Wednesday, 25 January 2017

How to forward logs from centralized Syslog to Graylog step by step

There is a widespread recommendation, for example in https://opsbot.com/building-out-your-graylog2-environment/:
"If possible, have all of your devices log to a centralized syslog server. This centralized server can store logs in a flat log file format and then forward logs over to the Graylog2 servers."
but nobody tells you how to create a centralized Syslog server which then forwards the logs to Graylog. Maybe it is considered very easy. Yes, it is easy once you know what to do. So, to reduce the number of servers, it was decided to keep both on one server: the centralized Syslog and the centralized Graylog. After some investigation I found that every syslog input is also written to the syslog file, so why reinvent the wheel when it has already been invented.

I have the graylog2 OVA already installed; it uses port 514 for its syslog input, so I decided to use port 5514 to send all logs to the Rsyslog server and then forward them to the Graylog server. https://packages.graylog2.org/appliances/ova is a great server with great documentation!

Receive log files to Rsyslog and forward further to Graylog

In the file /etc/rsyslog.conf, uncomment and modify the following:
sudo nano /etc/rsyslog.conf

# provides UDP syslog reception on port 5514 (the Graylog input already owns 514)
$ModLoad imudp
$UDPServerRun 5514

# forward every received message to the Graylog syslog input
*.* @localhost:514

Instead of localhost you can give another server name, for example *.* @192.168.101.112:514 (a single @ forwards over UDP, @@ would use TCP).
Save and close the file (press Ctrl-X, then Y).

Keeping log files safe

Then you can simply rename and copy the gz files somewhere else. In my case the log files grow big, and it was decided to compress them with 7-Zip instead, because they will be analyzed later on a Windows machine.

sudo apt-get install p7zip

To create a 7z archive instead of the gz file, create the script:
touch /etc/cron.daily/movesyslog1.sh
sudo nano /etc/cron.daily/movesyslog1.sh

#!/bin/sh
# name the archive after yesterday's date, e.g. syslog-20170124.log
bfile=syslog-$(date --date="1 days ago" +"%Y%m%d").log
# move the rotated file to the archive disk ...
mv /var/log/syslog.1 /some/disk/$bfile
# ... and compress it there; p7zip replaces $bfile with $bfile.7z
p7zip /some/disk/$bfile

Where /some/disk is the disk where you want to keep your log files.
With mv you can move the files wherever you want.
The script replaces the syslog.1 file with syslog-date.log.7z.
It is possible to use the built-in syslog rotation to keep n files, but due to the lack of documentation about syslog rotation it was easier for me to write my own script. As you noticed, files are only ever written, so at some point you will want to remove old ones. For example, to remove log files older than 6 months, add these lines to the end of movesyslog1.sh:
# archive written 180 days ago, e.g. syslog-20160729.log.7z
rfile=syslog-$(date --date="180 days ago" +"%Y%m%d").log.7z
rm -f /some/disk/$rfile

Make the script executable and register it in cron (as root, because it moves files in /var/log):
sudo chmod +x /etc/cron.daily/movesyslog1.sh
crontab -e
This line will execute the shell script every morning at 6:16 AM.

16 6 * * * /etc/cron.daily/movesyslog1.sh

Send log files from Ubuntu to a Windows hidden share

I assume you have created the hidden share syslog$ on the server STORE.
Before running the script you have to install the CIFS utilities:
sudo apt-get install cifs-utils
My script to save the archive on the remote Windows server looks like this:

#!/bin/sh
# single quotes are required: otherwise the shell expands $ymbols and the password is mangled
pass='s@me#weird$ymbols'
mount -t cifs -o domain=domainname,username=Syslog,password="$pass" //STORE.domainname.local/syslog\$ /mnt/storage
bfile=syslog-$(date --date="1 days ago" +"%Y%m%d").log
# copy instead of move, so the local syslog.1 stays intact
cp /var/log/syslog.1 /var/log/$bfile
p7zip /var/log/$bfile
cp /var/log/$bfile.7z /mnt/storage/
umount /mnt/storage

rm -f /var/log/$bfile.7z

In this case the local syslog files stay intact. Since the share password is stored in the script, keep the script readable by root only (chmod 700).
[Image: syslog files to Windows archive]
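As an added example, not the post's own script: one consolidated cron job that combines movesyslog1.sh and the CIFS script above. The share password comes from a root-only credentials file through the mount.cifs credentials= option rather than a variable in the script, every path is quoted, and old archives are expired by age instead of by exact file name. The archive directory, the credentials file path and the run argument are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. Placeholders: ARCHIVE_DIR, CREDS.
set -eu

LOG_DIR=/var/log
ARCHIVE_DIR=/some/disk                    # placeholder from the post
RETENTION_DAYS=180
MOUNT_POINT=/mnt/storage
SHARE='//STORE.domainname.local/syslog$'  # single quotes keep the $ literal
CREDS=/etc/syslog-archive.cred            # assumed path; lines: username=, password=, domain=

# Archive file name for N days back (1 = yesterday), e.g. syslog-20170124.log
archive_name() {
    printf 'syslog-%s.log' "$(date --date="$1 days ago" +%Y%m%d)"
}

# Refuse a credentials file that other users can read (must be mode 0600).
creds_are_private() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = "600" ]
}

# Delete archives older than $2 days from directory $1. Selecting by mtime
# rather than by exact file name also cleans up days the job did not run.
expire_old_archives() {
    find "$1" -maxdepth 1 -type f -name 'syslog-*.log.7z' -mtime +"$2" -delete
}

# Move yesterday's rotated syslog.1 to the archive disk, compress it there,
# push the .7z to the Windows share and expire old local archives. Needs root.
archive_syslog() {
    bfile=$(archive_name 1)
    creds_are_private "$CREDS" || { echo "$CREDS must be root-only, mode 0600" >&2; return 1; }
    mv "$LOG_DIR/syslog.1" "$ARCHIVE_DIR/$bfile"
    p7zip "$ARCHIVE_DIR/$bfile"            # replaces $bfile with $bfile.7z
    mount -t cifs -o "credentials=$CREDS" "$SHARE" "$MOUNT_POINT"
    cp "$ARCHIVE_DIR/$bfile.7z" "$MOUNT_POINT/"
    umount "$MOUNT_POINT"
    expire_old_archives "$ARCHIVE_DIR" "$RETENTION_DAYS"
}

# cron line: 16 6 * * * /etc/cron.daily/syslog-archive.sh run
if [ "${1:-}" = run ]; then
    archive_syslog
fi
```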

Secure Graylog to use port 443 and a SHA-2 certificate

cd /opt/graylog/conf/nginx/ca

# self-signed certificate, valid 10 years, signed with SHA-256 instead of the default SHA-1
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout key.pem -out cert.pem

Fill in the required certificate fields. Then put the new certificate and key in place of the autogenerated ones:

mv cert.pem graylog.crt

mv key.pem graylog.key

graylog-ctl require-ssl

graylog-ctl reconfigure
