Syslog – Enabling rsyslog for Ubuntu

In this article we are going to talk about deploying syslog on Ubuntu. Since syslog is already installed on Ubuntu this will be a fairly short article, in theory. Despite that, this is really a “foundation” type subject and is worth talking about.

In this lab example I am using a standard Ubuntu image with 1 CPU, 1 G of memory, and a 16 G disk. My lab image uses the address 192.168.160.18, and the host name is set to “syslog”.

I am setting up NTP to sync to a local NTP server that is serving as my Stratum 1 source. In my lab environment I am using 192.168.160.18 for the NTP server. I will install a few items that are not installed by default.

We are going to review the following components:

  • Establishing Time – Configure NTP
  • Install rsyslog
  • Enabling traditional TCP/UDP 514 for SYSLOG
  • Configuring Multipath DM
  • Troubleshoot/test

PART 1: Establishing Time

root@syslog:/var/log# apt-get install ntp -y

and

root@syslog:/var/log# apt-get install ntpdate -y

PART 2: Installing rsyslog

root@syslog:/var/log# apt-get install rsyslog
Reading package lists... Done
Building dependency tree
Reading state information... Done
rsyslog is already the newest version (8.32.0-1ubuntu7).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

This output confirms what I have already stated: rsyslog is already installed and, at the time of this writing, is up to date.

PART 3: Enable traditional network SYSLOG messages

It’s funny, but the system comes configured to syslog some traffic. It does NOT, however, listen by default for traditional UDP 514 and TCP 514 syslog traffic. To enable this we are going to need to do a bit of editing.

Change over to /etc and edit rsyslog.conf:

root@syslog:/etc# vim rsyslog.conf

You are going to need to scroll down a few lines and uncomment the beginning of four lines. This enables the UDP and TCP listeners on port 514.
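For reference, the four stock lines in the Ubuntu 18.04 rsyslog.conf are `module(load="imudp")`, `input(type="imudp" port="514")` and the matching two `imtcp` lines. The excerpt below is an added example, not the article’s own configuration: it keeps those four lines but binds the listeners to the lab address and routes remote messages into one file per sending host, so remote chatter stays out of the box’s own /var/log/syslog. The address 192.168.160.18 and the /var/log/remote path are assumptions taken from the lab description.

```conf
# /etc/rsyslog.conf excerpt (added example). The stock file ships the
# module/input lines commented out with a leading "#"; here they are
# uncommented and given an address and a ruleset. Load each module once.
module(load="imudp")
input(type="imudp" address="192.168.160.18" port="514" ruleset="remote")

module(load="imtcp")
input(type="imtcp" address="192.168.160.18" port="514" ruleset="remote")

# One file per reporting host. /var/log/remote must be writable by the
# user rsyslog drops privileges to (syslog on Ubuntu); the mode settings
# keep the per-host directories and files readable only by that user/group.
template(name="RemoteHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/syslog.log")

ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
}
```

Check the result with `rsyslogd -N1` before restarting; it parses the configuration and reports syntax errors without touching the running service.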

PART 4: Edit Multipath

Now I am putting this section in here to save myself trouble in the future. As I do a lot of work from virtual machines I run into the same conditions a lot. In my case, if I were to look at the syslog file I would see a lot of chatter.

We are going to talk about configuring the Linux DM Multipath I/O configuration. Think of this as the module that provides a method for failover communication. The DM Multipath configuration is configured by default for a number of options:

  • Load balancing — the workload is distributed across the available interfaces
  • Path failover and recovery — utilizes redundant I/O channels

We can exclude some of the unused devices, which will keep the module from spitting out syslog errors every few seconds.

Next we are going to edit:

root@syslog:/etc# vim multipath.conf

You are going to want to add the blacklist section that is marked by the red arrow. This filters out messages for these devices. It’s common for VMs not to have certain devices; filtering them out keeps the multipath I/O module from having to search for and configure them.

PART 5: Troubleshoot/Test

First a word about the utility logger. It is part of the util-linux package and will already be installed.

Let’s first reload the multipathd daemon so that it picks up the new configuration.

service multipathd reload

Now let’s restart the rsyslog service.

systemctl stop rsyslog
systemctl start rsyslog

Now we can test the logging facility.

logger -T -P 514 -n 192.168.160.18 "B@TTERup"

And now we can examine the results.

root@syslog:/var/log# tail --lines 1 syslog
Dec 29 16:43:59 syslog user B@TTERup

So at this point in my lab environment we have a box up and running. NTP is synchronized, the syslog service is up and running, and we have seen that we are logging events.

Now you can install a host logging utility such as NXLog or Snare on a workstation and configure it to forward event logs via syslog.

root@syslog:/var/log# tail --lines 1 syslog
Dec 29 12:57:54 SPARE-001.sparedomain.net MSWinEventLog#0116#011Application#011290#011Sun Dec 29 12:57:53 2019#0111040#011MsiInstaller#011S-1-5-21-2802390264-3357319413-3790737517-500#011N/A#011Information#011SPARE-001.sparedomain.net#0110#011Beginning a Windows Installer transaction: {C44F38F6-424B-4446-9457-B151B2EB7313}. Client Process Id: 6304.
root@syslog:/var/log#
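The `#011` runs in the record above are rsyslog’s doing: with its default EscapeControlCharactersOnReceive setting it rewrites each control character as `#` plus three octal digits, so the TAB separators in a Snare record arrive as literal `#011`. The parser below is an added example, not part of the article or of Snare; it undoes that escaping and names the fields using the documented Snare for Windows layout, on a constructed sample modelled on the line above.

```python
"""Parse Snare-for-Windows events out of rsyslog's /var/log/syslog.

rsyslog escapes control characters it receives as '#' plus three octal
digits, so the TAB separators in a Snare record show up as the literal
text '#011'. This undoes that and names the fields.
"""
import re

# Snare for Windows field order (documented layout). The sample stops at
# DataString, so the trailing names simply go unfilled.
SNARE_FIELDS = (
    "Tag", "Criticality", "EventLogSource", "SnareCounter", "DateTime",
    "EventID", "SourceName", "UserName", "SIDType", "EventLogType",
    "ComputerName", "CategoryString", "DataString", "ExpandedString",
)

_OCTAL_ESC = re.compile(r"#([0-7]{3})")
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def unescape_control(text):
    """Reverse rsyslog's EscapeControlCharactersOnReceive ('#011' -> TAB).

    Caveat: a literal '#' followed by three octal digits in the original
    message is indistinguishable from an escape and gets decoded too.
    """
    return _OCTAL_ESC.sub(lambda m: chr(int(m.group(1), 8)), text)


def parse_snare_line(line):
    """Return (syslog timestamp, reporting host, field dict), or None when
    the line is not a Snare record (e.g. the local 'logger' test message)."""
    m = _HEADER.match(line.rstrip("\n"))
    if not m:
        return None
    parts = unescape_control(m.group("msg")).split("\t")
    if parts[0] != "MSWinEventLog":
        return None
    return m.group("ts"), m.group("host"), dict(zip(SNARE_FIELDS, parts))


# Constructed sample, modelled on the record shown in the article.
SAMPLE = (
    "Dec 29 12:57:54 SPARE-001.sparedomain.net MSWinEventLog#0116#011Application"
    "#011290#011Sun Dec 29 12:57:53 2019#0111040#011MsiInstaller"
    "#011S-1-5-21-2802390264-3357319413-3790737517-500#011N/A#011Information"
    "#011SPARE-001.sparedomain.net#0110#011Beginning a Windows Installer "
    "transaction: {C44F38F6-424B-4446-9457-B151B2EB7313}. Client Process Id: 6304."
)

if __name__ == "__main__":
    ts, host, fields = parse_snare_line(SAMPLE)
    print(ts, host, fields["EventLogSource"], fields["EventID"], fields["SourceName"])
```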

See Also:

  • Snare – System iNtrusion Analysis and Reporting Environment
  • NXLog
  • Splunk Universal Forwarder
  • syslog-ng (the Windows agent is commercial software from One Identity)
    https://www.syslog-ng.com/community/b/blog/posts/when-to-use-the-syslog-ng-agent-for-windows
  • SYSLOG – Sumologic
  • GRAYLOG
  • WINLOGBEAT
  • Kiwi Event Forwarder For Windows (currently owned by Solarwinds)
    https://www.solarwinds.com/free-tools/event-log-forwarder-for-windows

References:

https://en.wikipedia.org/wiki/Linux_DM_Multipath
https://ubuntu.com/server/docs/device-mapper-multipathing-introduction
https://www.tecmint.com/install-rsyslog-centralized-logging-in-centos-ubuntu/
https://www.howtoforge.com/how-to-setup-rsyslog-server-on-ubuntu-1804/
https://en.wikipedia.org/wiki/Snare_(software)
https://www.syslog-ng.com/community/b/blog/posts/when-to-use-the-syslog-ng-agent-for-windows
https://www.sumologic.com/lp/syslog
https://github.com/syslog-ng/syslog-ng

Tom Hamilton