Collecting system log files from Linux hosts is an important step in gaining visibility into your environment. This article explains how to use rsyslog to send a host's logs to the Blumira Sensor.
This writeup should work on most reasonably modern Linux distributions. If you run into any issues, please contact [email protected] for additional help.
First, determine the version of rsyslog currently installed on the server.
If the rsyslog daemon is not installed, install it. This is fairly rare on a modern distribution, so you may want to check how up to date the server is and how it was originally set up.
If you’re using an apt-based distribution, such as Debian or Ubuntu, run the following:
sudo apt-get install rsyslog
If you’re using a yum-based distribution, such as RHEL or CentOS, run the following:
sudo yum install rsyslog
In either case, as long as your rsyslog version is newer than 2.x, the setup process below should work on your server.
Open or create the new Blumira configuration file for Rsyslog:
sudo vim /etc/rsyslog.d/23-blumira.conf
You can also use nano, emacs, or your preferred text editor. The file just needs to be located at /etc/rsyslog.d/23-blumira.conf so that rsyslog picks it up.
Copy and paste the following content into the file:
# Setup Disk Queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName blumiraRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

# Define BluFormat for parsing
$template BluFormat,"<%pri%> BLUNIX %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Send messages to Blumira Sensor
# Be sure to change <sensor_ip> to your Sensor's IP
*.* @@<sensor_ip>:514;BluFormat

# Run the following if wanting to use local output:
# sudo touch /var/log/blumira.log && sudo chmod 640 /var/log/blumira.log && sudo chown syslog:adm /var/log/blumira.log
# *.* /var/log/blumira.log;BluFormat # Local Debugging
All that is required at this step is to change <sensor_ip> to your local Blumira Sensor’s IP. The @@ prefix forwards over TCP (a single @ would use UDP), and the stream is not encrypted, so the sensor should only be reachable over a trusted network path and 514/tcp must be allowed through any host firewall between the two.
If you want to test locally, first run the touch/chmod/chown command shown in the comment so the file exists with restrictive permissions (it will contain every log line on the host, including authentication messages), then uncomment the final *.* line. The file then shows, in BluFormat, exactly what is being sent to the Blumira Sensor.
Restart the rsyslog service so it starts processing incoming data with the new configuration. Use whichever of the following applies to your init system:
sudo /etc/init.d/rsyslog restart
sudo service rsyslog restart
That’s all that’s required to send logs to the Blumira Sensor and Platform. Because the action uses the *.* selector, rsyslog forwards every facility and priority on the host, including system and local authentication messages.
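The procedure above, as an added example script that is not Blumira's or rsyslog's own tooling: it renders the 23-blumira.conf drop-in for a given sensor IP, refuses anything that is not a dotted-quad address (so nothing but an address can land in the forwarding line), parse-checks the full rsyslog configuration with rsyslogd -N1 before restarting, picks the restart command that matches the host's init system, and finally pushes a test message through logger so you can confirm it arrives at the sensor. It assumes an IPv4 sensor address, the drop-in path used in this article, and root privileges when deploy_blumira actually runs.

```shell
#!/bin/sh
# Added example (not Blumira's or rsyslog's code): deploy and verify the
# Blumira rsyslog drop-in. Assumes an IPv4 sensor address, the article's
# drop-in path, and root when deploy_blumira is called.

BLUMIRA_CONF=/etc/rsyslog.d/23-blumira.conf

# Accept only a well-formed dotted-quad so nothing other than an address
# can be substituted into the forwarding action line.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Write the drop-in to $2 with <sensor_ip> replaced by $1.
# The heredoc is quoted so the shell does not expand the $-directives.
render_blumira_conf() {
  valid_ipv4 "$1" || { echo "invalid sensor IP: $1" >&2; return 1; }
  sed "s/<sensor_ip>/$1/" > "$2" <<'EOF'
# Disk queue: spool to disk and retry forever while the sensor is unreachable
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName blumiraRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

# BluFormat: RFC 3339 timestamp plus the BLUNIX marker the sensor keys on
$template BluFormat,"<%pri%> BLUNIX %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Forward every facility and priority to the sensor over TCP (@@), port 514
*.* @@<sensor_ip>:514;BluFormat
EOF
}

# Print the installed version, then parse-check the whole configuration
# (including the new drop-in) without starting the daemon.
check_rsyslog_conf() {
  command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not found; install rsyslog first" >&2; return 1; }
  rsyslogd -v | head -n 1
  rsyslogd -N1
}

# Restart with whatever init system the host actually has.
restart_rsyslog() {
  if command -v systemctl >/dev/null 2>&1; then systemctl restart rsyslog
  elif command -v service >/dev/null 2>&1; then service rsyslog restart
  else /etc/init.d/rsyslog restart
  fi
}

# Push a message through the normal syslog path so it shows up at the sensor
# (and in /var/log/blumira.log if the local debug line is enabled).
send_test_message() {
  logger -t blumira-test -p auth.notice "Blumira forwarding test from $(hostname) at $(date +%s)"
}

deploy_blumira() {
  render_blumira_conf "$1" "$BLUMIRA_CONF" || return 1
  check_rsyslog_conf || { echo "config check failed; not restarting rsyslog" >&2; return 1; }
  restart_rsyslog && send_test_message
}

# Usage (as root): BLUMIRA_SENSOR_IP=10.0.0.5 sh deploy-blumira.sh
if [ -n "${BLUMIRA_SENSOR_IP:-}" ]; then
  deploy_blumira "$BLUMIRA_SENSOR_IP"
fi
```

The config check matters because rsyslog does not refuse to start on a bad drop-in in every version; a syntax error can silently leave the forwarding action out while the rest of logging carries on. After the restart, the blumira-test message should appear at the sensor within a few seconds; if it does not, check rsyslogd -N1 output and that 514/tcp to the sensor is open.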
Blumira recommends installing fail2ban if SSH is used on the host, even only internally. This supplements the failed-authentication logs with fail2ban’s own ban events and provides a quick, automated response to SSH brute-force attempts.
On apt-based distributions (Debian, Ubuntu):
sudo apt-get install fail2ban
On yum-based distributions (RHEL, CentOS):
sudo yum install fail2ban
Copy and paste the following content into a new file, /etc/fail2ban/jail.local. With these values, five failures from one source within 600 seconds (findtime) earn a 3600-second ban (bantime); loopback addresses are never banned.
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
Then restart fail2ban using whichever command applies to your init system:
sudo /etc/init.d/fail2ban restart
sudo service fail2ban restart
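To make the findtime/maxretry settings concrete, here is an added example that is not fail2ban's own code: a small awk model of the sshd jail's banning condition, run over constructed sample auth.log lines (not from a real host). It counts "Failed password" lines per source IP in a sliding findtime-second window and reports a source the first time it reaches maxretry, which is the condition fail2ban bans on. It assumes all sample lines fall on the same day (timestamps are reduced to seconds since midnight) and that a failure is a "Failed password" line from sshd.

```shell
#!/bin/sh
# Added example (not fail2ban's code): model the sshd jail's ban condition
# over constructed sample log lines. Assumes single-day timestamps.

# Constructed sample auth.log lines. 203.0.113.7 fails 5 times in under
# 5 minutes; 198.51.100.9 fails 5 times spread over 45 minutes.
sample_auth_log() {
cat <<'EOF'
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 10:00:10 web1 sshd[2203]: Failed password for root from 198.51.100.9 port 40222 ssh2
Mar  3 10:00:40 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 10:01:20 web1 sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 10:02:00 web1 sshd[2209]: Accepted publickey for deploy from 10.0.0.5 port 60010 ssh2: ED25519 SHA256:constructed
Mar  3 10:03:05 web1 sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Mar  3 10:04:30 web1 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar  3 10:11:00 web1 sshd[2215]: Failed password for root from 198.51.100.9 port 40223 ssh2
Mar  3 10:22:00 web1 sshd[2217]: Failed password for root from 198.51.100.9 port 40224 ssh2
Mar  3 10:33:00 web1 sshd[2219]: Failed password for root from 198.51.100.9 port 40225 ssh2
Mar  3 10:44:00 web1 sshd[2221]: Failed password for root from 198.51.100.9 port 40226 ssh2
EOF
}

# find_brute_force FINDTIME MAXRETRY < auth.log
# Prints each source IP the first time it reaches MAXRETRY failures within a
# sliding FINDTIME-second window.
find_brute_force() {
  awk -v findtime="$1" -v maxretry="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
      split($3, t, ":")
      now = t[1] * 3600 + t[2] * 60 + t[3]   # seconds since midnight
      ip = ""
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
      if (ip == "") next
      n[ip]++
      ts[ip, n[ip]] = now
      hits = 0
      for (j = 1; j <= n[ip]; j++)
        if (ts[ip, j] > now - findtime && ts[ip, j] <= now) hits++
      if (hits >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# With the jail.local values above (findtime 600, maxretry 5):
# sample_auth_log | find_brute_force 600 5   -> 203.0.113.7
```

Only 203.0.113.7 trips the jail with findtime=600: 198.51.100.9 also fails five times, but never five times inside any ten-minute window. Raising findtime to 3600 would catch both, which is the trade-off to weigh against banning a legitimate user who mistypes a password a few times over an hour. On a host with fail2ban running, fail2ban-client status sshd lists the addresses currently banned.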