Before you begin

Determine the Blumira sensor you will use as a syslog server to collect log data. On the sensor detail screen, under Host Details, copy the IP address of your Blumira sensor to use in later steps.

Configuring Linux System Logs

Check Rsyslog

Determine the version of rsyslog you’re currently using:

rsyslogd -v

If the command is not found, install rsyslog on your server. This is rare on a modern distribution, so it is worth checking how current the system is and how it was installed.

If you’re using apt repo release, such as Debian or Ubuntu, run the following:

sudo apt-get install rsyslog

If you’re using yum repo release, such as RHEL or CentOS, run the following:

sudo yum install rsyslog

In either case, as long as your rsyslog version is above 2.x, the setup process below should work for your server.

Set up Rsyslog

Open or create the new Blumira configuration file for Rsyslog:

sudo vim /etc/rsyslog.d/23-blumira.conf

You can also use nano, emacs, or your preferred text editor. The file just needs to be located at /etc/rsyslog.d/23-blumira.conf.

Copy and paste the following content into the file:

# Setup Disk Queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName blumiraRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

# Define BluFormat for parsing
$template BluFormat,"<%pri%> BLUNIX %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Send messages to Blumira Sensor
# Be sure to change <sensor_ip> to your Sensor's IP
*.* @@<sensor_ip>:514;BluFormat

# Run the following if wanting to use local output:
# sudo touch /var/log/blumira.log && sudo chmod 640 /var/log/blumira.log && sudo chown syslog:adm /var/log/blumira.log
# *.* /var/log/blumira.log;BluFormat # Local Debugging

All that is required at this step is to replace <sensor_ip> with your local Blumira Sensor's IP.

If you want to test locally, uncomment the last line and run the command commented above it to create /var/log/blumira.log; the file then receives a copy of the same logs being sent to the Blumira Sensor.

Restart the Service

Restart the rsyslog service to start processing incoming data via the new configuration.

sudo /etc/init.d/rsyslog restart

or

sudo service rsyslog restart

That's all that is required to send logs to the Blumira Sensor and Platform. Because of the *.* selector in the configuration above, Blumira ingests all logs on the host, such as system and local authentication logs.
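The steps above, gathered into one script as an added example (this is not Blumira's code; the script name blumira-rsyslog.sh and the BLUMIRA_SENSOR_IP variable are assumptions): it validates the sensor IP, renders the 23-blumira.conf content with <sensor_ip> filled in, checks the file with rsyslogd's configuration test (-N1) before installing it, restarts the service, and sends a test message so you can confirm the TCP session to port 514. The rendered file carries the same directives as the configuration above, with the comments moved onto their own lines.

```shell
#!/bin/sh
# Added example (not Blumira's code): render, validate and install
# /etc/rsyslog.d/23-blumira.conf for a given sensor IP.
# Usage: BLUMIRA_SENSOR_IP=10.0.0.5 sh blumira-rsyslog.sh

# Return 0 when $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    _old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f          # split on dots, no globbing
    IFS=$_old_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case $_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Print the configuration file with <sensor_ip> replaced by $1.
# The IP is validated first, so it is safe to splice into the sed expression.
render_blumira_conf() {
    valid_ipv4 "$1" || { echo "invalid sensor IP: $1" >&2; return 1; }
    sed "s/<sensor_ip>/$1/" <<'EOF'
# Setup Disk Queues
# where to place spool files
$WorkDirectory /var/spool/rsyslog
# unique name prefix for spool files
$ActionQueueFileName blumiraRule1
# 1gb space limit (use as much as possible)
$ActionQueueMaxDiskSpace 1g
# save messages to disk on shutdown
$ActionQueueSaveOnShutdown on
# run asynchronously
$ActionQueueType LinkedList
# infinite retries if host is down
$ActionResumeRetryCount -1

# Define BluFormat for parsing
$template BluFormat,"<%pri%> BLUNIX %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Send messages to Blumira Sensor over TCP (@@)
*.* @@<sensor_ip>:514;BluFormat
EOF
}

# Ask rsyslogd to parse the file without starting (-N1). Skipped when rsyslogd
# is not installed, so the render step can still be tested on another machine.
check_rsyslog_conf() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not installed; skipping syntax check" >&2; return 0; }
    rsyslogd -N1 -f "$1"
}

if [ -n "${BLUMIRA_SENSOR_IP:-}" ]; then
    tmp=$(mktemp) || exit 1
    render_blumira_conf "$BLUMIRA_SENSOR_IP" > "$tmp" || exit 1
    check_rsyslog_conf "$tmp" || { echo "configuration rejected, not installing" >&2; exit 1; }
    sudo install -m 644 "$tmp" /etc/rsyslog.d/23-blumira.conf
    rm -f "$tmp"
    # systemd hosts first, then the SysV-style service command from the steps above.
    sudo systemctl restart rsyslog 2>/dev/null || sudo service rsyslog restart
    sleep 2
    logger -t blumira-test "test message from $(hostname)"
    # A TCP session to the sensor's port 514 should now be visible.
    ss -tn | grep ':514' || echo "no TCP session to port 514 yet; check firewall and sensor IP" >&2
fi
```

Running the script with BLUMIRA_SENSOR_IP set performs the full install; sourcing it gives you valid_ipv4 and render_blumira_conf for use elsewhere, for instance to preview the file before touching /etc/rsyslog.d.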

Additional Tweaks

Fail2Ban

Blumira recommends installing fail2ban if SSH is used on the host, even only internally. It enriches the failed-authentication logs and provides a quick automated response to brute-force attempts.

sudo apt-get install fail2ban

or

sudo yum install fail2ban

Copy and paste the following content into a new file, /etc/fail2ban/jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

Then restart the service for your version of *nix.

sudo /etc/init.d/fail2ban restart

or

sudo service fail2ban restart
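As an added example (not Blumira's or fail2ban's code), the following shell script shows what the thresholds in jail.local mean in practice: it replays constructed log lines in the BluFormat layout produced by the rsyslog template above and applies the rule fail2ban uses for the sshd jail, maxretry failures from one source within findtime seconds. The hostnames, PIDs, timestamps and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed sample data.

```shell
#!/bin/sh
# Added example (not Blumira's code): apply fail2ban-style thresholds to
# sshd lines in the BluFormat layout and list the sources that would be banned.

# Constructed sample in the layout emitted by the BluFormat template.
# 203.0.113.7 fails six times in 20 seconds; 203.0.113.9 fails five times
# spread over 20 minutes; 198.51.100.20 fails once and then logs in.
SAMPLE_LOG='<38> BLUNIX 2024-03-01T09:00:00+00:00 web01 sshd 2210 - Failed password for root from 203.0.113.9 port 50100 ssh2
<38> BLUNIX 2024-03-01T09:00:01+00:00 web01 sshd 2211 - Failed password for root from 203.0.113.7 port 40211 ssh2
<38> BLUNIX 2024-03-01T09:00:05+00:00 web01 sshd 2213 - Failed password for invalid user admin from 203.0.113.7 port 40212 ssh2
<38> BLUNIX 2024-03-01T09:00:09+00:00 web01 sshd 2215 - Failed password for invalid user oracle from 203.0.113.7 port 40213 ssh2
<38> BLUNIX 2024-03-01T09:00:13+00:00 web01 sshd 2217 - Failed password for root from 203.0.113.7 port 40214 ssh2
<38> BLUNIX 2024-03-01T09:00:17+00:00 web01 sshd 2219 - Failed password for root from 203.0.113.7 port 40215 ssh2
<38> BLUNIX 2024-03-01T09:00:21+00:00 web01 sshd 2221 - Failed password for root from 203.0.113.7 port 40216 ssh2
<38> BLUNIX 2024-03-01T09:01:00+00:00 web01 sshd 2230 - Failed password for alice from 198.51.100.20 port 38000 ssh2
<38> BLUNIX 2024-03-01T09:01:20+00:00 web01 sshd 2232 - Accepted publickey for alice from 198.51.100.20 port 38001 ssh2
<30> BLUNIX 2024-03-01T09:02:00+00:00 web01 cron 2240 - (root) CMD (run-parts /etc/cron.hourly)
<38> BLUNIX 2024-03-01T09:05:00+00:00 web01 sshd 2250 - Failed password for root from 203.0.113.9 port 50101 ssh2
<38> BLUNIX 2024-03-01T09:10:00+00:00 web01 sshd 2260 - Failed password for root from 203.0.113.9 port 50102 ssh2
<38> BLUNIX 2024-03-01T09:15:00+00:00 web01 sshd 2270 - Failed password for root from 203.0.113.9 port 50103 ssh2
<38> BLUNIX 2024-03-01T09:20:00+00:00 web01 sshd 2280 - Failed password for root from 203.0.113.9 port 50104 ssh2'

# Read BluFormat lines on stdin; print "ip count" for each source whose sshd
# failures reach $1 (maxretry) within a trailing window of $2 seconds (findtime).
# Timestamps are reduced to seconds since midnight, so this simplification does
# not handle a window that crosses midnight.
flag_brute_force() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd/ && /Failed password/ {
        # Field 3 is the RFC 3339 timestamp from %timestamp:::date-rfc3339%.
        split($3, dt, "T"); split(substr(dt[2], 1, 8), hms, ":")
        t = hms[1]*3600 + hms[2]*60 + hms[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
        if (ip == "" || banned[ip]) next
        n[ip]++; ts[ip, n[ip]] = t
        # Count this source'"'"'s failures inside the trailing findtime window.
        c = 0
        for (j = 1; j <= n[ip]; j++) if (t - ts[ip, j] <= findtime) c++
        if (c >= maxretry) { banned[ip] = 1; print ip, c }
    }'
}

# Apply the jail.local defaults (maxretry=5, findtime=600) to the sample.
scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_brute_force "$1" "$2"
}

scan_sample 5 600
```

With the values from jail.local the only source reported is 203.0.113.7, flagged on its fifth failure; 203.0.113.9 never has five failures inside any 600-second window, which is exactly why findtime matters alongside maxretry. On a live host, compare the result against `sudo fail2ban-client status sshd`, and if local output was enabled in the rsyslog configuration, the same lines can be replayed from /var/log/blumira.log.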