Sending Linux system log (syslogd) events to a remote server.
Procedure
- Open a command window.
Note: The Shell window can only be launched when the EA3 user is included in the authorized EA3 group. Users not in this EA3 group will not have access to launch the Shell window. If you are not logged on as the proper logon user, log out and then log back on as the correct EA3 user with the authorized permissions.
- Switch to the root user. Run the
su - command. - Activate remote system logging. Run the
rsyslogclient -s 1.2.3.4 command, replacing 1.2.3.4 with the remote system address:
Note: This configuration script defaults to send logs to the TCP server on port 514. To see other options rsyslogclient -h.
- If a Linux rsyslog server is not configured, add the following lines to the receiving system /etc/rsyslog.conf:
$ModLoad imtcp
$InputTCPServerRun 514
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
The following command can be executed as root on the system intended to receive the logs files:
grep -iE '^\$.*...ServerRun' /etc/rsyslog.conf || echo -e '$ModLoad imtcp\n$InputTCPServerRun 514\n$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"\n*.* ?FILENAME' >> /etc/rsyslog.confNote: If a port other than 514 is used for remote syslog, a corresponding modification to the firewall rule configuration is required. The firewall is configured by default to allow only certain outbound destination ports.
The file to modify is /usr/share/gehc_security/pnf/modality.sh. It contains instructions and standard iptables commands. Specific to syslog, modify the following lines in that file.
# Below for remote syslog
$IPTABLES -A OUTPUT -p udp -m udp --dport 514 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 514 -j ACCEPT
