Ubuntu log integration
Last updated
Log Integration Guide
Log Integration procedure:
Follow these steps to configure log forwarding to a remote syslog server.
Install the rsyslog package, if it is not already installed, with the following command:
# apt-get install rsyslog
Checking rsyslog.conf
Open the rsyslog.conf file located at /etc/rsyslog.conf with the following command:
vim /etc/rsyslog.conf
At the end of the file, look for the following two lines and make sure the second one is uncommented:
#Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
Uncomment the following lines as well:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="12514")
Add the following line at the end of the file:
*.* @<Log Collector IP>:12514
<Log Collector IP>: the log collector IP address of the specific branch.
Save and quit the configuration file.
Open the auditd.conf file located at /etc/audit/auditd.conf with the following command:
# vim /etc/audit/auditd.conf
Set the log_group parameter to syslog so that the audit log is readable by the syslog group:
log_group = syslog
Save and quit the configuration file.
Restart the auditd service so that the change takes effect:
# systemctl restart auditd.service
Create the rsyslog configuration for the audit logs with the following command:
# vim /etc/rsyslog.d/auditlog.conf
and paste the following lines into it:
$ModLoad imfile
# auditd audit.log
# path of the log file to monitor
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local6.* @<Log Collector IP>:12514
<Log Collector IP>: the log collector IP address of the specific branch.
Save and quit the configuration file.
Create the audit rules file with the following command and paste into it the entire content (all lines) of the audit.rules file from the GitHub URL below:
# vim /etc/audit/rules.d/audit.rules
https://github.com/Neo23x0/auditd/blob/master/audit.rules
Save and quit the file.
Restart the rsyslog service:
sudo systemctl restart rsyslog
Verify the rsyslog service status:
sudo systemctl status rsyslog
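The following script is an added example, not part of this guide, that checks the result of the steps above: it verifies that the forwarding lines point at a real collector address on port 12514 (the <Log Collector IP> placeholder has been replaced), that auditd.conf sets log_group = syslog, that the imfile drop-in monitors /var/log/audit/audit.log, and that rsyslog is running. The file paths and the port are assumptions taken from this guide and can be overridden through environment variables; run it with --run on the configured host.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity checks for the
# rsyslog/auditd forwarding configuration described above. Paths and the
# collector port default to the guide's values (assumptions) and can be
# overridden via environment variables, e.g. to test against copies.

RSYSLOG_CONF="${RSYSLOG_CONF:-/etc/rsyslog.conf}"
AUDITD_CONF="${AUDITD_CONF:-/etc/audit/auditd.conf}"
AUDIT_RSYSLOG_CONF="${AUDIT_RSYSLOG_CONF:-/etc/rsyslog.d/auditlog.conf}"
COLLECTOR_PORT="${COLLECTOR_PORT:-12514}"

# 0 if FILE has an uncommented "SELECTOR @<ipv4>:PORT" line (single @ = UDP),
# which also proves the "<Log Collector IP>" placeholder was replaced.
has_forward_rule() {   # $1 = file, $2 = selector such as '*.*' or 'local6.*'
    sel=$(printf '%s' "$2" | sed 's/[.*]/\\&/g')
    grep -Eq "^[[:space:]]*${sel}[[:space:]]+@[0-9]+(\.[0-9]+){3}:${COLLECTOR_PORT}([[:space:]]|\$)" "$1"
}

# 0 if auditd.conf sets log_group = syslog, which lets rsyslog (running as
# the syslog user on Ubuntu) read /var/log/audit/audit.log through imfile.
audit_log_group_ok() {   # $1 = auditd.conf
    grep -Eq '^[[:space:]]*log_group[[:space:]]*=[[:space:]]*syslog[[:space:]]*$' "$1"
}

# 0 if the imfile drop-in loads the module, names audit.log and starts the monitor.
audit_imfile_ok() {   # $1 = rsyslog.d/auditlog.conf
    grep -Eq '^[[:space:]]*\$ModLoad[[:space:]]+imfile' "$1" &&
    grep -Eq '^[[:space:]]*\$InputFileName[[:space:]]+/var/log/audit/audit\.log' "$1" &&
    grep -Eq '^[[:space:]]*\$InputRunFileMonitor' "$1"
}

report() {   # $1 = label, rest = check command; counts failures in $fails
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# Runs all checks against the live host and emits a marker message that can
# be looked for on the collector. Returns the number of failed checks.
check_host() {
    fails=0
    report "rsyslog.conf forwards *.*"        has_forward_rule "$RSYSLOG_CONF" '*.*'
    report "auditlog.conf forwards local6.*" has_forward_rule "$AUDIT_RSYSLOG_CONF" 'local6.*'
    report "auditd.conf log_group = syslog"  audit_log_group_ok "$AUDITD_CONF"
    report "imfile input for audit.log"      audit_imfile_ok "$AUDIT_RSYSLOG_CONF"
    report "rsyslog service active"          systemctl is-active --quiet rsyslog
    logger -p local6.info "log-integration-check $(hostname) $(date +%s)"
    return "$fails"
}

if [ "${1:-}" = "--run" ]; then check_host; fi
```

After running it, search the collector for the "log-integration-check" marker to confirm that messages actually arrive over UDP 12514.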