Articles in this section

See more

How to: setup syslog receiver that logs locally and forwards to destination

Avatar
Nadav Lavy
  • Updated
Follow

In certain situations one needs to inspect the output of CloudConnectors in a manner that does not interrupt its normal operation of sending the logs to a (remote) syslog destination.

We will use rsyslog, a syslog service that is installed by default on many Linux distributions.

The setup will output to a local file at /var/log/sk4.log, and set up a local syslog listener at TCP on <machine private ip>:5514

Once the SIEM on CloudConnectors is configured to send there, it'll both persist the events locally in this file AND forward them to an external SIEM destination.

Setup 

  1. Save the below script into a local file, e.g. setup.sh
    #!/usr/bin/env bash

    # setup rsyslog rule to split to both local file and to forward to another TCP destination

    while getopts "p:s:h" opt; do
    case $opt in
    h) HELPONLY=true
    ;;
    p) FWDPORT="$OPTARG"
    ;;
    s) FWDIP="$OPTARG"
    ;;
    \?) echo "Invalid option -$OPTARG" >&2
    ;;
    esac
    done

    LOCAL_TARGET_FILE=/var/log/sk4.log

    print_help(){
    echo "usage: sudo ./setup.sh -s [IP to forward messages to. mandatory] -p [port to forward messages to]"
    echo "locally messages will be logged to $LOCAL_TARGET_FILE"
    }

    if [[ ${HELPONLY} == true ]]; then
    print_help
    exit 0;
    fi

    if [[ -z "$FWDIP" ]]; then
    echo "Target IP was not provided via -s flag. Aborting, here's the help:"
    print_help
    exit 1;
    fi

    if [[ -z "$FWDPORT" ]]; then
    echo "Target port was not provided via -p flag. Aborting, here's the help:"
    print_help
    exit 1;
    fi


    cat <<EOT > /etc/rsyslog.d/20-sk4-local-and-fwd.conf
    # Load Modules
    module(load="imtcp")
    module(load="omfwd")

    ruleset(name="sk4localandsplit"){
    # log locally
    action(type="omfile"
    File="/var/log/sk4.log")
    # forward to somewhere else
    action(type="omfwd"
    Target="$FWDIP"
    Port="$FWDPORT"
    Protocol="tcp")
    # stop propagating this message
    stop
    }

    input(type="imtcp" port="5514" ruleset="sk4localandsplit")
    EOT


    # ensure proper permissions to local file
    touch $LOCAL_TARGET_FILE
    chown syslog:syslog $LOCAL_TARGET_FILE
    chmod 644 $LOCAL_TARGET_FILE

    # apply by restarting rsyslog
    systemctl restart rsyslog


     

  2. change make it executable 
    chmod +x setup.sh
  3. Run it with sudo, provide the target IP and port of the syslog receiver to which you'd like to forward the messages to, e.g.
    sudo ./setup.sh -s 1.2.3.4 -p 1514
  4. Find the private IP of the host, so to configure CloudConnector SIEM integration to send to, by inspecting the output of ifconfig command
  5. Setup SIEM Integration to send to this local IP, on port 5514 - guide

DONE!

 

Related articles

Comments

0 comments

Please sign in to leave a comment.