Introduction

Syslog is a message logging standard that allows software and operating systems to store messages about their operations. It’s often used for system and security management, as well as for software debugging and general usage information. Many systems, including but not limited to application software, operating systems and network devices (e.g. routers, firewalls and switches), use syslog to capture information.

Because so many devices use syslog, it’s often useful to create a central repository that accepts and stores syslog messages from multiple devices. From a security perspective, a central syslog server:

  1. Guarantees a redundant copy of logs in case a system is lost (due to a crash or other catastrophe) or tampered with
  2. Can be configured, along with other software, to provide alerts on suspicious activity such as repeated failed login attempts
  3. Can run security analytics to identify and present security trends and anomalies. This is usually done with third-party software such as Elastic (free and paid versions), ManageEngine (paid), or NetWitness (free and paid).

In this article we will show you how to set up a central syslog server and send log data to it from another server.

Prerequisites

For this example, to redirect logs to a central syslog server you will need the following:

For the central logging server

  1. A host running Ubuntu 16.04 or later
  2. A non-root user configured with sudo privileges
  3. Rsyslogd installed (we'll show you how)
  4. Access to any upstream firewalls/routers (if you need to open ports for syslog traffic)

For a Linux host sending logs to the central server


  1. A host running Ubuntu 16.04 or later
  2. A non-root user configured with sudo privileges
  3. Rsyslogd installed (we'll show you how)

In this article we'll use another Linux host as an example of a system sending its logs to the central syslog server. However, you can configure syslog on many other types of systems such as routers, firewalls, printers, and even Windows with the right software installed.

When purchasing a device, check with its manufacturer to see if syslog capabilities are included. Manufacturers of network devices and software known to support syslog include, but are not limited to, ASUS, Cisco, DD-WRT, Juniper, Linksys and Netgear.

Steps for Redirecting Logs

Step 1: Prepare the Central Syslog Server

To configure the central server to accept and store logs we must install rsyslogd. This is a Linux system utility that provides support for local and remote logging.

Install rsyslog by issuing the following command:

sudo apt-get install rsyslog

It’s quite possible that rsyslog is already installed. If so, that's fine.

Edit the rsyslog configuration file by issuing the following command:

sudo vim /etc/rsyslog.conf

We need to allow the syslog server to accept connections from other hosts. To do that, un-comment the following lines (remove the # at the beginning of the line) so that they look like the following:

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

We also need to tell the syslog server what to do with incoming logs as they arrive. In this example we will file incoming logs by folder. Each folder will be named after the hostname and IP address the logs came from. Note that the hostname (%HOSTNAME%) is taken from the message header, which the sender fills in, while the IP address (%fromhost-ip%) is taken from the connection itself.

Add the following directly underneath the TCP directives we just changed:

# file incoming logs by folder according to hostname/ip
$template FILENAME,"/var/log/remote/%HOSTNAME%-%fromhost-ip%/syslog.log"
*.* ?FILENAME

Save your changes and exit the text editor.

Restart the syslog server by issuing the following command:

sudo /etc/init.d/rsyslog restart

Finally, make sure that there is connectivity between your central logging server and the systems that will send logs to it. That means opening TCP port 514 on any firewalls in front of your server, ideally only for the hosts that will be sending logs.

All done - for now. Let's proceed to the next step to configure another server to send its logs to the central server.

Step 2: Configure a Linux Server to Send Logs to the Central Server

Install rsyslog by issuing the following command:

sudo apt-get install rsyslog

Again, it’s possible that rsyslog is already installed.

Edit the rsyslog configuration file:

sudo vim /etc/rsyslog.conf

Add the following to the end of the file, where remote-server is the IP or hostname of your central logging server. The double @@ sends over TCP, which matches the imtcp listener configured in Step 1 (a single @ would send over UDP instead). Note the space between the selector and the action; without it rsyslog will not parse the rule.

# send logs to remote server
*.* @@remote-server:514

When done, save and exit the configuration file.

Restart the syslog server by issuing the following command:

sudo /etc/init.d/rsyslog restart

Step 3: Watch it Go

On the central logging server, issue the following command:

sudo ls /var/log/remote

Assuming that everything is configured correctly, you should see a separate directory for each system sending logs to your server. Inside each directory is a syslog.log file with the logs from the corresponding system.
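As an added example (not code from this article or from the rsyslog project), the following Python models how the two rules from Step 1 resolve for a single line received over the Step 2 TCP link: the PRI value is split into facility and severity, the selector is evaluated (generalized here from the article's *.* to any facility.severity selector), and the FILENAME template is expanded with %HOSTNAME% from the message header and %fromhost-ip% from the TCP peer. The sample message, the peer address and the hostname sanity check are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# BSD-style line as rsyslog's @@ action sends it over TCP: one message per line.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ 0-9]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

FACILITY = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
            6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
            **{16 + i: f"local{i}" for i in range(8)}}
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

@dataclass
class Routed:
    facility: str
    severity: str
    hostname: str
    path: Optional[str]   # None when the selector did not match

def selector_matches(selector: str, facility: str, severity: str) -> bool:
    """Classic selector semantics: 'fac.sev' matches sev or anything more urgent,
    '*' matches anything. The article uses '*.*'; 'auth.warning' etc. work the same way."""
    fac, sev = selector.split(".")
    if fac not in ("*", facility):
        return False
    return sev == "*" or SEVERITY.index(severity) <= SEVERITY.index(sev)

def dynafile_path(hostname: str, fromhost_ip: str) -> str:
    """Expand $template FILENAME,"/var/log/remote/%HOSTNAME%-%fromhost-ip%/syslog.log".
    %HOSTNAME% is sender-supplied, %fromhost-ip% comes from the peer. The path check
    below is an added safeguard in this example, not something the template itself does."""
    if "/" in hostname or hostname in ("", ".", ".."):
        raise ValueError(f"refusing hostname that could escape the log tree: {hostname!r}")
    return f"/var/log/remote/{hostname}-{fromhost_ip}/syslog.log"

def route(line: str, fromhost_ip: str, selector: str = "*.*") -> Routed:
    m = SYSLOG_RE.match(line)
    if not m or int(m["pri"]) > 191:
        raise ValueError(f"not a valid syslog line: {line!r}")
    pri = int(m["pri"])                       # PRI = facility * 8 + severity
    facility = FACILITY.get(pri // 8, str(pri // 8))
    severity = SEVERITY[pri % 8]
    matched = selector_matches(selector, facility, severity)
    path = dynafile_path(m["host"], fromhost_ip) if matched else None
    return Routed(facility, severity, m["host"], path)

# Constructed sample: a failed SSH login (auth.info, PRI 38) arriving from peer 10.0.0.12.
SAMPLE = "<38>Mar  4 10:15:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 4411 ssh2"
```

Calling route(SAMPLE, "10.0.0.12") yields the path /var/log/remote/web01-10.0.0.12/syslog.log, which is the directory layout Step 3 tells you to look for.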

Conclusion

That's all there is to it, but we encourage you to experiment further with rsyslog. You can separate information from different processes into separate files, configure retention policies for your logs, and much more.

You just took a huge step toward better understanding your network and protecting it from security threats. Just be sure to review and analyze your logs on a regular basis. They don't do any good if you don't look at them.

Happy logging!
