Enabling Logging using rsyslog in Linux

Logging is used to track unauthorized user behavior on systems and to protect the system from malicious users or users with elevated privileges. The rsyslog package is used for logging purposes. rsyslog is a replacement for the syslogd daemon with a focus on security and reliability. It provides connection-oriented (TCP) transmission of logs, writing to databases, email alerting and encryption of log data en route to the central logging server.

Installing rsyslog

The rsyslog package is a third-party package that provides many enhancements to syslog, such as multi-threading, TCP communication, encryption, message filtering and database support.

Solution:
# yum install rsyslog

Enabling rsyslog Service

The syslog service should be turned off and the rsyslog service should be turned on.

Solution:
# chkconfig syslog off
# chkconfig rsyslog on

/etc/rsyslog.conf Configuration

The /etc/rsyslog.conf file configures the rsyslogd logging rules and which files messages are logged to.

Solution:
Modify the following lines in the /etc/rsyslog.conf file appropriately for the environment:

auth,user.* /var/log/messages
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log

Restart rsyslogd

# pkill -HUP rsyslogd

/etc/rsyslog.conf File Permissions

Create logfiles as listed in the /etc/rsyslog.conf file and set proper permissions.

Solution:
Change to the /var/log/ directory and run the following for each log file listed in /etc/rsyslog.conf (replace <logfile> with the file name):
# touch <logfile>
# chown root:root <logfile>
# chmod og-rwx <logfile>
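As an added example (not part of the original page), the script below automates the three commands above for every local file target in an rsyslog.conf: it parses the legacy "selector /path" rules, creates each file, removes all group and other permissions and, when run as root, sets root:root ownership. The embedded config text is constructed from the rules shown on this page, and the function names log_targets and secure_log_files are assumptions for the example; secure_log_files takes a directory prefix so it can be exercised under a scratch directory rather than the real /var/log.

```shell
#!/bin/sh
# Added example: create and lock down the log files named in an rsyslog.conf.
# Assumes the legacy rule syntax used on this page ("selector<space>/path");
# forwarding actions ("@host" / "@@host") are not file targets and are skipped.

# Constructed sample config, mirroring the rules from the page.
SAMPLE_CONF='auth,user.* /var/log/messages
kern.* /var/log/kern.log
daemon.* /var/log/daemon.log
syslog.* /var/log/syslog
lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log
*.* @@loghost.loghost.com'

# log_targets: read a config on stdin and print one local file target per line.
# Comment lines are dropped; only actions beginning with "/" (optionally
# prefixed with "-", which disables syncing) are kept.
log_targets() {
    grep -v '^[[:space:]]*#' |
    awk 'NF >= 2 && $2 ~ /^-?\// { sub(/^-/, "", $2); print $2 }'
}

# secure_log_files PREFIX: create every target under PREFIX (use "" for the
# real filesystem) and apply the page's chown/chmod settings.
secure_log_files() {
    prefix="$1"
    printf '%s\n' "$SAMPLE_CONF" | log_targets | while read -r f; do
        path="$prefix$f"
        mkdir -p "$(dirname "$path")"
        touch "$path"                 # create the file if it does not exist
        chmod og-rwx "$path"          # only the owner may read or write it
        if [ "$(id -u)" -eq 0 ]; then # chown requires root; skip otherwise
            chown root:root "$path"
        fi
    done
}

# Usage on a real host (as root): secure_log_files ""
```

The awk filter is what makes the script safe to run against a config that also contains the forwarding rule from later in this guide: "@@loghost.loghost.com" does not start with "/", so no stray file is created for it.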

Sending Logs to the Log Host

The logs should be sent to a remote log host to protect log integrity from local attacks.

Solution:
Edit the /etc/rsyslog.conf file, add the following line and replace loghost.loghost.com with the name of your central log host:

*.* @@loghost.loghost.com

Restart rsyslogd

# pkill -HUP rsyslogd

InputTCPServerRun Setting

The InputTCPServerRun setting instructs rsyslogd to listen on the specified TCP port. This provides protection from spoofed log data.

Solution:
On hosts that are designated as log hosts, edit the /etc/rsyslog.conf file and un-comment the lines below:

$ModLoad imtcp.so
$InputTCPServerRun 514

Restart rsyslogd service

# pkill -HUP rsyslogd
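The two settings from the last two sections are easy to get subtly wrong: a single "@" forwards over UDP instead of the TCP transport the page asks for, and the listener lines on the log host are shipped commented out. As an added example (not from the original page), the functions below audit a config for both: forwarding_mode reports whether the "*.*" rule forwards over tcp, udp or not at all, and tcp_listener_enabled checks that both imtcp lines are active. The sample configs and both function names are constructed assumptions for the example; only the legacy "$..." directive syntax used on this page is handled.

```shell
#!/bin/sh
# Added example: audit an rsyslog.conf for TCP forwarding (client side) and
# an active imtcp listener (log host side). Legacy directive syntax only.

# Constructed sample: client forwarding over UDP (single "@"), not what the page wants.
CLIENT_UDP='*.* @loghost.loghost.com'
# Constructed sample: client forwarding over TCP ("@@"), as the page recommends.
CLIENT_TCP='*.* @@loghost.loghost.com'
# Constructed sample: log host with the listener lines un-commented.
LOGHOST_CONF='$ModLoad imtcp.so
$InputTCPServerRun 514'
# Constructed sample: log host with the listener lines still commented out.
LOGHOST_DISABLED='#$ModLoad imtcp.so
#$InputTCPServerRun 514'

# forwarding_mode CONF: print "tcp", "udp" or "none" for the "*.*" forwarding rule.
forwarding_mode() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                                  # skip comments
        $1 == "*.*" && $2 ~ /^@@/    { print "tcp"; found = 1; exit }
        $1 == "*.*" && $2 ~ /^@[^@]/ { print "udp"; found = 1; exit }
        END { if (!found) print "none" }'
}

# tcp_listener_enabled CONF: succeed (exit 0) only if both the imtcp module load
# and the InputTCPServerRun port line are present and not commented out.
tcp_listener_enabled() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*\$ModLoad[[:space:]]*imtcp' &&
    printf '%s\n' "$1" | grep -q '^[[:space:]]*\$InputTCPServerRun[[:space:]]*[0-9]'
}

# Usage on a real host:
#   forwarding_mode "$(cat /etc/rsyslog.conf)"
#   tcp_listener_enabled "$(cat /etc/rsyslog.conf)" && echo "listener on"
```

Running forwarding_mode on a client config should print "tcp"; anything else means the "*.*" line is missing or still uses the UDP form. On a designated log host, tcp_listener_enabled should succeed, and after the "pkill -HUP rsyslogd" above the port from the InputTCPServerRun line should appear in the host's listening sockets.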
