Before you begin
Determine the Blumira sensor you will use as a syslog server to collect log data. On the sensor detail screen, under Host Details, copy the IP address of your Blumira sensor to use in later steps.
Configuring Linux System Logs
Check Rsyslog
Determine the version of rsyslog you’re currently using:
rsyslogd -v
If the command is not found, rsyslog is not installed. That is rare on a modern distribution, so before continuing it is worth checking how the server was built and whether it is up to date.
If you're using an apt-based distribution, such as Debian or Ubuntu, run the following:
sudo apt-get install rsyslog
If you're using a yum-based distribution, such as RHEL or CentOS, run the following:
sudo yum install rsyslog
In either case, any rsyslog version above 2.x supports the legacy $-style directives used below, so the setup process should work on your server.
Set up Rsyslog
Open or create the new Blumira configuration file for Rsyslog:
sudo vim /etc/rsyslog.d/23-blumira.conf
You can also use nano, emacs, or your preferred text editor. The file just must be located at /etc/rsyslog.d/23-blumira.conf.
Copy and paste the following content into the file:
# Setup Disk Queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName blumiraRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

# Define BluFormat for parsing
$template BluFormat,"<%pri%> BLUNIX %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Send messages to Blumira Sensor
# Be sure to change <sensor_ip> to your Sensor's IP
*.* @@<sensor_ip>:514;BluFormat

# Run the following if wanting to use local output:
# sudo touch /var/log/blumira.log && sudo chmod 640 /var/log/blumira.log && sudo chown syslog:adm /var/log/blumira.log
# *.* /var/log/blumira.log;BluFormat # Local Debugging
All that is required at this step is to change <sensor_ip> to your local Blumira Sensor's IP. Note that @@ forwards over plain TCP without TLS, so the log stream, which includes authentication events, crosses the network in clear text; keep the sensor on a trusted segment. The $ActionQueue* directives give the forwarding action a disk-backed queue, so messages are spooled under /var/spool/rsyslog rather than dropped while the sensor is unreachable; make sure that filesystem has room for the 1g limit.
If you want to test locally, run the touch/chmod/chown command from the comment first, then uncomment the last line to also write the same BluFormat output to /var/log/blumira.log. The syslog:adm owner matches Debian and Ubuntu, where rsyslog runs as the syslog user; on RHEL and CentOS rsyslog runs as root and no syslog user exists, so adjust the owner there.
Restart the Service
Restart the rsyslog service to start processing incoming data via the new configuration.
sudo /etc/init.d/rsyslog restart
or
sudo service rsyslog restart
That's all that is required to send logs to the Blumira Sensor and Platform. Because the action uses the *.* selector, Blumira ingests every message the host's rsyslog sees, including system and local authentication logs.
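To confirm what the sensor will receive, the following added example (this editor's code, not Blumira's or rsyslog's) acts as a stand-in TCP receiver and parser for lines in the BluFormat template above. Point the *.* action at a test host running it (port 514 needs root; a high port works if you change the port in the action line too), restart rsyslog, and run logger -t test hello on the sending host. The function and field names are this example's own, and the sample line is constructed from the template, not a capture.

```python
"""Stand-in receiver and parser for the BluFormat ("BLUNIX") syslog stream.

Added example, not Blumira's or rsyslog's code. It lets you point the rsyslog
action at a throwaway host and see exactly what the sensor would receive before
you commit the real sensor IP. Assumes the template from 23-blumira.conf above;
the field names used here are this example's own.
"""
import re
import socket
from dataclasses import dataclass

# Shape produced by the BluFormat template:
#   <PRI> BLUNIX <rfc3339 timestamp> <hostname> <app-name> <procid> <msgid> <msg>
BLUNIX_RE = re.compile(
    r"^<(?P<pri>\d{1,3})> BLUNIX "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+)"
    r"(?: (?P<msg>.*))?$"
)

# RFC 5424 severity codes, index = PRI & 7
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class BlunixEvent:
    facility: int
    severity: str
    timestamp: str
    host: str
    app: str
    procid: str
    msgid: str
    msg: str


def parse_blunix(line: str) -> BlunixEvent:
    """Parse one BluFormat line; raise ValueError for anything else."""
    m = BLUNIX_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a BLUNIX line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # facility 0-23 and severity 0-7 give a maximum PRI of 191
        raise ValueError(f"PRI out of range: {pri}")
    return BlunixEvent(
        facility=pri >> 3,
        severity=SEVERITY[pri & 7],
        timestamp=m["ts"], host=m["host"], app=m["app"],
        procid=m["procid"], msgid=m["msgid"], msg=m["msg"] or "",
    )


def split_frames(buf: bytes):
    """The @@ (TCP) transport delimits messages with the template's trailing
    newline. Return (complete_lines, leftover) so a partial read is kept for
    the next recv() instead of being parsed as a truncated event."""
    *lines, rest = buf.split(b"\n")
    return [ln.decode("utf-8", "replace") for ln in lines], rest


def serve(bind="0.0.0.0", port=514, max_events=10):
    """Accept one rsyslog connection, parse up to max_events lines, print and
    return them. Binding port 514 requires root."""
    events = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            buf = b""
            while len(events) < max_events:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                lines, buf = split_frames(buf + chunk)
                for line in lines:
                    try:
                        ev = parse_blunix(line)
                    except ValueError as exc:
                        print("REJECTED", exc)
                        continue
                    events.append(ev)
                    print(f"{peer[0]} fac={ev.facility} {ev.severity} "
                          f"{ev.app}[{ev.procid}] {ev.msg}")
    return events


# Constructed sample of what the template emits for an sshd login (not a capture).
# PRI 86 = facility 10 (authpriv) * 8 + severity 6 (info).
SAMPLE = ("<86> BLUNIX 2024-05-01T12:00:00.123456+00:00 web01 sshd 1234 - "
          "Accepted publickey for alice from 10.0.0.7 port 51234 ssh2\n")

if __name__ == "__main__":
    print(parse_blunix(SAMPLE))
```

A line that still arrives in the stock syslog layout (no leading PRI, no BLUNIX tag) means the action is not using the BluFormat template; check that the template is defined before the *.* line and that the ;BluFormat suffix is present.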
Additional Tweaks
Fail2Ban
Blumira recommends installing fail2ban if SSH is used on the host, even if only internally. It produces clearer failed-authentication log entries and bans brute-force sources quickly.
sudo apt-get install fail2ban
or
sudo yum install fail2ban
Copy and paste the following content into a new file, /etc/fail2ban/jail.local (settings there override jail.conf, which package upgrades can overwrite):
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
With these values a source address is banned for 3600 seconds once it produces 5 failures within any 600-second window; addresses in ignoreip are never banned. Then restart the service with the command that applies to your system.
sudo /etc/init.d/fail2ban restart
or
sudo service fail2ban restart