global Directives Configuration¶
Uncomment and edit, or add, the lines below to set up the configuration for the Swivel Secure Appliance sender host(s).
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$AllowedSender UDP, network_ip_range, [::1]/128, appliance-dns-or-hostname
After making all changes and additions, restart rsyslog to apply them.
systemctl restart rsyslog
Logs Folder¶
All logs will be placed according to the template configured in the TCP syslog reception section above. The logs path will be /var/log/remotelogs/192.168.1.1, for example.
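To check the server side of this setup without a Swivel appliance at hand, the following added example (not part of the original article or of Swivel's own tooling) sends one constructed cron message over TCP with the one-message-per-line framing imtcp uses by default, and works out the file the RemInputLogs template above would write it to. The stub receiver on 127.0.0.1 with an ephemeral port is a stand-in for the real rsyslog server listening on 50514; the hostname "sentry" and the message text are constructed sample values.

```python
import re
import socket
import threading
from datetime import datetime

LOG_ROOT = "/var/log/remotelogs"  # root used by the article's RemInputLogs template

def build_message(pri, hostname, tag, text, when):
    """RFC 3164 style line: <PRI>Mmm dd hh:mm:ss host tag: text"""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"

def template_path(sender_ip, message):
    """Replicate "%FROMHOST-IP%/%PROGRAMNAME%.log": PROGRAMNAME is the tag
    with any "[pid]" suffix and the trailing colon stripped."""
    m = re.match(r"<\d+>\S+\s+\d+\s+\S+\s+\S+\s+([^:\s\[]+)", message)
    if not m:
        raise ValueError("not a BSD-syslog message: " + message)
    return f"{LOG_ROOT}/{sender_ip}/{m.group(1)}.log"

def send_tcp(host, port, message):
    """imtcp default framing: one message per line, terminated by LF."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(message.encode() + b"\n")

def stub_receiver():
    """Stand-in for rsyslog imtcp: accept one connection, read one LF-framed line."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port here; the article's server listens on 50514
    srv.listen(1)
    got = {}

    def run():
        conn, addr = srv.accept()
        with conn, srv:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
                if data.endswith(b"\n"):
                    break
        got["ip"], got["line"] = addr[0], data.rstrip(b"\n").decode()

    worker = threading.Thread(target=run, daemon=True)
    worker.start()
    return srv.getsockname()[1], worker, got

def demo():
    """Send one constructed cron message (PRI 78 = cron.info) and report where it lands."""
    port, worker, got = stub_receiver()
    msg = build_message(78, "sentry", "crond[4242]", "(root) CMD (run-parts /etc/cron.hourly)",
                        datetime(2021, 1, 30, 12, 0, 0))
    send_tcp("127.0.0.1", port, msg)
    worker.join(5)
    return got.get("line") == msg, template_path(got["ip"], got["line"])
```

Against a real server, replace the stub with the rsyslog host and port 50514 and confirm that /var/log/remotelogs/<appliance-ip>/crond.log appears.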
Appliance Syslog Configuration¶
Appliance Configuration¶
The steps below require access to the Command Line Interface. Edit /etc/rsyslog.conf and follow the steps below.
Uncomment the lines under UDP syslog reception:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
Add $AllowedSender after the default timestamp format line:
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$AllowedSender UDP, 127.0.0.1/32, [::1]/128, appliance-dns-or-hostname
Add, as the last line of rsyslog.conf, all logging information that should be sent to the Rsyslog Server, along with the Rsyslog server information. If all logs are to be sent, simply add the line below:
*.* @@remote-server:50514
Run the command below to check the configuration file. It should output as shown below:
rsyslogd -f /etc/rsyslog.conf -N1
The error message is due to not having a DNS setup, which is not needed in this testing case. Restart rsyslog with the command below:
/etc/init.d/rsyslog restart
Sentry Configuration¶
If the Rsyslog server is to receive all logs, set up the syslog entry under Logging > Syslog as shown below, with the desired logging level:
If the user wants to send only specific logs to the Rsyslog Server, please follow the next section.
Facilities Configuration¶
Appliance Configuration¶
Rsyslog can be set up to send and receive specific logs. This setup is handled in the Swivel Secure Appliance rsyslog.conf file.
Edit /etc/rsyslog.conf and add the lines below at the end of the file for the specific facilities to be sent to the remote server.
cron.* @@remote-server:50514
syslog.* @@remote-server:50514
news.* @@remote-server:50514
daemon.* @@remote-server:50514
local0.* @@remote-server:50514
Run the command below to check the configuration file:
rsyslogd -f /etc/rsyslog.conf -N1
Every modification applied to this file requires rsyslog to be restarted. Run the restart command:
/etc/init.d/rsyslog restart
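The facility and severity codes from the Sentry Syslog Standards section and the per-facility forwarding rules just added are tied together in this added example (not code from the article or from Swivel): it computes the PRI value that precedes each syslog message, decodes it back, and evaluates rsyslog's legacy "facility.priority" selectors so you can predict which of the appliance's rules will forward a given message. Facility codes 12 to 15 are omitted because the article does not list them; the selector matcher handles one selector at a time, so a "none" exclusion combined with other selectors on the same line is not modelled.

```python
# Standard syslog facility and severity codes (RFC 3164 / rsyslog names)
FACILITY_CODES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}

def pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. cron.info -> <78>."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]

def decode_pri(value):
    """Split a PRI back into (facility name, severity name)."""
    fac, sev = divmod(value, 8)
    fac_name = {v: k for k, v in FACILITY_CODES.items()}.get(fac, f"facility{fac}")
    sev_name = {v: k for k, v in SEVERITY_CODES.items()}[sev]
    return fac_name, sev_name

def selector_matches(selector, facility, severity):
    """Evaluate one rsyslog legacy selector ("cron.*", "daemon.err", "*.=crit",
    "mail,news.none") against a message's facility and severity names."""
    facs, prio = selector.rsplit(".", 1)
    if facs != "*" and facility not in facs.split(","):
        return False
    if prio == "*":
        return True
    if prio == "none":
        return False
    if prio.startswith("="):  # exactly this severity
        return SEVERITY_CODES[severity] == SEVERITY_CODES[prio[1:]]
    # "daemon.err" means err and anything more severe (numerically lower)
    return SEVERITY_CODES[severity] <= SEVERITY_CODES[prio]

def forwarded_by(rules, facility, severity):
    """Return the rules whose selector forwards a message with this facility/severity."""
    return [r for r in rules if selector_matches(r.split()[0], facility, severity)]

# The five per-facility rules the article adds to the appliance's rsyslog.conf
APPLIANCE_RULES = [
    "cron.* @@remote-server:50514",
    "syslog.* @@remote-server:50514",
    "news.* @@remote-server:50514",
    "daemon.* @@remote-server:50514",
    "local0.* @@remote-server:50514",
]
```

With these rules an auth or authpriv message is not forwarded at all, which is worth knowing before relying on the remote server for authentication-related evidence.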
Sentry Configuration¶
Sentry has a limitation on Syslog entries: it is not possible to set up a Host with the same name more than once. To work around this limitation, set up as many hosts as needed in the appliance hosts file and configure each facility with a different host name. By default, /etc/hosts contains the line below, and the names in it can be used as the Host in the syslog configuration:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 single.local
Syslog for cron with log level set to Info:
Syslog for syslog with log level set to Warning:
Syslog for news with log level set to Error:
Syslog for daemon with log level set to Fatal:
Syslog for local0 with log level set to Info:
Single Sign-On Configuration¶
In addition to Sentry logs, this configuration will also send SSO portal logs to the remote Rsyslog server. Configuration is done in two steps:
- Configure logs to the desired level in General Configuration:
- Configure the remote server information and log facility in General Configuration: