1. Send authentication and scheduled task logs (auth, authpriv, cron)


1. Operation objectives and application scenarios

To facilitate log monitoring and prevent log tampering, it is common in working environments to use rsyslog to set up a log server for storing logs from other servers. rsyslog supports the remote sending and receiving of logs.

rsyslog client: responsible for sending logs to the remote log server; supports the UDP, TCP and RELP protocols.

rsyslog server: responsible for receiving the logs sent by clients and storing them locally; supports storage in files or in a database.

For intrusion investigation, the operating system's authentication logs, scheduled task (cron) logs and command history are very important. To strengthen log management, the corresponding log information of each system must be saved to a dedicated rsyslog log server. The log path format used is: Source IP address/Facility name (log category)/YearMonth.log.

 

2. Platform and tool versions

Software: rsyslog

Log client (sender): CentOS 7

Log server (receiver): CentOS 7

 

3. Operation steps

(I) Log client configuration

1. Send authentication and scheduled task logs (auth, authpriv, cron)

Edit the rsyslog service configuration file by running 'vi /etc/rsyslog.conf' and add the following line at the end of the file:

auth.*;authpriv.*;cron.* @@192.168.43.234:514

A single '@' sends logs over UDP; the two '@' symbols here mean the logs are transmitted over TCP. Compared to UDP, TCP transmission is more reliable.

Save and exit. In this way, the authentication and scheduled task logs are kept locally and are also saved on the remote log server.

 

2. Send command history

(1) Configure sending of the command history for the root account

Edit the configuration file for 'root' by running 'vi /root/.bashrc' and add the following content at the end of the file:

function log2syslog
{
   declare command
   command=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- $USER : "$command"
}
trap log2syslog DEBUG

Save and exit

'fc' is a shell built-in used to retrieve the command history; '$(fc -ln -0)' expands to the most recently executed command.

The 'logger' command sends messages to the system log; '-p' sets the facility to 'local1' and the priority to 'notice', '-t' sets the tag to 'bash', and '-i' includes the process ID.

Make sure the double quotes around '$command' are present.

 

(2) Configure sending of the command history for a normal user

Edit the configuration file for the 'sec' user by running 'vi /home/sec/.bashrc' and add the following content at the end of the file:

function log2syslog
{
   declare command
   command=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- $USER : "$command"
}
trap log2syslog DEBUG

Save and exit

 

(3) Modify the user configuration template

vi /etc/skel/.bashrc  //Edit the .bashrc file in the user configuration template directory and add the following content

function log2syslog
{
   declare command
   command=$(fc -ln -0)
   logger -p local1.notice -t bash -i -- $USER : "$command"
}
trap log2syslog DEBUG

Save and exit. Once this file is modified, the .bashrc of every user created from now on will contain the command history forwarding hook shown above.

 

3. Configure the rsyslog service

vi /etc/rsyslog.conf  //Edit the configuration file

//Add local1.none to the following line

*.info;mail.none;authpriv.none;cron.none;local1.none  /var/log/messages

//local1.none means that messages with facility local1 are not written to the file named on this line. As a result, local user command history is not duplicated into the messages file. (The command history is already saved in each user's .bash_history file by default.)

//Add a line at the end of the file to send the command history to the log server

local1.notice @@192.168.43.234:514

Save and exit.

 

systemctl restart rsyslog  //Restart the service to make the configuration changes take effect

 

(II) Log server configuration

1. rsyslog service configuration

vi /etc/rsyslog.conf  //Uncomment the following two lines

$ModLoad imtcp

$InputTCPServerRun 514

 

//Comment out the original ActionFileDefaultTemplate directive (use the traditional format)

#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

//Use a custom time format

$template myformat,"%$NOW% %TIMESTAMP:8:15% %hostname% %syslogtag% %msg%\n"

$ActionFileDefaultTemplate myformat

 

//Write the following line before the RULES section

$template local1_path, "/var/log/%FROMHOST-IP%/bash_history/%$YEAR%%$MONTH%.log"

$template remote_path, "/var/log/%FROMHOST-IP%/%syslogfacility-text%/%$YEAR%%$MONTH%.log"

 

if $fromhost-ip != '127.0.0.1' and $syslogfacility-text == 'local1' then ?local1_path

& ~

if $fromhost-ip != '127.0.0.1' then ?remote_path

& ~

Save and exit.

The two $template lines define templates named 'local1_path' and 'remote_path'; the string after the template name is the path of the log file the messages will be saved to.

Instructions starting with 'if' are expression-based filters. The first 'if' instruction means: if the source IP address of the log message is not this machine, and the message's syslogfacility-text is local1, then write the message to the file produced by the 'local1_path' template.

'& ~' discards a message that matched the preceding filter so that it is not matched against any later rule. By default a log message is matched against every rule in rsyslog.conf in order; '& ~' makes the message skip the remaining rules, so it is not written to any other log file. (In rsyslog 7 and later the '~' action is deprecated in favour of 'stop', written as '& stop', which behaves the same.)

The second 'if' instruction writes all log messages from outside this machine (because of the preceding '& ~', only the auth, authpriv and cron messages still reach it) to the file produced by 'remote_path'.
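The client/server exchange described in the .bashrc hook and in the server rules above, as an added example that is neither the article's nor rsyslog's code: the client side builds the line that 'logger -p local1.notice -t bash -i' hands to rsyslog and the 'local1.notice @@...' rule forwards, and the server side decodes the PRI and applies the two 'if' rules with '& ~' (first match wins) to yield the paths the two templates produce. Host names, IPs, PIDs, commands and the sample sshd/CROND lines are constructed; the facility table is the one rsyslog prints (codes 12 to 15 are rarely seen).

```python
import re
from datetime import date
# Facility/severity names as rsyslog's %syslogfacility-text%/%syslogseverity-text% print them.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# RFC 3164 line as received on TCP/514: <PRI>Mmm dd HH:MM:SS host tag: msg
LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def client_line(user, command, pid, host="client1", stamp="Mar 25 09:10:30"):
    """Line produced by: logger -p local1.notice -t bash -i -- $USER : "$command" (PRI = facility*8 + severity)."""
    pri = FACILITIES.index("local1") * 8 + SEVERITIES.index("notice")   # 141
    return f"<{pri}>{stamp} {host} bash[{pid}]: {user} : \t{command}"   # fc -ln output keeps its leading tab

def parse(raw):
    """Decode PRI into facility/severity text and split timestamp, host and the rest."""
    m = LINE.match(raw)
    if not m or int(m.group(1)) > 191:          # 23*8+7 is the largest valid PRI
        raise ValueError(f"not an RFC 3164 syslog line: {raw!r}")
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "time": m.group(2)[7:15], "host": m.group(3), "rest": m.group(4)}  # [7:15] = %TIMESTAMP:8:15%

def route(fromhost_ip, facility, when):
    """Server rules in file order; '& ~' discards a matched message, so the first hit wins."""
    period = f"{when.year:04d}{when.month:02d}"                    # %$YEAR%%$MONTH%
    if fromhost_ip != "127.0.0.1" and facility == "local1":        # -> ?local1_path
        return f"/var/log/{fromhost_ip}/bash_history/{period}.log"
    if fromhost_ip != "127.0.0.1":                                 # -> ?remote_path
        return f"/var/log/{fromhost_ip}/{facility}/{period}.log"
    return None   # the server's own messages fall through to the default RULES section

# Constructed traffic: two remote clients plus a command typed on the log server itself.
SAMPLES = [
    ("192.168.43.10", "<85>Mar 25 09:09:01 client1 sshd[2210]: Accepted password for sec from 192.168.43.50 port 50122 ssh2"),
    ("192.168.43.10", client_line("root", "crontab -l", 2301)),
    ("192.168.43.11", "<78>Mar 25 09:11:01 client2 CROND[2350]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("127.0.0.1", client_line("admin", "ls", 4001, host="logserver")),
]

def destinations(samples=SAMPLES, when=date(2025, 3, 25)):
    """(facility.severity, target path or None) for each sample, as the server would file it."""
    out = []
    for ip, raw in samples:
        p = parse(raw)
        out.append((f"{p['facility']}.{p['severity']}", route(ip, p["facility"], when)))
    return out
```

Running destinations() shows the local1 message landing under bash_history rather than under a local1 directory, and the log server's own shell command getting no remote path at all.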

 

systemctl restart rsyslog //restart service

 

2. Firewall Configuration

firewall-cmd --zone=public --add-port=514/tcp

 

4. Summary

With the configuration above, the logs sent by different log clients are stored separately, so the relevant logs can be found quickly in the event of a security incident. The rsyslog server can also be configured as a relay, which is simple: configure the log server as an rsyslog client as well. The rsyslog server then keeps a local copy of the logs it receives and also forwards them, for example to audit devices or to log display platforms such as Graylog or ELK.
