Csle2022/Agenda/rSyslog – Learn Workshops

wiki:Csle2022/Agenda/rSyslog

Context Navigation

Rsyslog Lab

In this lab, you will setup rsyslog server for syslog aggregation.

Requirements:

Participants are requested to have a computer with Windows 8/10/11 (8GB RAM, 25GB free disk space) with Virtualbox (version 6 or higher) hypervisor and PuTTY installed.

In Virtualbox, 'Extension pack' (according to your Virtualbox version) should be installed.

You may use other previous VM as a rsyslog client.

Virtual Machine (VM) Setup

Download VM from the following Link.

https://docs.learn.ac.lk/index.php/s/YcojJ2544b40Zw4

Import the VM to Virtualbox.

Username and Password: docker

May have to create Virtualbox Host-Only Network Adapter

File > Host Network Manager > Create

Test internet connectivity.

Setup Network

Connect all VMs to 'Internal Network'.

Settings > Network > Adpater 3

Find the 'Internal Network' network interface.

ip add

Edit network configurations of VMs according to your setups.

vi /etc/netplan/00-installer-config.yaml

 enp0s9:
   addresses: [10.1.1.1/24]
:wq
netplan apply

Repeat the above steps in each machine accordingly and test the network connectivity.

Rsyslog Server Setup

Uncomment the following lines in /etc/rsyslog.conf.

module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

Add the following lines to /etc/rsyslog.conf after the above last line. 192.168.56.0/24 is the rsyslog clients’ network. Replace it as needed.

AllowedSender TCP, 127.0.0.1, 192.168.56.0/24
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~

Restart rsyslog service

systemctl restart rsyslog

In Rsyslog Server Clients

Append the following to /etc/rsyslog.conf. Replace 192.168.56.10 with the log server IP address.

$PreserveFQDN on
*.* @192.168.56.10:514
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

Restart rsyslog service

systemctl restart rsyslog

In Rsyslog Server

Verify logs

ls -al /var/log/<rsyslog client name>

The output should be similar to the following.

05efi.log         50mounted-tests.log   cron.log         logrotate.log                     mysqld.log               rsyncd.log    su.log                            systemd-sysctl.log
10freedos.log     83haiku.log           CRON.log         lvm.log                           networkd-dispatcher.log  rsyslogd.log  systemd.log                       systemd-timesyncd.log
10qnx.log         accounts-daemon.log   dbus-daemon.log  lxd.activate.log                  os-prober.log            sh.log        systemd-logind.log                systemd-udevd.log
20microsoft.log   apparmor.systemd.log  fwupdmgr.log     macosx-prober.log                 PackageKit.log           snapd.log     systemd-networkd.log              udevadm.log
30utility.log     apport.log            grub-common.log  mariadb-server-10.3.postinst.log  passwd.log               sshd.log      systemd-networkd-wait-online.log  upowerd.log
50-motd-news.log  cloud-init.log        kernel.log       multipathd.log                    polkitd.log              sudo.log      systemd-resolved.log

Last modified 17 months ago Last modified on Nov 29, 2022, 8:15:40 AM

Attachments (1)

internal net.png (31.0 KB ) - added by dushmantha 18 months ago.

Download all attachments as: .zip

Note: See TracWiki for help on using the wiki.

Download in other formats:

Plain Text