Rsyslog: Difference between revisions
(Created page with "Category:Syslog") |
No edit summary |
[[Category:Syslog]] | [[Category:Syslog]] | ||
==Logging via TLS== | |||
===Server=== | |||
/etc/rsyslog.d/syslog-server.conf | |||
<SyntaxHighlight> | |||
# | |||
## Set the certificates to use | |||
# | |||
global( | |||
DefaultNetstreamDriver="gtls" | |||
DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem" | |||
DefaultNetstreamDriverCertFile="/etc/rsyslog.d/syslog.server.de-cert.pem" | |||
DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/syslog.server.de-key.pem" | |||
) | |||
# | |||
## load input module TCP and force TLS | |||
# | |||
module( | |||
load="imtcp" | |||
StreamDriver.Name="gtls" | |||
StreamDriver.Mode="1" | |||
StreamDriver.Authmode="anon" | |||
) | |||
# | |||
## Dynamic file template for logging into <host>/facility>.log | |||
# | |||
template (name="DynFile" type="string" string="/var/log/remote/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log") | |||
# | |||
## Ruleset to log with the dynamic file name "DynFile" from above | |||
# | |||
ruleset(name="fromremote") { | |||
action(type="omfile" dynafile="DynFile") | |||
stop | |||
} | |||
# | |||
## start up TCP listener at port 6514 and bind ruleset "fromremote" from above | |||
# | |||
input( | |||
type="imtcp" | |||
port="6514" | |||
ruleset="fromremote" | |||
) | |||
</SyntaxHighlight> | |||
===Client=== | |||
/etc/rsyslog.d/syslog-client.conf | |||
<SyntaxHighlight> | |||
# | |||
## Set CA certificate to use | |||
# | |||
global( | |||
DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem" | |||
) | |||
# | |||
## Set up the action for logging to remote syslog server with TLS | |||
# | |||
ruleset(name="remotesyslog") { | |||
action( | |||
name="syslogserver" | |||
type="omfwd" | |||
protocol="tcp" | |||
target="syslog.server.de" | |||
port="6514" | |||
StreamDriver="gtls" | |||
StreamDriverMode="1" | |||
StreamDriverAuthMode="anon" | |||
) | |||
} | |||
</SyntaxHighlight> | |||
/etc/rsyslog.d/firewall.frule | |||
<SyntaxHighlight> | |||
# | |||
# firewall messages into separate file and stop their further processing | |||
# | |||
if ($syslogfacility-text == 'kern') and \ | |||
($msg contains 'IN=' and $msg contains 'OUT=') \ | |||
then { | |||
-/var/log/firewall | |||
call remotesyslog | |||
stop | |||
} | |||
</SyntaxHighlight> | |||
/etc/rsyslog.d/auth.frule | |||
<SyntaxHighlight> | |||
if ( $syslogtag == 'login:' ) or \ | |||
( ( $programname == 'sshd' ) and \ | |||
( \ | |||
( $msg contains 'Accepted publickey for' ) or \ | |||
( $msg contains 'Received disconnect' ) or \ | |||
( $msg contains 'Disconnected from user' ) \ | |||
) \ | |||
) \ | |||
then { | |||
-/var/log/auth.log | |||
call remotesyslog | |||
stop | |||
} | |||
</SyntaxHighlight> |
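Review bot: Both ends run with AuthMode "anon" (StreamDriver.Authmode="anon" in the server's imtcp module, StreamDriverAuthMode="anon" in the client's omfwd action), so the certificates only provide encryption: the client never validates the server certificate against the CA file, and the server accepts any host that can reach port 6514 and lets it write files under /var/log/remote/<host>/. On the client use `StreamDriverAuthMode="x509/name"` together with `StreamDriverPermittedPeers="syslog.server.de"` (and give the client its own cert/key in global(), since the gtls driver expects one in x509 modes); on the server use `StreamDriver.AuthMode="x509/certvalid"`, or x509/name plus a PermittedPeer list, so only CA-signed client certificates are accepted. Separately, the *.frule files are not matched by the usual `/etc/rsyslog.d/*.conf` include, so they need an explicit include to take effect.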
Revision as of 14:47, 23 March 2023
Logging via TLS
Server
/etc/rsyslog.d/syslog-server.conf
#
## TLS identity of this server (gtls driver): the CA used to validate
## peers, plus the server's own certificate and private key.
## NOTE(review): keep the key file readable only by the user rsyslog
## runs as (e.g. mode 0600) — verify the file permissions on the host.
#
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/syslog.server.de-key.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/syslog.server.de-cert.pem"
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
)
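#
## Load the TCP input and force TLS on it (StreamDriver.Mode 1 = TLS only).
## AuthMode "x509/certvalid" makes every client present a certificate
## signed by the CA from global() above; with "anon" any host that can
## reach the port could connect and create files under /var/log/remote.
## Stricter still: AuthMode="x509/name" plus PermittedPeer=["client.fqdn"]
## accepts only the named client certificates.
#
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.AuthMode="x509/certvalid"
)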
#
## Dynamic file name template: one file per sending host and facility,
## /var/log/remote/<host>/<facility>.log
## NOTE(review): %FROMHOST% is the peer name as rsyslog determines it
## (a reverse DNS lookup of the peer address when DNS lookups are enabled);
## %FROMHOST-IP% would key the directory on the peer address instead and
## avoid the DNS dependency — confirm which behaviour is wanted.
#
template (name="DynFile" type="string" string="/var/log/remote/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log")
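#
## Ruleset for remote messages: write them to the per-host/per-facility
## file named by the "DynFile" template and stop further processing.
## fileCreateMode: remote hosts ship auth and firewall logs here, so new
## files are created without world-read access (omfile's default is 0644).
#
ruleset(name="fromremote") {
    action(
        type="omfile"
        dynafile="DynFile"
        fileCreateMode="0640"
    )
    stop
}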
#
## TLS listener on port 6514 (syslog over TLS); everything received here
## is handed to the "fromremote" ruleset defined above.
#
input(type="imtcp" port="6514" ruleset="fromremote")
Client
/etc/rsyslog.d/syslog-client.conf
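#
## Client TLS identity: the CA that signed the server certificate, plus this
## client's own certificate and key (the gtls driver expects a cert/key pair
## on the client whenever an x509 AuthMode is used, and it lets the server
## authenticate the client). Replace <client-fqdn> with this host's name as
## it appears in its certificate.
#
global(
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/<client-fqdn>-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/<client-fqdn>-key.pem"
)
#
## Forward to the central syslog server over TLS.
## AuthMode "x509/name" validates the server certificate against the CA and
## requires its name to match StreamDriverPermittedPeers; with "anon" the CA
## file is never consulted and anyone on the path could impersonate the
## server and read the forwarded logs.
## The in-memory queue and unlimited retries keep messages while the server
## is unreachable instead of dropping them after the first failed retry.
#
ruleset(name="remotesyslog") {
    action(
        name="syslogserver"
        type="omfwd"
        protocol="tcp"
        target="syslog.server.de"
        port="6514"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="syslog.server.de"
        queue.type="LinkedList"
        action.resumeRetryCount="-1"
    )
}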
/etc/rsyslog.d/firewall.frule (note: the stock rsyslog.conf only includes /etc/rsyslog.d/*.conf, so the *.frule files below must be included explicitly, e.g. include(file="/etc/rsyslog.d/*.frule"), for these rules to take effect)
#
# Netfilter messages (kernel facility, lines carrying both IN= and OUT=):
# write them to their own file, forward a copy to the central server via
# the "remotesyslog" ruleset, and stop further processing.
#
if $syslogfacility-text == 'kern' and $msg contains 'IN=' and $msg contains 'OUT=' then {
    action(type="omfile" file="/var/log/firewall")
    call remotesyslog
    stop
}
/etc/rsyslog.d/auth.frule
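#
# Interactive authentication events: console logins (syslogtag "login:") and
# the relevant sshd messages. Besides successful public-key logins and
# session ends, failed and password logins and unknown-user attempts are
# matched too, since the central server needs those to spot brute forcing.
# The sshd message texts are those of current OpenSSH — check them against
# the installed version.
#
if ( $syslogtag == 'login:' ) or \
   ( ( $programname == 'sshd' ) and \
     ( \
       ( $msg contains 'Accepted publickey for' ) or \
       ( $msg contains 'Accepted password for' ) or \
       ( $msg contains 'Failed password for' ) or \
       ( $msg contains 'Invalid user ' ) or \
       ( $msg contains 'Received disconnect' ) or \
       ( $msg contains 'Disconnected from user' ) \
     ) \
   ) \
then {
    action(type="omfile" file="/var/log/auth.log")
    call remotesyslog
    stop
}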