tech_documents:security:syslog-ng_centos7

Install OS and Packages

  • Install CentOS 7 minimal with 2 network cards (for different LANs/VLANs), set static IPs, have 100GB space available; 1-2GB RAM is fine for smaller networks (example PFSense and Untangle sending syslog on 120 user network used only 100MB RAM).
  • Uninstall rsyslog 
    yum remove rsyslog
  • Install/enable epel repo 
    yum install epel-release
  • Install syslog-ng and vim (cause you know it's da BEST!) 
    yum install syslog-ng vim logrotate bzip2
  • Enable and start syslog-ng 
    systemctl enable syslog-ng && systemctl start syslog-ng
  • Disable the gateway on all but one of your ifcfg-ethX devices, probably leave the one that can route to multiple networks with the gateway enabled (e.g a management LAN will typically only be accessible by and have access to a single subnet so no routing is needed).

Configure syslog-ng to receive logs

https://www.linuxjournal.com/content/creating-centralized-syslog-server
https://community.spiceworks.com/topic/2084362-syslog-ng-for-multiple-sources
https://www.rfaircloth.com/tags/syslog-ng/
https://lists.balabit.hu/pipermail/syslog-ng/2014-March/021290.html
http://monitoringartist.github.io/community.zenoss.org/message/48987.html

  • Edit syslog-ng config file 
    vim /etc/syslog-ng/conf.d/remote.devices.conf
  • Add the content below (I prefer TCP since I want to make sure I have all logs files where UDP could miss a few). This accepts tcp/udp on the default ports and uses filters to output to different logs files based on hostname/ip address (note: some devices send IP address for some data and their hostname for other, PFSense has done this so I like both variables included).There is also a filter that will exclude all other filtered hosts so that any unknown items will get logged to the unknown log…
    ### Accept connections from tcp/upd
source s_network_a {tcp(max-connections(5000)); udp (); };

### Filters to separate logs by ip/host and a filter to catch all that don't match
filter f_bredband_webermotors_local { netmask("10.222.190.229/32"); or host("bredband.webermotors.local"); };
filter f_gw01_nytnetwork_com { netmask("172.18.18.1/32"); or host("gw01.nytnetwork.com"); };
filter f_unknown { not ( netmask("10.222.190.229/32") or netmask("172.18.18.1/32") or host("gw01.nytnetwork.com") ); };

### Destinations for to keep a local copy and send them on further. Note the SIEM/OSSIM destination has spoof_source(yes) otherwise the SIEM will log it under the syslog servers IP.
destination d_ossim { udp("172.18.18.40" spoof_source(yes)); };
destination d_bredband_webermotors_local { file("/var/log/remote/bredband.webermotors.local.log"); };
destination d_gw01_nytnetwork_com { file("/var/log/remote/gw01.nytnetwork.com.log"); };
destination d_unknown { file("/var/log/remote/unknown.log"); };

### And it all comes together...
log { source(s_network_a); filter(f_bredband_webermotors_local); destination(d_bredband_webermotors_local); destination(d_ossim); };
log { source(s_network_a); filter(f_gw01_nytnetwork_com); destination(d_gw01_nytnetwork_com); };
log { source(s_network_a); filter(f_unknown); destination(d_unknown); };
  • Add the remote folder to /var/log 
    mkdir /var/log/remote
  • Restart syslog-ng 
    systemctl restart syslog-ng
  • Add firewall rule to allow log traffic in and reload firewalld 
    firewall-cmd --add-port=514/tcp
firewall-cmd --add-port=514/udp
firewall-cmd --reload

SELinux Steps

If you need to use non-standard ports or need to troubleshoot or use semanage to make a rule here is an example of what to do: 

yum install policycoreutils-python
semanage port -a -t syslogd_port_t -p tcp 8100
semanage port -a -t syslogd_port_t -p udp 8100
semanage fcontext -a -t var_log_t /var/splunk-syslog
restorecon -v '/var/splunk-syslog'
logger -d -P 8100 -n 127.0.0.1 -p 1 "test2"
cd /root
mkdir selinux
cd selinux
audit2allow -M syslog-ng-modified -l -i /var/log/audit/audit.log
#verify the file does not contain anything no related to syslog
vim syslog-ng-modified.te
semodule -i syslog-ng-modified.pp

Logrotate

http://danielsokolowski.blogspot.com/2012/09/maximum-logrotate-compression-with-bzip2.html

  • Edit logrotate configuration 
    vim /etc/logrotate.conf
  • Add the following to enable bzip2 compression since I plan on holding onto logs for 75 weeks… 
    # uncomment this if you want your log files compressed
compress
#
# use bzip2 whith higher compression than gzip
compresscmd /bin/bzip2
uncompresscmd /bin/bunzip2
compressoptions -9
compressext .bz2
  • Change the follow options to keep logs longer and make them more available before compression 
    # rotate log files weekly
weekly

# keep 75 weeks worth of backlogs
rotate 75
  • tech_documents/security/syslog-ng_centos7.txt
  • Last modified: 2022/01/12 06:07
  • by jacob.hydeman