Configure rsyslog to create logs for each device in their own folders
Configuring rsyslog to split the logs by device IP and rotate the logs on daily basis
The following steps apply to a new installation of Ubuntu 16, with the default rsyslog settings
1. Modify the rsyslog configuration file, /etc/rsyslog.conf, and uncomment the settings for the UDP listener:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
This will instruct rsyslog to listen on UDP/514 for syslog messages. Adjust these settings accordingly for other ports, or if TCP is needed (see the "# provides TCP syslog reception" setting in the same file).
At the end of the file, after the line:
$IncludeConfig /etc/rsyslog.d/*.conf
Add:
$template DailyPerHost,"/var/log/syslog_devices/%HOSTNAME%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHost
These settings will create individual logs for each logging device under the /var/log/syslog_devices folder (the leading - in the action line disables syncing after each write, and ? tells rsyslog that DailyPerHost is a template for a dynamic file name). A new file is started each day, so the logs are split on a daily basis; note that nothing in this configuration deletes the older files. For example, a device with hostname cisco_asa_toronto02 logging on Feb 17, 2018 will be recorded under:
/var/log/syslog_devices/cisco_asa_toronto02/cisco_asa_toronto02-2018-02-17.log
The host name is obtained by reverse DNS; if reverse DNS is not available, the IP address is used. To use the IP address instead, replace %HOSTNAME% with %FROMHOST-IP%:
$template DailyPerHost,"/var/log/syslog_devices/%FROMHOST-IP%/%FROMHOST-IP%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* -?DailyPerHost
From my experience, the reverse DNS from rsyslog is not always reliable, and you may end up with folders for both the IP address and the host name. For this reason, I use the IP address if the host name is not needed.
Using the host name is useful if there is a need to have a naming convention for specific devices. For example, if you want all the Cisco ASA firewall logs to be monitored and ingested by your SIEM, you can configure reverse DNS for your ASA firewalls so they all start with the same prefix, such as cisco_asa (cisco_asa_montreal01, cisco_asa_toronto02, etc.), and have the SIEM monitor /var/log/syslog_devices/cisco_asa_*. If the IP addresses are used, it is more difficult to manage the aggregation of the log collection process.
After all the changes, restart rsyslog:
sudo service rsyslog restart
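To check what the templates above will produce before deploying them, the following added example (not from the original post) expands the DailyPerHost template the way rsyslog's property replacer would for the handful of properties it uses. The base directory and the two templates are taken from the post; the check that the expanded path stays beneath the log root is an addition of mine, as are the sample IP address and date.

```python
import os
import re

# Log root and the two templates from the post (host-name and IP variants).
BASE_DIR = "/var/log/syslog_devices"
HOST_TEMPLATE = BASE_DIR + "/%HOSTNAME%/%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
IP_TEMPLATE = BASE_DIR + "/%FROMHOST-IP%/%FROMHOST-IP%-%$YEAR%-%$MONTH%-%$DAY%.log"

# rsyslog property references look like %NAME%; this handles only the
# properties the templates above use, not the full property replacer.
_PROP = re.compile(r"%([^%]+)%")


def expand_template(template, hostname, fromhost_ip, when):
    """Render the dynafile template for one message.

    `when` is a (year, month, day) tuple standing in for the timestamp
    rsyslog uses for $YEAR/$MONTH/$DAY. Unknown properties raise.
    """
    year, month, day = when
    props = {
        "HOSTNAME": hostname,
        "FROMHOST-IP": fromhost_ip,
        "$YEAR": f"{year:04d}",
        "$MONTH": f"{month:02d}",  # zero-padded like rsyslog's output
        "$DAY": f"{day:02d}",
    }

    def repl(match):
        name = match.group(1)
        if name not in props:
            raise ValueError(f"unsupported property {name!r}")
        return props[name]

    return _PROP.sub(repl, template)


def path_is_under_base(path, base=BASE_DIR):
    """True only if the normalised path stays beneath the log root."""
    return os.path.normpath(path).startswith(base + os.sep)


def log_path_for(template, hostname, fromhost_ip, when):
    """Expand the template and refuse any result that leaves BASE_DIR."""
    path = expand_template(template, hostname, fromhost_ip, when)
    if not path_is_under_base(path):
        raise ValueError(f"refusing path outside {BASE_DIR}: {path!r}")
    return path
```

Calling log_path_for(HOST_TEMPLATE, "cisco_asa_toronto02", "10.0.0.5", (2018, 2, 17)) returns the path shown in the post for that device and day (the IP address is a constructed sample value), and the IP_TEMPLATE variant returns the matching path under a 10.0.0.5 folder.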