Wednesday, November 18, 2015

Setting up a central syslog archive

Working in a large-ish environment, things will occasionally break and leave you trying to recover the pieces. One of the key fixes for this is to set up a central logging server so that you can see logs from all of your network devices at a glance and easily correlate events between them.

I have also recently been looking into the security needs of my environment. One of the top items suggested is a logging archive, that is, an archive of all the logs from critical devices for up to 1 year. These two items are close enough together that we should be able to solve both with 1 solution.

When researching a solution, there were tons available online, some as hosted services, but they all seemed more complex than what I was looking for. I simply wanted a basic log management solution; maybe more in the future, but that is all for now.

I decided to use a Red Hat 7.1 server running rsyslog as the foundation for my solution. I chose Red Hat because it is used extensively in my organization and someone else could easily take it over if I am not available, and rsyslog because it came with RHEL and had good reviews.

Once RHEL was installed, the configuration was fairly simple.
I first started off by adding a second disk for storing the syslog messages. This keeps the message store separate from the system disk, so that a flood of logs cannot fill the root filesystem and a full root filesystem does not stop logging. I decided to store my logs in /var/log/syslog:
mkdir /var/log/syslog
fdisk /dev/sdb                 # create a single partition, /dev/sdb1
mkfs -t xfs /dev/sdb1
vi /etc/fstab                  # add:  /dev/sdb1  /var/log/syslog  xfs  defaults  0 0
mount -a
df -h                          # confirm /var/log/syslog is now on /dev/sdb1

Next was to open the firewall to receive the syslog messages:
firewall-cmd --zone=public --add-port=514/udp --permanent
firewall-cmd --zone=public --add-port=514/tcp --permanent
firewall-cmd --reload
iptables-save                  # verify the two 514 rules are present

Now that the system can receive syslog messages, we need to configure rsyslog to listen for them. To do this, edit the rsyslog.conf file and uncomment the following lines to listen on both TCP and UDP port 514:
vi /etc/rsyslog.conf
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
service rsyslog restart        # on RHEL 7 this is redirected to systemctl restart rsyslog

Once you are receiving syslog messages, the next major hurdle is to separate the logs into separate files. The goal is to have one log file per device so that you can view the logs for a router or switch without having to weed through messages from other devices. To accomplish this, we edit the rsyslog.conf file as shown in http://www.rsyslog.com/storing-messages-from-a-remote-system-into-a-specific-file/.
vi /etc/rsyslog.conf
# Place these lines ABOVE the default rules (the *.info ... /var/log/messages line),
# otherwise remote messages are also written to /var/log/messages before STOP is reached.
# HOSTNAME is self-reported by the sending device, so secpath-replace turns any "/" in it
# into "_"; this keeps the generated filename inside /var/log/syslog.
$template PerHostLog,"/var/log/syslog/%HOSTNAME:::secpath-replace%.log"
if $fromhost-ip startswith '10.' then -?PerHostLog
& STOP
service rsyslog restart
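As an added illustration (my code, not part of the original post and not rsyslog's implementation), the Python below mirrors what the rule above does: accept only senders whose address starts with 10., parse the RFC 3164 header, and map each message to /var/log/syslog/<hostname>.log. Because the hostname comes from the message itself, it is sanitized the way rsyslog's secpath-replace option does, so a sender cannot steer its log file outside the archive directory; the sample messages are constructed.

```python
"""Per-host routing of RFC 3164 syslog lines, modelled on the rsyslog rule:
   if $fromhost-ip startswith '10.' then /var/log/syslog/%HOSTNAME%.log
Illustrative only; constructed sample data, not real device output."""
import re
from pathlib import PurePosixPath
from typing import Optional

ARCHIVE = PurePosixPath("/var/log/syslog")
TRUSTED_PREFIX = "10."          # mirrors: $fromhost-ip startswith '10.'

# <PRI>Mmm dd hh:mm:ss HOSTNAME rest-of-message  (RFC 3164 header)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<rest>.*)$")
# A hostname that may be used verbatim as a filename component.
SAFE_HOST = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def parse(line: str) -> Optional[dict]:
    """Split the header; return None for lines that are not RFC 3164."""
    m = HEADER.match(line)
    if not m or int(m["pri"]) > 191:       # PRI is facility*8 + severity, max 191
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m["host"], "msg": m["rest"]}


def safe_hostname(host: str) -> str:
    """Like rsyslog's secpath-replace: no '/' or leading '.' reaches the path."""
    if SAFE_HOST.match(host):
        return host
    cleaned = re.sub(r"[^A-Za-z0-9.-]", "_", host).lstrip(".")
    return cleaned or "invalid-host"


def route(line: str, src_ip: str) -> Optional[PurePosixPath]:
    """Archive file for one message, or None if the sender is not in 10.x."""
    if not src_ip.startswith(TRUSTED_PREFIX):
        return None
    parsed = parse(line)
    # rsyslog falls back to the sender address when no hostname can be parsed
    host = safe_hostname(parsed["host"]) if parsed else src_ip
    return ARCHIVE / f"{host}.log"


if __name__ == "__main__":
    sample = "<134>Nov 18 10:00:01 core-sw1 %LINK-3-UPDOWN: Gi1/0/1 changed state to up"
    print(route(sample, "10.1.1.5"))       # /var/log/syslog/core-sw1.log
```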

Lastly, configure logrotate to manage the logs on the system:
vi /etc/logrotate.d/syslog
/var/log/syslog/*.log
{
    copytruncate              # copy then truncate in place, so rsyslog keeps its open file handles
    rotate 365                # keep 365 rotated files ...
    daily                     # ... rotated once a day = one year of history
    missingok
    dateext                   # name rotations by date (core-sw1.log-20151118) rather than .1, .2
    notifempty
    delaycompress             # leave the newest rotation uncompressed for quick review
    create 664 root root      # has no effect together with copytruncate, but is harmless
    compress
    maxage 366                # delete anything older than a year even if rotate count is not reached
    sharedscripts
    lastaction
        /bin/systemctl restart rsyslog.service    # not strictly required with copytruncate
    endscript
}
This should keep a year's worth of logs in one place for easy review. Next, my goal is to send Windows event logs to this server, and to use this system as a feed for a SIEM or ELK solution.
