Hands-on lab – setting up a basic log server

Setting up the server is identical on Ubuntu and CentOS. There's only one minor difference in setting up the clients. For best results, ensure that the server VM and the client VM each have a different hostname:

  1. On the log-collecting server VM, open the /etc/rsyslog.conf file in your favorite text editor and look for these lines, which are near the top of the file:

     # Provides TCP syslog reception
     #module(load="imtcp") # needs to be done just once
     #input(type="imtcp" port="514")

  2. Uncomment the bottom two lines and save the file. The stanza should now look like this:

     # Provides TCP syslog reception
     module(load="imtcp") # needs to be done just once
     input(type="imtcp" port="514")

  3. Restart the rsyslog daemon:

     sudo systemctl restart rsyslog

  4. If the machine has an active firewall, open port 514/tcp.
  5. Next, configure the client machines. For Ubuntu, add the following line to the bottom of the /etc/rsyslog.conf file, substituting the IP address of your own server VM (the *.* selector forwards every facility and priority, and the double @@ selects TCP rather than UDP):

     *.* @@192.168.0.161:514

     For CentOS, look for this stanza at the bottom of the /etc/rsyslog.conf file:

     # ### sample forwarding rule ###
     #action(type="omfwd"
     # An on-disk queue is created for this action. If the remote host is
     # down, messages are spooled to disk and sent when it is up again.
     #queue.filename="fwdRule1" # unique name prefix for spool files
     #queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
     #queue.saveonshutdown="on" # save messages to disk on shutdown
     #queue.type="LinkedList" # run asynchronously
     #action.resumeRetryCount="-1" # infinite retries if host is down
     # Remote Logging (we use TCP for reliable delivery)
     # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
     #Target="remote_host" Port="XXX" Protocol="tcp"

     Remove the leading # from every line that is a configuration directive rather than a descriptive comment, and fill in the IP address and port number of the log server VM. The finished product should look like this:

     # ### sample forwarding rule ###
     action(type="omfwd"
     # An on-disk queue is created for this action. If the remote host is
     # down, messages are spooled to disk and sent when it is up again.
     queue.filename="fwdRule1" # unique name prefix for spool files
     queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
     queue.saveonshutdown="on" # save messages to disk on shutdown
     queue.type="LinkedList" # run asynchronously
     action.resumeRetryCount="-1" # infinite retries if host is down
     # Remote Logging (we use TCP for reliable delivery)
     # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
     Target="192.168.0.161" Port="514" Protocol="tcp")

  6. Save the file and then restart the rsyslog daemon.
  7. On the server VM, verify that messages from both the server VM and the client VM are getting sent to the log files. (You can tell by the different hostnames on the different messages.)
  8. This is the end of the lab.
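To make the verification step less of an eyeball exercise, here is an added helper (not from the book) that parses a collected log file in rsyslog's default file format and reports which expected hostnames have sent messages and which are silent. The hostnames logserver and client1, the script name and the sample lines are constructed for the example.

```python
"""Check that a collected syslog file contains messages from every expected host."""
import re
import sys
from collections import Counter

# rsyslog's default file layout (RSYSLOG_TraditionalFileFormat):
#   "Mon DD HH:MM:SS hostname tag[pid]: message"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?'
    r'(?P<msg>.*)$'
)

# Constructed sample lines; the hostnames logserver/client1 are assumptions.
SAMPLE = [
    'Mar  7 10:15:01 logserver rsyslogd: [origin software="rsyslogd"] start',
    'Mar  7 10:15:22 client1 systemd[1]: Started Session 3 of user donnie.',
    'Mar  7 10:15:30 client1 sudo:   donnie : TTY=pts/0 ; COMMAND=/bin/systemctl restart rsyslog',
    'Mar  7 10:16:02 logserver CRON[2049]: (root) CMD (run-parts /etc/cron.hourly)',
    'this line is not in syslog format and is skipped',
]

def parse_line(line):
    """Return the fields of one syslog line, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None

def hosts_seen(lines):
    """Count well-formed messages per originating hostname."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[rec['host']] += 1
    return counts

def missing_hosts(lines, expected):
    """Expected hostnames (e.g. server and client VM) that logged nothing."""
    seen = hosts_seen(lines)
    return sorted(h for h in expected if seen[h] == 0)

if __name__ == '__main__':
    # Usage: python3 check_hosts.py /var/log/syslog logserver client1
    path, expected = sys.argv[1], sys.argv[2:]
    with open(path, errors='replace') as fh:
        lines = fh.readlines()
    for host, n in sorted(hosts_seen(lines).items()):
        print(f'{host}: {n} messages')
    gap = missing_hosts(lines, expected)
    print('missing hosts:', ', '.join(gap) if gap else 'none')
```

On CentOS the collected file is /var/log/messages rather than /var/log/syslog; a client that appears under "missing hosts" usually means the forwarding rule was not uncommented correctly or port 514/tcp is still blocked.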

As cool as this is, there are still a couple of flaws with the setup. One is that we're using a non-encrypted, plaintext connection to send the log files to the server. Let's fix that.
