# Ubuntu log integration

**Log Integration Guide**

**Log Integration procedure:**

Follow these steps to configure log forwarding to a remote syslog server.

1. Install the rsyslog package, if it is not already installed, by running the command below:

`# apt-get install rsyslog`

2. Check rsyslog.conf

Open the rsyslog.conf file located at /etc/rsyslog.conf with the following command.

`vim /etc/rsyslog.conf`

At the end of the file, check for the following lines and uncomment the second line:

`#Include all config files in /etc/rsyslog.d/`

`$IncludeConfig /etc/rsyslog.d/*.conf`

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MMRHZBPHlLDUc8519fX%2Fuploads%2FPO9QOoHps2pYwwBUIDGB%2Fcf9a3b3d%20e32e%204e34%20a333%2080b66317911f.png?alt=media)

Uncomment the lines below as well:

`# provides UDP syslog reception`

`module(load="imudp")`

`input(type="imudp" port="12514")`

![Screenshot](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MMRHZBPHlLDUc8519fX%2Fuploads%2F7GGYFpstjvEz7tlaJ0H4%2F577ffb71%20923d%204f6f%20807f%209b7bcaf767e2.png?alt=media)

Add the line below at the end of the file.

`*.* @<Log Collector IP>:12514`

Log Collector IP: \[Log Collector IP of specific branch]

![Screenshot](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MMRHZBPHlLDUc8519fX%2Fuploads%2FZuVUVFVJ7yjl6oYdMQ1N%2F4a7caae9%20c0c9%20452c%208a1e%204ad676c894b0.png?alt=media)

Save and quit the configuration file.

Open the **auditd.conf** file located at **/etc/audit/auditd.conf** with the following command and set the parameter shown below.

`# vim /etc/audit/auditd.conf`

`log_group = syslog`

Save and quit the config file.

Restart the auditd service to apply the changes.

`# systemctl restart auditd.service`

Create the log configuration for audit logs with the following command:

`# vim /etc/rsyslog.d/auditlog.conf`

and paste the following lines:

`$ModLoad imfile`

`#auditd audit.log`

`$InputFileName /var/log/audit/audit.log ##path of log file`

`$InputFileTag tag_audit_log:`

`$InputFileStateFile audit_log`

`$InputFileSeverity info`

`$InputFileFacility local6`

`$InputFilePollInterval 1`

`$InputFilePersistStateInterval 1`

`$InputRunFileMonitor`

`local6.* @<Log Collector IP>:12514`

Log Collector IP: \[Log Collector IP of specific branch]

Save and quit the configuration file.

![](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MMRHZBPHlLDUc8519fX%2Fuploads%2FaMwd4RryJNxgLgDGfPEY%2Fbb097092%20ac8b%2041bb%208dc9%2031ef55ee47b4.png?alt=media)

Create the file below with the following command and paste into it the entire content (all lines) of the file at the Git URL:

`# vim /etc/audit/rules.d/audit.rules`

<https://github.com/Neo23x0/auditd/blob/master/audit.rules>

Save and quit the file.

Restart the rsyslog service:

`sudo systemctl restart rsyslog`

Verify the rsyslog status:

`sudo systemctl status rsyslog`

![Screenshot](https://2078222076-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MMRHZBPHlLDUc8519fX%2Fuploads%2FpdgavK3eoJDOgEbNeCkm%2F566c884d%20a91f%204bc3%209b7d%20254ab3ee70d6.png?alt=media)
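A running service does not prove the forwarding rules are right, so the following added example (not part of the original guide) checks the configuration files themselves. It lists each forwarding rule with its transport (a single `@` is UDP, `@@` is TCP), flags a `<Log Collector IP>` placeholder that was never replaced, and confirms the audit.log input is active and forwarded. The function names and the collector address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Print "selector|proto|host|port" for each legacy forwarding rule in file $1.
# In rsyslog legacy syntax a single "@" forwards over UDP and "@@" over TCP.
forward_rules() {
    awk '
        /^[ \t]*#/ || !/[ \t]@/ { next }          # skip comments and non-forwarding lines
        {
            sel = $1
            tgt = $0; sub(/^[^@]*/, "", tgt)       # keep everything from the first "@"
            proto = (tgt ~ /^@@/) ? "tcp" : "udp"
            sub(/^@+/, "", tgt); sub(/[ \t]+$/, "", tgt)
            host = tgt; port = "514"               # rsyslog default when no port is given
            if (tgt ~ /:/) { port = tgt; sub(/^.*:/, "", port); sub(/:[^:]*$/, "", host) }
            print sel "|" proto "|" host "|" port
        }' "$1"
}

# Exit status: 0 = usable rule, 1 = no forwarding rule, 2 = "<Log Collector IP>" not replaced.
check_forwarding() {
    rules=$(forward_rules "$1")
    [ -n "$rules" ] || return 1
    case "$rules" in *'<'*) return 2 ;; esac
    return 0
}

# The imfile stanza must read audit.log, be activated, and have its facility forwarded.
check_audit_input() {
    grep -Eq '^\$InputFileName[[:space:]]+/var/log/audit/audit\.log' "$1" || return 1
    grep -q '^\$InputRunFileMonitor' "$1" || return 1
    fac=$(awk '$1 == "$InputFileFacility" { print $2 }' "$1")
    [ -n "$fac" ] || return 1
    forward_rules "$1" | grep -Eq "^(${fac}\.\*|\*\.\*)\|"
}

# Constructed sample: the guide's auditlog.conf with a documentation-range collector address.
sample_auditlog_conf() {
    printf '%s\n' '$ModLoad imfile' \
        '$InputFileName /var/log/audit/audit.log ##path of log file' \
        '$InputFileTag tag_audit_log:' '$InputFileStateFile audit_log' \
        '$InputFileSeverity info' '$InputFileFacility local6' \
        '$InputRunFileMonitor' 'local6.* @192.0.2.10:12514'
}

# Usage: sh check.sh /etc/rsyslog.conf /etc/rsyslog.d/auditlog.conf
for f in "$@"; do
    forward_rules "$f"
    check_forwarding "$f" || echo "$f: forwarding check failed (status $?)"
done
```

On the host itself, `rsyslogd -N1` validates the configuration syntax before the restart, and `logger -p local6.info "forwarding test"` emits a message that should then arrive at the Log Collector.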
