Logs are very useful for administrators, but a lot of logs are cumbersome. Logging can be critical to troubleshooting when some events run incorrectly, especially on security-related issues. But if the attacker harms your host, the log will tell you that this is useful for the host; you need to send a message to the data center. Protecting logs is very important, and a central log server makes it easier to manage, analyze, and find them. In response to this, I will show you how to collect the system logs of multiple hosts into one host for management, that is, the central syslog server on Linux.
First, all centralized syslog server host should build a secure and hardened. There is nothing on the host about protecting and centralizing your logs. Second, how can you get logs from your host?
let's install a central syslog server. I will give an example of the actual standard Linux system log if using rSyslog. Ubuntu and Red Hat often use it and manage it via the file /etc/rsyslog.conf. The file contains a number of specific special system logs: some are console, some are file or other.
First of all, we need to load the appropriate TCP and UDP plug-in to support the system log. Add the following code to the head rsyslog.conf:
$ modloadimtcp
$ modloadimudp
$ In put TCP Server Run 10514
$ UDP Server Run 514
loaded modules can support both TCP and UDP port monitoring, and to specify which port to receive events, in this case, use port 514 TCP and UDP port 10514 of. You need to check the local firewall (between your host and a central syslog server's firewall)
Now we need to specify some of the rules to tell rSyslog amp input event is. If you don't add any rules, the input events will be processed according to local rules and intertwined with events from the local host. We need local processing and before the system logs to correct specified in this rule after the addition of the above section, for example:
if $ from host-ipisequal '192.168.0.2' then /var /log /192.168.0.2.log
& ~
here we say every one from the system log of 192.168.0.2 should be kept in /var/log/192.168.0.2.log file. The &~ symbol is very important because it tells rSyslog to stop processing messages. If you forget it, the message will go over the next rule and continue processing. There are other variables in this rule. For example:
if $ from host-ipstart swith 192.168.'then /var /log /192.168.log
& ~
192.168 * Here we replaced. All IP addresses starting with this are written to the /var/log/192.168.log file. You can also see some other filters.
you will need to restart the rsyslog service to activate the new configuration we do:
$ sudo servicer syslogre start
now, the host of the sender, we also need to make some changes to the file rsyslog.conf, at the top of the file, add the following line:.
* * @@ 192.168.0.1:10514
which is sent to all events, From all source code and all important levels (with *.*), pass the TCP protocol to port 10514 with IP address 192.168.0.1. You can replace this IP address with the address of your environment. To enable this configuration, you will need to restart rSyslog on the host. You can
/TLS further send your system logs via SSL. If you transfer system logs between the Internet or other networks, this is no harm, you may find a simple explanation of this.
Now, if you give a configuration management system (if you do not use this, or you can try Cfengine Puppet tool) to add this configuration, then you can use the appropriate system log to effectively configure each Host to make sure your logs will be sent to the central syslog server.