Ubuntu log integration

Log Integration Guide

Log Integration procedure:

Follow these steps to configure log forwarding to a remote syslog server.

  1. Install the rsyslog package, if it is not already installed, by executing the command below:

# apt-get install rsyslog

  2. Check the rsyslog.conf file

Open the rsyslog.conf file located at /etc/rsyslog.conf with the following command.

vim /etc/rsyslog.conf

At the end of the file, check for the following two lines and uncomment the second one (it makes rsyslog load the drop-in files in /etc/rsyslog.d/, including the audit log configuration created later in this guide):

#Include all config files in /etc/rsyslog.d/

$IncludeConfig /etc/rsyslog.d/*.conf

Uncomment the following lines as well:

# provides UDP syslog reception

module(load="imudp")

input(type="imudp" port="12514")

Add the following line at the end of the file:

*.* @<Log Collector IP>:12514

Log Collector IP: replace <Log Collector IP> with the log collector IP of the specific branch.

Save and quit the configuration file.

Open the auditd.conf file located at /etc/audit/auditd.conf with the following command:

# vim /etc/audit/auditd.conf

and set the following parameter, which makes the audit log group-owned by syslog so that rsyslog can read it:

log_group = syslog

Save and quit the configuration file.

Restart the auditd service to apply the change.

# systemctl restart auditd.service

Create a rsyslog configuration file for the audit logs with the following command:

# vim /etc/rsyslog.d/auditlog.conf

and paste the following lines into it:

$ModLoad imfile

# auditd audit.log
# path of the log file to follow
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# forward everything tagged with the local6 facility to the collector
local6.* @<Log Collector IP>:12514

Log Collector IP: replace <Log Collector IP> with the log collector IP of the specific branch.

Save and quit the configuration file.

Create the audit rules file with the command below and paste into it the entire content (all lines) of the audit.rules file from the following GitHub URL:

# vim /etc/audit/rules.d/audit.rules

https://github.com/Neo23x0/auditd/blob/master/audit.rules

Save and quit the file.

Restart the rsyslog service so that the new configuration takes effect:

sudo systemctl restart rsyslog

Verify the rsyslog service status:

sudo systemctl status rsyslog
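A check of the configuration files this procedure edits, useful when forwarding does not appear on the collector. This is an added example, not part of the original guide: it parses the legacy "@host:port" forwarding syntax used above, reports whether the transport is UDP (single @) or TCP (@@), flags an unreplaced <Log Collector IP> placeholder, and confirms the auditd log_group setting. The sample files and the collector address 192.0.2.10 are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the guide: sanity-check the rsyslog and auditd
# settings produced above. Sample configs and the collector address are constructed.

# Print "host:port" for every legacy forwarding action (@ = UDP, @@ = TCP).
forward_targets() {
    sed -e 's/#.*//' "$1" | awk '$2 ~ /^@/ { sub(/^@@?/, "", $2); print $2 }'
}

# Print udp, tcp or none for the first forwarding action in the file.
forward_transport() {
    local action
    action=$(sed -e 's/#.*//' "$1" | awk '$2 ~ /^@/ { print $2; exit }')
    case "$action" in
        @@*) echo tcp ;;
        @*)  echo udp ;;
        *)   echo none ;;
    esac
}

# Succeed only if the "<Log Collector IP>" placeholder has been replaced.
placeholder_replaced() {
    ! grep -q '<Log Collector IP>' "$1"
}

# Succeed if auditd.conf sets log_group to $2 (default: syslog), which is
# what lets the rsyslog imfile input read /var/log/audit/audit.log.
auditd_log_group_is() {
    awk -F= -v want="${2:-syslog}" '
        $1 ~ /^[ \t]*log_group[ \t]*$/ { gsub(/[ \t]/, "", $2); found = ($2 == want) }
        END { exit !found }' "$1"
}

# Constructed stand-ins for /etc/rsyslog.d/auditlog.conf, an unedited
# forwarding rule, and /etc/audit/auditd.conf.
demo_dir=$(mktemp -d)
printf '%s\n' '$ModLoad imfile' '$InputFileName /var/log/audit/audit.log' \
    '$InputRunFileMonitor' 'local6.* @192.0.2.10:12514' > "$demo_dir/auditlog.conf"
printf '%s\n' '*.* @<Log Collector IP>:12514' > "$demo_dir/unedited.conf"
printf '%s\n' 'log_file = /var/log/audit/audit.log' 'log_group = syslog' > "$demo_dir/auditd.conf"

# Report, as an operator would run it against the real files.
echo "audit logs forwarded to: $(forward_targets "$demo_dir/auditlog.conf") via $(forward_transport "$demo_dir/auditlog.conf")"
if ! placeholder_replaced "$demo_dir/unedited.conf"; then
    echo "unedited.conf still contains the <Log Collector IP> placeholder"
fi
if auditd_log_group_is "$demo_dir/auditd.conf"; then
    echo "auditd.conf: log_group is syslog, rsyslog can read the audit log"
fi
```

On the real host, point the functions at /etc/rsyslog.conf, /etc/rsyslog.d/auditlog.conf and /etc/audit/auditd.conf, and run `rsyslogd -N1` to have rsyslog itself validate the configuration syntax.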
