== Rsyslog Lab ==

In this lab you will set up an rsyslog server for syslog aggregation.

'''Requirements:''' Participants are requested to have a computer with Windows 8/10/11 (8GB RAM, 25GB free disk space) with the VirtualBox hypervisor (version 6 or higher) and PuTTY installed.[[BR]]
In VirtualBox, the 'Extension Pack' (matching your VirtualBox version) should be installed. You may use a VM from a previous lab as the rsyslog client.

'''Virtual Machine (VM) Setup'''

Download the VM from the following link: https://docs.learn.ac.lk/index.php/s/YcojJ2544b40Zw4

Import the VM into VirtualBox.[[BR]]
Username and password: docker[[BR]]
You may have to create a VirtualBox Host-Only Network Adapter:[[BR]]
{{{
File > Host Network Manager > Create
}}}
Test internet connectivity.[[BR]]
Log in to the VM as the root user using PuTTY.

'''Setup Network'''

Connect all VMs to the 'Internal Network'.
{{{
Settings > Network > Adapter 3
}}}
[[Image(internal net.png)]]

Find the interface that belongs to the 'Internal Network':
{{{
ip add
}}}
Edit the network configuration of each VM according to your setup. Add a stanza for the internal-network interface (enp0s9 below; use the name reported by `ip add`) under `ethernets:` in the existing file, leaving the other interfaces as they are, then save and apply:
{{{
vi /etc/netplan/00-installer-config.yaml
}}}
{{{
network:
  version: 2
  ethernets:
    enp0s9:
      addresses: [10.1.1.1/24]
}}}
{{{
:wq
netplan apply
}}}
''Repeat the above steps on each machine, giving every VM a distinct address in the same /24, and test the network connectivity between them (for example with ping).''

'''Rsyslog Server Setup'''

Uncomment the following lines in /etc/rsyslog.conf to enable the UDP and TCP listeners on port 514:
{{{
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
}}}
Add the following lines to /etc/rsyslog.conf directly after the lines above. 192.168.56.0/24 is the rsyslog clients' network; replace it as needed. Note that the legacy directive is `$AllowedSender` (with the leading `$`), and that this line restricts only the TCP listener: the UDP listener enabled above still accepts messages from any host unless a matching `$AllowedSender UDP, ...` line is added. The template writes each message to a file named after the sending host and program; `& ~` then discards the message so it is not also written to the server's default log files (on rsyslog 7 and later `& stop` is the preferred, non-deprecated spelling of `& ~`). Because the rule matches `*.*`, the server's own local messages are stored under its own hostname directory in the same way.
{{{
$AllowedSender TCP, 127.0.0.1, 192.168.56.0/24
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~
}}}
Restart the rsyslog service:
{{{
systemctl restart rsyslog
}}}

'''In Rsyslog Server Clients'''

Append the following to /etc/rsyslog.conf on each client. Replace 192.168.56.10 with the log server's IP address. The `$ActionQueue*` and `$ActionResumeRetryCount` directives apply to the next action defined after them, so they must come before the `*.*` forwarding line as shown here; placed after it, the forwarding action would run without the disk-assisted queue and without unlimited retries. `@@` forwards over TCP, which is what the server's `$AllowedSender TCP` line permits; a single `@` would forward over UDP, where lost messages are never detected and the retry settings have no effect. `$PreserveFQDN on` keeps the client's full hostname, which becomes the directory name in the server's template. The disk queue needs a writable `$WorkDirectory`, which the distribution rsyslog.conf already sets.
{{{
$PreserveFQDN on
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.* @@192.168.56.10:514
}}}
Restart the rsyslog service:
{{{
systemctl restart rsyslog
}}}

'''In Rsyslog Server'''

Verify the logs. The template stores each client's messages in a directory named after that client, so /var/log/ contains one directory per client hostname (plus the server's own); list that directory to see the per-program files (replace CLIENT-HOSTNAME with the directory name shown):
{{{
ls -al /var/log/
ls /var/log/CLIENT-HOSTNAME/
}}}
The contents of a client's directory should be similar to the following, one file per program name:
{{{
05efi.log         50mounted-tests.log   cron.log         logrotate.log                     mysqld.log               rsyncd.log    su.log                             systemd-sysctl.log
10freedos.log     83haiku.log           CRON.log         lvm.log                           networkd-dispatcher.log  rsyslogd.log  systemd.log                        systemd-timesyncd.log
10qnx.log         accounts-daemon.log   dbus-daemon.log  lxd.activate.log                  os-prober.log            sh.log        systemd-logind.log                 systemd-udevd.log
20microsoft.log   apparmor.systemd.log  fwupdmgr.log     macosx-prober.log                 PackageKit.log           snapd.log     systemd-networkd.log               udevadm.log
30utility.log     apport.log            grub-common.log  mariadb-server-10.3.postinst.log  passwd.log               sshd.log      systemd-networkd-wait-online.log   upowerd.log
50-motd-news.log  cloud-init.log        kernel.log       multipathd.log                    polkitd.log              sudo.log      systemd-resolved.log
}}}
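The script below is an added example, not part of the lab page or of rsyslog itself. It generates the server and client configuration covered in the server and client steps above as drop-in files, with both listeners restricted, the queue directives placed before the forwarding action, and TCP forwarding, and it includes a syntax check and an end-to-end test. It assumes a Debian/Ubuntu rsyslog layout (the stock /etc/rsyslog.conf includes /etc/rsyslog.d/*.conf in name order before the default rules in 50-default.conf, so a file named 10-remote-*.conf is processed first), that `rsyslogd -N1` is available for checking, and that the util-linux `logger` is installed on the client. The drop-in file names, the function names and the expected file path printed by the test function are this example's own choices.

```sh
#!/bin/sh
# Added example for the rsyslog lab (not from the lab page). Generates server and
# client drop-ins under /etc/rsyslog.d/, checks them, and sends a test message.
# Assumptions (not stated on the lab page): Debian/Ubuntu rsyslog layout where
# /etc/rsyslog.d/*.conf is included in name order before 50-default.conf,
# rsyslogd supports -N1, and util-linux 'logger' exists on the client.

# gen_server_conf NETWORK: print the aggregation-server config. Both listeners
# are restricted to NETWORK (the lab's single AllowedSender line covered TCP only).
gen_server_conf() {
    net="$1"
    cat <<EOF
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
\$AllowedSender UDP, 127.0.0.1, ${net}
\$AllowedSender TCP, 127.0.0.1, ${net}
# one file per sending host and program; 'stop' is the current spelling of '~'
\$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& stop
EOF
}

# gen_client_conf SERVER_IP: print the client config. The legacy $ActionQueue*
# and $ActionResumeRetryCount directives bind to the NEXT action, so they must
# precede the forwarding rule; '@@' forwards over TCP (a single '@' is UDP).
gen_client_conf() {
    server="$1"
    cat <<EOF
\$PreserveFQDN on
\$ActionQueueFileName queue
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1
*.* @@${server}:514
EOF
}

# install_conf KIND ARG [DIR]: write the generated config to DIR/10-remote-KIND.conf
# (DIR defaults to /etc/rsyslog.d; pass a temp dir to inspect it without root)
# and print the path written. KIND is 'server' (ARG = client network) or
# 'client' (ARG = server IP).
install_conf() {
    kind="$1"; arg="$2"; dir="${3:-/etc/rsyslog.d}"
    file="${dir}/10-remote-${kind}.conf"
    case "$kind" in
        server) gen_server_conf "$arg" > "$file" ;;
        client) gen_client_conf "$arg" > "$file" ;;
        *) echo "install_conf: kind must be server or client" >&2; return 2 ;;
    esac
    echo "$file"
}

# check_conf FILE: syntax-check one drop-in with rsyslogd -N1 before restarting
# the service, so a typo does not take logging down.
check_conf() {
    rsyslogd -N1 -f "$1" >/dev/null 2>&1 || { echo "syntax error in $1" >&2; return 1; }
}

# send_test_message: log one line through the client's LOCAL rsyslog so the
# forwarding rule (and $PreserveFQDN) is exercised end to end. Print the file
# the server is expected to create; the directory name is whatever hostname the
# client sends, normally its FQDN (assumption).
send_test_message() {
    logger -t rsyslog-lab "test message from $(hostname -f)"
    echo "expected on server: /var/log/$(hostname -f)/rsyslog-lab.log"
}

# Typical use on the server:  install_conf server 10.1.1.0/24 && check_conf \
#   /etc/rsyslog.d/10-remote-server.conf && systemctl restart rsyslog
# Typical use on a client:    install_conf client 10.1.1.1 && check_conf \
#   /etc/rsyslog.d/10-remote-client.conf && systemctl restart rsyslog && \
#   send_test_message
```

After restarting both sides, `ls /var/log/` on the server should show a directory for each client, and the test message lands in `rsyslog-lab.log` inside the client's directory because `%PROGRAMNAME%` takes the tag given to `logger -t`.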