Integration Details

Blumira integrates with Linux operating systems to provide automated threat detection and actionable response. Blumira supports nearly any Linux server operating systems such as:

Configuration Instructions

Collecting system log files from Linux is an important step in gaining visibility into your environment. This article explains how to leverage rsyslog to send logs to the Blumira Sensor.

Generally this writeup should work for all mostly-modern Linux operating systems.  If you have any issues, please contact [email protected] for additional help.

Configuring Linux System Logs

1) Check Rsyslog

Determine the version of rsyslog you’re currently using:

rsyslogd -v

If the command is not found, install rsyslog on your server. This is fairly rare, and you may want to check how up to date the server is and which installation method was used to set it up.

If you’re using an apt-based distribution, such as Debian or Ubuntu, run the following:

sudo apt-get install rsyslog

If you’re using a yum-based distribution, such as RHEL or CentOS, run the following:

sudo yum install rsyslog

In either case, as long as your rsyslog version is above 2.x, the setup process below should work for your server.

2) Setup Rsyslog

Open or create the new Blumira configuration file for Rsyslog:

sudo vim /etc/rsyslog.d/23-blumira.conf

You can also use nano, emacs, or your preferred text editor. The file must be located at /etc/rsyslog.d/23-blumira.conf.

Copy and paste the following content into the file:

# Setup Disk Queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName blumiraRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

# Define BluFormat for parsing
$template BluFormat,"<%pri%> BLUNIX %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

# Send messages to Blumira Sensor
# Be sure to change <sensor_ip> to your Sensor's IP
*.* @@<sensor_ip>:514;BluFormat

# Run the following if wanting to use local output:
# sudo touch /var/log/blumira.log && sudo chmod 640 /var/log/blumira.log && sudo chown syslog:adm /var/log/blumira.log
# *.* /var/log/blumira.log;BluFormat # Local Debugging

All that is required at this step is to change the <sensor_ip> to your local Blumira Sensor’s IP.

If you want to test locally, uncomment the last line and run the command in the comment above it. The same BluFormat output that is passed to the Blumira Sensor is then also written to /var/log/blumira.log, where you can view it.

3) Restart the Service

Restart the rsyslog service to start processing incoming data via the new configuration.

sudo /etc/init.d/rsyslog restart

or

sudo service rsyslog restart

4) All Set!

That’s all that’s required to send logs to the Blumira Sensor and Platform. Because of the *.* specification in the above configuration, Blumira will ingest all logs within the host, such as system and local authentication logs.
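To confirm that the local debug output in /var/log/blumira.log really follows BluFormat, and that authentication events are among the lines being forwarded, the file can be parsed and tallied by syslog facility. The Python below is an added example, not Blumira's code; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Standard syslog facility and severity names, indexed by numeric code.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# Mirrors the BluFormat template: <pri> BLUNIX timestamp host app procid msgid msg
BLU_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})> BLUNIX (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ?(?P<msg>.*)$"
)

def parse_blu_line(line):
    """Return a dict of fields for one BluFormat line, or None if malformed."""
    m = BLU_LINE.match(line.rstrip("\n"))
    if not m or int(m["pri"]) > 191:  # max PRI: facility 23, severity 7
        return None
    try:
        when = datetime.fromisoformat(m["timestamp"])  # date-rfc3339 output
    except ValueError:
        return None
    pri = int(m["pri"])  # PRI = facility * 8 + severity
    return dict(m.groupdict(), pri=pri, timestamp=when,
                facility=FACILITIES[pri >> 3], severity=SEVERITIES[pri & 7])

def summarize(lines):
    """Count events per facility and collect 1-based numbers of malformed lines."""
    per_facility, malformed = Counter(), []
    for number, line in enumerate(lines, start=1):
        event = parse_blu_line(line)
        if event is None:
            malformed.append(number)
        else:
            per_facility[event["facility"]] += 1
    return per_facility, malformed

# Constructed sample lines in the shape BluFormat produces (not real logs).
SAMPLE = [
    "<86> BLUNIX 2024-05-01T12:34:56.123456+00:00 web01 sshd 1234 - Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2",
    "<78> BLUNIX 2024-05-01T12:35:01.000201+00:00 web01 CRON 2210 - (root) CMD (run-parts /etc/cron.hourly)",
    "May  1 12:35:02 web01 sshd[1234]: line written with the default template",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On a real host, pass the open file object for /var/log/blumira.log to summarize(); a zero count for auth and authpriv after an SSH login attempt, or any malformed line numbers, means the configuration is not being applied as intended.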

Additional Tweaks

Fail2Ban

Blumira recommends installing fail2ban if SSH is being utilized on the host, even internally. This further enhances failed auth logs and provides a quick response against brute-force attempts.

sudo apt-get install fail2ban

or

sudo yum install fail2ban

Copy and paste the following content into a new file, /etc/fail2ban/jail.local:

[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
bantime = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true

Then restart the service for your version of *nix.

sudo /etc/init.d/fail2ban restart

or

sudo service fail2ban restart