How to Configure and Optimize Rsyslog on Debian: A Step-by-Step Guide

Rsyslog is an open-source utility for UNIX and Unix-like systems that forwards log messages over IP networks and collects logs. It implements the basic syslog protocol and extends it with content-based filtering, rich filtering capabilities, flexible configuration options, and features such as TCP transport.

1. Configure the environment

System: Debian

2. Rsyslog Configuration

Most Linux systems ship with the Rsyslog service installed but not enabled as a log receiver; modifying the configuration file is all that is needed to use it. First, if Rsyslog is not installed, install it with "sudo apt-get install rsyslog" and make sure the logging port, 514, will be listening. Edit the /etc/rsyslog.conf file, which initially contains the network inputs commented out:

 #provides UDP syslog reception
 #$ModLoad imudp
 #$UDPServerRun 514
 #provides TCP syslog reception
 #$ModLoad imtcp
 #$InputTCPServerRun 514

Uncomment the module and port directives so they read:

 #provides UDP syslog reception
 $ModLoad imudp
 $UDPServerRun 514
 #provides TCP syslog reception
 $ModLoad imtcp
 $InputTCPServerRun 514

Save the file and restart the service with "service rsyslog restart".

Next, edit the daemon options with "vim /etc/default/rsyslog" (-r allows receiving external log messages; -x disables incomplete DNS records or other log center logs; see Note 1):

 RSYSLOGD_OPTIONS="-c5 -r -x"

Save and exit, then restart rsyslog:

 service rsyslog restart

Check that it has started and is listening on port 514:

 netstat -nultp | grep 514
Ensure that the firewall allows port 514 for both TCP and UDP.

To save incoming logs to a separate file for each sender based on its IP address, add rules of the form :FROMHOST-IP,isequal,"<sending host IP>" <save path>, for example:

 :FROMHOST-IP,isequal, "192.168.1.80" /var/log/rsyslog/192.168.1.80/Snort.log
 :FROMHOST-IP,isequal, "192.168.1.127" /var/log/rsyslog/192.168.1.127/Ossec.log
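To verify the edits above without restarting anything, the following Python script (an added example, not part of this guide or of the rsyslog project) parses a legacy-syntax rsyslog.conf: it reports which network inputs are actually enabled, treating a $UDPServerRun or $InputTCPServerRun line as effective only when its matching $ModLoad line is also uncommented, and it checks each :FROMHOST-IP rule for a valid IP address and an absolute save path. The configuration text embedded in it is constructed for the demonstration: the TCP input is left commented out and one rule carries a deliberately invalid address so that both checks have something to report.

```python
"""Offline checks for a legacy-syntax rsyslog.conf (added example, not from the guide).

Two checks a log-server administrator wants after editing the file:
(1) which network inputs are really enabled, since a directive that is
still commented out is the usual reason port 514 never opens, and
(2) whether the per-host ':FROMHOST-IP' rules are well-formed.
"""
import ipaddress
import re

# Constructed sample: the guide's UDP input enabled, the TCP input still
# commented out, the two per-host rules from the guide, and one rule with
# an invalid address so the validator has something to flag.
SAMPLE_CONF = """\
#provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
#provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
:FROMHOST-IP,isequal, "192.168.1.80" /var/log/rsyslog/192.168.1.80/Snort.log
:FROMHOST-IP,isequal, "192.168.1.127" /var/log/rsyslog/192.168.1.127/Ossec.log
:FROMHOST-IP,isequal, "192.168.1.999" /var/log/rsyslog/bad/Bad.log
"""

# Legacy "run" directive -> (module it depends on, transport name)
_RUN_DIRECTIVES = {
    "$UDPServerRun": ("imudp", "udp"),
    "$InputTCPServerRun": ("imtcp", "tcp"),
}

# :FROMHOST-IP,isequal,"<ip>" <path>   (whitespace around commas is tolerated)
_RULE_RE = re.compile(r'^:FROMHOST-IP\s*,\s*isequal\s*,\s*"([^"]+)"\s+(\S+)\s*$')


def _active_lines(conf_text):
    """Yield non-empty, non-comment lines with surrounding whitespace removed."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def enabled_listeners(conf_text):
    """Return {transport: port} for every network input that is fully enabled.

    A listener counts only when both its $ModLoad and its run directive are
    uncommented; a port directive whose module is never loaded does nothing.
    """
    loaded = set()
    ports = {}
    for line in _active_lines(conf_text):
        parts = line.split()
        if parts[0] == "$ModLoad" and len(parts) == 2:
            loaded.add(parts[1])
        elif parts[0] in _RUN_DIRECTIVES and len(parts) == 2 and parts[1].isdigit():
            module, transport = _RUN_DIRECTIVES[parts[0]]
            ports[transport] = (module, int(parts[1]))
    return {t: port for t, (module, port) in ports.items() if module in loaded}


def parse_host_rules(conf_text):
    """Parse the per-host rules into (ip, path, problem) tuples.

    problem is None for a well-formed rule, otherwise a short description.
    """
    rules = []
    for line in _active_lines(conf_text):
        match = _RULE_RE.match(line)
        if not match:
            continue
        ip_text, path = match.groups()
        problem = None
        try:
            ipaddress.ip_address(ip_text)
        except ValueError:
            problem = "not a valid IP address"
        else:
            if not path.startswith("/"):
                problem = "destination is not an absolute path"
        rules.append((ip_text, path, problem))
    return rules


if __name__ == "__main__":
    print("enabled listeners:", enabled_listeners(SAMPLE_CONF))
    for ip, path, problem in parse_host_rules(SAMPLE_CONF):
        print(f"{ip:15} -> {path}  {'OK' if problem is None else problem}")
```

To check the real file, read /etc/rsyslog.conf into a string and pass it in place of SAMPLE_CONF. If a listener you expected is missing from the result, the usual cause is its $ModLoad line still being commented out, something netstat would only reveal after a restart.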

Note 1:

1. -r allows receiving external log messages.
2. -x disables incomplete DNS records or other log center logs.
3. -m changes the interval at which syslog writes its internal mark message (0 turns it off). For example, -m 180 adds a timestamp message to the log file every 180 minutes (8 times a day).
4. -h: by default syslog does not forward messages received from remote hosts to other hosts; this option enables that, so all received messages are forwarded to the @host defined in syslog.conf.