====Install OS and Packages=====

  * Install CentOS 8 minimal with a network card for each LAN/VLAN, set static IPs, have 100GB space available; 1-2GB RAM is fine for smaller networks (example PFSense and Untangle sending syslog on 120 user network used only 100MB RAM).
  * Install/enable epel repo <code>sudo dnf install epel-release</code>
  * Install syslog-ng and vim (cause you know it's da BEST!) <code>sudo dnf install syslog-ng vim logrotate bzip2</code>
  * Enable and start syslog-ng <code>sudo systemctl enable syslog-ng && sudo systemctl start syslog-ng</code>
  * Disable the gateway on all but one of your ifcfg-ethX devices, probably leave the one that can route to multiple networks with the gateway enabled (e.g a management LAN will typically only be accessible by and have access to a single subnet so no routing is needed).

https://github.com/syslog-ng/syslog-ng/issues/2667 \\
You may need to fix syslog-ng's systemd service file as it fails to start after a reboot because the network isn't ready.
<code>
sudo vim /usr/lib/systemd/system/syslog-ng.service
</code>
Add the following under [Unit]
<code>
Wants=network.target network-online.target
After=network.target network-online.target
</code>
Reload the deamon
<code>
sudo systemctl daemon-reload
</code>


====Configure syslog-ng to receive logs====
https://www.linuxjournal.com/content/creating-centralized-syslog-server \\
https://community.spiceworks.com/topic/2084362-syslog-ng-for-multiple-sources \\
https://www.rfaircloth.com/tags/syslog-ng/ \\
https://lists.balabit.hu/pipermail/syslog-ng/2014-March/021290.html \\
http://monitoringartist.github.io/community.zenoss.org/message/48987.html

  * Edit syslog-ng config file <code> sudo vim /etc/syslog-ng/conf.d/remote.devices.conf</code>
  * Add the content below (I prefer TCP since I want to make sure I have all logs files where UDP could miss a few). This accepts tcp/udp on the default ports and uses filters to output to different logs files based on hostname/ip address (note: some devices send IP address for some data and their hostname for other, PFSense has done this so I like both variables included).There is also a filter that will exclude all other filtered hosts so that any unknown items will get logged to the unknown log...<code>
### Accept connections from tcp/upd
source s_network_a {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(5000));
};


### Filters to separate logs by ip/host and a filter to catch all that don't match
filter f_ht49_langw_haddentech_com { netmask("172.21.49.1/32"); or host("ht49-langw.haddentech.com"); };
filter f_ht49_wangw_haddentech_com { netmask("172.21.49.2/32"); or host("ht49-wangw.haddentech.com"); };
filter f_unknown { not ( netmask("172.21.49.1/32") or netmask("172.21.49.2/32") or host("ht49-langw.haddentech.com") or host("ht49-wangw.haddentech.com") ); };

### Destinations for to keep a local copy and send them on further. Note the SIEM/OSSIM destination has spoof_source(yes) otherwise the SIEM will log it under the syslog servers IP.
destination d_ossim { udp("172.18.18.40" spoof_source(yes)); };
destination d_ht49_langw_haddentech_com { file("/var/log/remote/ht49-langw.haddentech.com.log"); };
destination d_ht49_wangw_haddentech_com { file("/var/log/remote/ht49-wangw.haddentech.com.log"); };
destination d_unknown { file("/var/log/remote/unknown.log"); };

### And it all comes together...
log { source(s_network_a); filter(f_ht49_langw_haddentech_com); destination(d_ht49_langw_haddentech_com); destination(d_ossim); };
log { source(s_network_a); filter(f_ht49_wangw_haddentech_com); destination(d_ht49_wangw_haddentech_com); destination(d_ossim); };
log { source(s_network_a); filter(f_unknown); destination(d_unknown); destination(d_ossim); };

</code>

  * Add the remote folder to /var/log <code>sudo mkdir /var/log/remote</code>
  * Restart syslog-ng <code>sudo systemctl restart syslog-ng</code>
  * Add firewall rule to allow log traffic in and reload firewalld <code>
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --permanent --add-port=514/udp
sudo firewall-cmd --reload
</code>

====SELinux Steps====
If you need to use non-standard ports or need to troubleshoot or use semanage to make a rule here is an example of what to do:
<code>
sudo dnf install policycoreutils-python
sudo semanage port -a -t syslogd_port_t -p tcp 8100
sudo semanage port -a -t syslogd_port_t -p udp 8100
sudo semanage fcontext -a -t var_log_t /var/splunk-syslog
sudo restorecon -v '/var/splunk-syslog'
sudo logger -d -P 8100 -n 127.0.0.1 -p 1 "test2"
sudo cd /root
sudo mkdir selinux
sudo cd selinux
sudo audit2allow -M syslog-ng-modified -l -i /var/log/audit/audit.log
#verify the file does not contain anything no related to syslog
sudo vim syslog-ng-modified.te
sudo semodule -i syslog-ng-modified.pp
</code>

====Logrotate====
http://danielsokolowski.blogspot.com/2012/09/maximum-logrotate-compression-with-bzip2.html

  * Create logrotate configuration <code>sudo vim /etc/logrotate.d/remote</code>
  * Add the following to enable bzip2 compression since I plan on holding onto logs for 390 days, rotate 900 is so that if logs get big and are rotated more than once a day I'll still have them for over a year... <code>
/var/log/remote/*.log {
    daily
    create 0644 root root
    rotate 900
    maxage 395
    maxsize 100M
    dateext
    dateformat -%Y-%m-%d_%s
    notifempty
    compress
    compresscmd /bin/bzip2
    uncompresscmd /bin/bunzip2
    compressoptions -9
    compressext .bz2
    copytruncate
}
</code>
Note: Logrotate runs once daily by default, if your logs are getting too big before days end then you'll want to increase the frequency that logrotate runs.