From d6cb81bb151f7b9dc998cce0376402ed34e25dab Mon Sep 17 00:00:00 2001 From: Christoph Wickert Date: Wed, 15 Sep 2021 16:11:19 +0200 Subject: [PATCH 1/4] New task: Configure a central syslog server --- DC-task-configure-syslog-server | 12 + xml/task-configure-syslog-server.xml | 355 +++++++++++++++++++++++++++ 2 files changed, 367 insertions(+) create mode 100644 DC-task-configure-syslog-server create mode 100644 xml/task-configure-syslog-server.xml diff --git a/DC-task-configure-syslog-server b/DC-task-configure-syslog-server new file mode 100644 index 00000000..3f3f3172 --- /dev/null +++ b/DC-task-configure-syslog-server @@ -0,0 +1,12 @@ +# This file originates from the project https://github.com/openSUSE/doc-kit +# This file can be edited downstream. + +MAIN="task-configure-syslog-server.xml" +ROOTID="task-configure-central-syslog-server" + +PROFCONDITION="suse-product" +#PROFCONDITION="suse-product;beta" +#PROFCONDITION="community-project" + +STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns" +FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns" diff --git a/xml/task-configure-syslog-server.xml b/xml/task-configure-syslog-server.xml new file mode 100644 index 00000000..3f9c4aa9 --- /dev/null +++ b/xml/task-configure-syslog-server.xml @@ -0,0 +1,355 @@ + + + + + %entities; +]> + + + +
+ + + Forwarding log messages to a central log server + + + https://bugzilla.suse.com/enter_bug.cgi + Documentation + Product Name + cwickert@suse.com + + no + + + +
+ Environment + This document applies to the following products and product versions: + + + &sles; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3 + + + &sles4sap; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3 + + + &sleha; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3 + + + &slehpc; 15 SP3, 15 SP2, 15 SP1, 15 GA + + + &sled; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3 + + + &slert; 15 SP3, 15 SP2, 15 SP1, 15 GA, 12 SP5, 12 SP4, 12 SP3 + + +
+ +
+ Introduction + + System log data can be forwarded from individual systems to a central + syslog server on the network. This allows administrators to get an overview + of events on all hosts and prevents attackers that succeed in taking over a + system from manipulating system logs to cover their tracks. + +
+ +
+ Requirements + + + + You have installed your product and your system is up and running. + + + + + The system is connected to the network. + + + + + The rsyslog package is installed on all machines. + If not, run zypper in yast2-mail to install it. + + + + +
+ +
+ Setting up the central syslog server + + Setting up a central syslog server consists of two parts. First you configure + the central logging server, then the clients for remote logging. + +
+ Setting up the central syslog server + + + Configure the central <systemitem>rsyslog</systemitem> server + + To set up a central log server, perform the following steps: + + + + Edit the configuration file + /etc/rsyslog.d/remote.conf. + + + + + Uncomment the following lines in the UDP Syslog Server + or TCP Syslog Server section of the configuration file. + Assign an IP address and port for rsyslogd. + + + TCP example: + + $ModLoad imtcp.so + $UDPServerAddress IP + $InputTCPServerRun PORT + + UDP example: + + $ModLoad imudp.so + $UDPServerAddress IP + $UDPServerRun PORT + + + + IP address of the interface for rsyslogd to listen on. If no address is + given, the daemon listens on all interfaces. + + + + + Port for rsyslogd to listen on. + Select a privileged port below 1024. The default is 514. + + + + + TCP vs. UDP protocol + + Traditionally syslog uses the UDP protocol to transmit log messages over + the network. This involves less overhead but lacks reliability. Log + messages can get lost under high load. + + + + + The TCP protocol is more reliable and should be preferred over UDP. + + + + <literal>UDPServerAddress</literal> with TCP + + The $UDPServerAddress configuration parameter in the + TCP example is no error. Despite its name it is used for both TCP and + UDP. + + + + + + Save the file. + + + + + Restart the rsyslog service: + +&prompt.sudo;systemctl restart rsyslog.service + + + Open the respective port in the firewall. For firewalld with TCP on port 514 run: + +&prompt.sudo;firewall-cmd --add-port 514/tcp --permanent +&prompt.sudo;firewall-cmd --reload + + + + You have now configured the central logging server. Next, configure the + clients for remote logging. + +
+
+ Set up the client machines + + Configure a <guimenu>rsyslog</guimenu> instance for remote logging + + To configure a machine for remote logging on a central log server, perform + the following steps: + + + + Edit the configuration file + /etc/rsyslog.d/remote.conf. + + + + + Uncomment the appropriate line (TCP or UDP) and replace + remote-host with the address of the central log server + set up in . + + + TCP example: + + # Remote Logging using TCP for reliable delivery + # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional + *.* @@remote-host + + UDP example: + + # Remote Logging using UDP + # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional + *.* @remote-host + + + + Save the file. + + + + + Restart the rsyslog service: + + &prompt.sudo;systemctl restart rsyslog.service + + + + Verify the proper function of the syslog forwarding: + + &prompt.user;logger "hello world" + + The log message hello world should now appear on the + central syslog server. + + + + + You have now configured a machine for remote logging to your central log + server. Repeat this procedure for all machines that should log remotely. + +
+
+ +
+ Summary + + You have now configured one or more hosts for remote logging to your central + log server. This allows you to get a quick to get an overview of events in + in your network. + +
+ +
+ Troubleshooting + + In case the test log message does not appear on the log server, perform the + following steps to analyze the problem. + + + + Is rsyslog running? + + + If you made an error in the configuration of rsyslog, the daemon might refuse to start. + Check it is running with + systemctl status rsyslog.service. If the + service is down, the output includes additional information about the + reason. + + + Run this check on both the log server and the remote logging clients. + + + + + Is the firewall open? + + + Check if the firewall on the log server is open with + firewall-cmd --list-all. + + + + +
+ +
+ Next steps + + This basic setup does not include encryption and is only suitable for + trusted internal networks. TLS encryption is strongly recommended but + requires a certificate infrastructure to be set up first. + + + In this setup all messages from remote hosts will be treated the same on the + central syslog server. Consider filtering messages into separate files by + remote host or classify them by message category. + + + For more information about encryption, filtering, and other advanced topics, + consult the RSyslog documentation at + . + +
+ + +
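Review bot: the Requirements list in xml/task-configure-syslog-server.xml points the reader at the wrong package: it says the `rsyslog` package is needed and then tells them to run `zypper in yast2-mail`, which installs the YaST mail module, not rsyslog. This should be `zypper in rsyslog`. Since the troubleshooting section later assumes `rsyslog.service` exists, it would also help to give a one-line check such as `rpm -q rsyslog`.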
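Review bot: the "UDPServerAddress with TCP" note in the server procedure is factually wrong. `$UDPServerAddress` is an imudp directive; it does not affect the imtcp listener started by `$InputTCPServerRun`, so in the TCP example the daemon listens on all interfaces no matter what IP the reader fills in, and the explanation "Despite its name it is used for both TCP and UDP" will mislead anyone who relies on that line to limit exposure. Either drop the line from the TCP example and state that the TCP listener binds to all interfaces, or rewrite both examples in the RainerScript form that rsyslog 8 (shipped with the listed products) documents, where the bind address is an explicit parameter of the UDP input: `module(load="imudp")` / `input(type="imudp" port="514" address="IP")` and `module(load="imtcp")` / `input(type="imtcp" port="514")`; the `$`-style directives shown here are documented as legacy. Also reconsider "Select a privileged port below 1024": ports below 1024 can only be bound by root or with CAP_NET_BIND_SERVICE, and nothing on the page explains why that would be preferable, so "The default is 514" is enough on its own.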
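Review bot: the firewall step in the server procedure only covers the TCP variant (`firewall-cmd --add-port 514/tcp --permanent`), but the same procedure offers a UDP listener, which needs `514/udp`; give both commands or say that the protocol must match the listener. The Environment section also lists SLES 12 SP3 to SP5, which use SuSEfirewall2 rather than firewalld by default, so neither the firewalld commands here nor the `firewall-cmd --list-all` check in Troubleshooting apply there; add the SuSEfirewall2 equivalent or limit the step to SLE 15. Finally, because this receiver performs no authentication, opening 514/tcp to the whole network lets any host on it inject messages into the central log; suggest restricting the rule to the client subnet with a rich rule, for example `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="514" protocol="tcp" accept'`, with the subnet shown as a placeholder.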
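Review bot: the Introduction claims that central logging "prevents attackers that succeed in taking over a system from manipulating system logs to cover their tracks", which overstates what this setup delivers. An attacker with root on a client can stop or reconfigure rsyslog so that nothing further is forwarded, and because the server described here accepts unauthenticated plain-text syslog from any host, the attacker can also send forged messages to the central server. Suggest "makes it much harder" together with a sentence that only the copies already shipped to the central server remain trustworthy, plus a pointer to the Next steps section. Next steps should in turn say that TLS with verification of the client certificate addresses spoofing as well as eavesdropping, not only "encryption"; as written, a reader could conclude the plain setup is merely unencrypted rather than also unauthenticated.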
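Review bot: the client procedure never shows how to reach a server on a non-default port, although the server procedure lets the reader choose any PORT; the screen comment ("port optional") hints at the syntax, but the example itself should read `*.* @@remote-host:PORT` with PORT as a replaceable matching the server step, or state explicitly that the port may be omitted only when the server listens on 514. The verification step says the message "should now appear on the central syslog server" without saying where to look; name the log file or command to check on the server, and use a fixed tag such as `logger -t remotetest "hello world"` so the message is easy to grep for. The Troubleshooting section checks the service and the firewall but never whether the server is actually listening on the chosen port: add `ss -ltnp | grep 514` (or `ss -lunp` for UDP) on the server, and on the client `ss -tnp` to see whether the TCP session to the server is established.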
From dabade52fae17a1f7083a6b950f6c2ede25b16a2 Mon Sep 17 00:00:00 2001 From: Christoph Wickert Date: Fri, 8 Oct 2021 11:23:05 +0200 Subject: [PATCH 2/4] Apply suggestions from code review Most but not all suggestions applied, others will follow manually. Co-authored-by: Liam Proven --- xml/task-configure-syslog-server.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/xml/task-configure-syslog-server.xml b/xml/task-configure-syslog-server.xml index 3f9c4aa9..18b31a11 100644 --- a/xml/task-configure-syslog-server.xml +++ b/xml/task-configure-syslog-server.xml @@ -66,7 +66,7 @@ System log data can be forwarded from individual systems to a central syslog server on the network. This allows administrators to get an overview - of events on all hosts and prevents attackers that succeed in taking over a + of events on all hosts, and prevents attackers that succeed in taking over a system from manipulating system logs to cover their tracks. @@ -110,7 +110,7 @@ Configure the central <systemitem>rsyslog</systemitem> server - To set up a central log server, perform the following steps: + To set up a central syslog server, perform the following steps: @@ -156,7 +156,7 @@ TCP vs. UDP protocol Traditionally syslog uses the UDP protocol to transmit log messages over - the network. This involves less overhead but lacks reliability. Log + the network. This involves less overhead, but lacks reliability. Log messages can get lost under high load. The rsyslog package is installed on all machines. @@ -98,7 +106,7 @@ Setting up the central syslog server Setting up a central syslog server consists of two parts. First you configure - the central logging server, then the clients for remote logging. + the central log server, then the clients for remote logging.
Setting up the central syslog server @@ -153,7 +161,7 @@ - TCP vs. UDP protocol + TCP versus UDP protocol Traditionally syslog uses the UDP protocol to transmit log messages over the network. This involves less overhead, but lacks reliability. Log @@ -201,8 +209,8 @@ - You have now configured the central logging server. Next, configure the - clients for remote logging. + You have now configured the central log server. Next, configure the clients + for remote logging.
@@ -270,9 +278,9 @@
Summary - You have now configured one or more hosts for remote logging to your central - log server. This allows you to get a quick to get an overview of events in - in your network. + You have configured one or more hosts for remote logging to your central log + server. This allows you to get a quick to get an overview of events on your + network.
@@ -319,9 +327,9 @@ requires a certificate infrastructure to be set up first. - In this configuration, all messages from remote hosts will be treated the same on the - central syslog server. Consider filtering messages into separate files by - remote host or classify them by message category. + In this configuration, all messages from remote hosts will be treated the + same on the central log server. Consider filtering messages into separate + files by remote host or classify them by message category. For more information about encryption, filtering, and other advanced topics, From 6467d90fb3bb0be330d4c41744a1bc3b611a26c4 Mon Sep 17 00:00:00 2001 From: Christoph Wickert Date: Wed, 10 Nov 2021 20:13:47 +0100 Subject: [PATCH 4/4] Fix screens and consistently use term 'syslog server' --- xml/task-configure-syslog-server.xml | 67 ++++++++++++++-------------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/xml/task-configure-syslog-server.xml b/xml/task-configure-syslog-server.xml index fa975626..b453cbfa 100644 --- a/xml/task-configure-syslog-server.xml +++ b/xml/task-configure-syslog-server.xml @@ -24,7 +24,7 @@ xmlns:xlink="http://www.w3.org/1999/xlink"> - Forwarding log messages to a central log server + Forwarding log messages to a central syslog server https://bugzilla.suse.com/enter_bug.cgi @@ -64,9 +64,9 @@
Introduction - System log data can be forwarded from individual systems to a central - syslog server on the network. This allows administrators to get an overview - of events on all hosts, and prevents attackers that succeed in taking over a + System log data can be forwarded from individual systems to a central syslog + server on the network. This allows administrators to get an overview of + events on all hosts, and prevents attackers that succeed in taking over a system from manipulating system logs to cover their tracks.
@@ -137,14 +137,14 @@ TCP example:
$ModLoad imtcp.so - $UDPServerAddress IP - $InputTCPServerRun PORT +$UDPServerAddress IP +$InputTCPServerRun PORT UDP example: $ModLoad imudp.so - $UDPServerAddress IP - $UDPServerRun PORT +$UDPServerAddress IP +$UDPServerRun PORT @@ -168,13 +168,13 @@ messages can get lost under high load. + reliable. Messages will only get lost under + constant high load, which should not occur under + normal circumstances. + + + Since the advantages of centralized logging could suffer from + unreliability, using TCP recommended. --> The TCP protocol is more reliable and should be preferred over UDP. @@ -209,7 +209,7 @@ - You have now configured the central log server. Next, configure the clients + You have now configured the central syslog server. Next, configure clients for remote logging.
@@ -218,8 +218,8 @@ Configure a <guimenu>rsyslog</guimenu> instance for remote logging - To configure a machine for remote logging on a central syslog server, perform - the following steps: + To configure a system for remote logging on a central syslog server, + perform the following steps: @@ -230,21 +230,22 @@ Uncomment the appropriate line (TCP or UDP) and replace - remote-host with the address of the central log server - set up in . + remote-host with the address of the central syslog + server set up in . TCP example: # Remote Logging using TCP for reliable delivery - # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional - *.* @@remote-host +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional +*.* @@remote-host UDP example: # Remote Logging using UDP - # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional - *.* @remote-host +# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional +*.* @remote-host @@ -269,8 +270,8 @@ - You have now configured a machine for remote logging to your central log - server. Repeat this procedure for all machines that should log remotely. + You have now configured a system for remote logging to your central syslog + server. Repeat this procedure for all systems that should log remotely. @@ -278,8 +279,8 @@
Summary - You have configured one or more hosts for remote logging to your central log - server. This allows you to get a quick to get an overview of events on your + You have configured one or more hosts for remote logging to your central + syslog server. This allows you to get a quick overview of events on your network.
@@ -287,8 +288,8 @@
Troubleshooting - In case the test log message does not appear on the log server, perform the - following steps to analyze the problem. + In case the test log message does not appear on the syslog server, perform + the following steps to analyze the problem. @@ -303,7 +304,7 @@ reason. - Run this check on both the log server and the remote logging clients. + Run this check on both the syslog server and the remote logging clients. @@ -324,11 +325,11 @@ This basic setup does not include encryption and is only suitable for trusted internal networks. TLS encryption is strongly recommended, but - requires a certificate infrastructure to be set up first. + requires a certificate infrastructure. In this configuration, all messages from remote hosts will be treated the - same on the central log server. Consider filtering messages into separate + same on the central syslog server. Consider filtering messages into separate files by remote host or classify them by message category.
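Review bot: the hunk around the "TCP versus UDP protocol" note reindents a commented-out paragraph (`... using TCP recommended. -->`) instead of removing it. The rendered paragraph directly below already says TCP should be preferred, so the stale XML comment adds nothing and will keep drifting out of sync with the visible text; drop it in this patch, and if it has to stay for some reason, fix the grammar to "using TCP is recommended". The rest of the series (consistent "syslog server" wording, unindented screens) looks good.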