
I encountered a problem while doing remote logging with syslog on ClearOS. Here are some things that I have done on ClearOS:
- Enabling syslog over UDP in /etc/rsyslog.conf:
  $ModLoad imudp
  $UDPServerRun 514

- Adding a remote host for syslog in /etc/rsyslog.conf:
  *.* @10.10.11.160:514
- Allowing connections on port 514 with the UDP protocol under Network > Firewall > Incoming Firewall

Here is what I have done on the monitoring station (in this case I use Splunk with IP address 10.10.11.160):
- Adding a data input on port 514

I want the logs from ClearOS to be sent to Splunk, especially the snort log. In Reports > Log Viewer > Logfile > snort / syslog, I get the attack information normally. But when I view it through Splunk, the results are as in the attached screenshot.


Can anyone help me?
Friday, June 05 2020, 09:39 AM
Responses (4)
  • Friday, June 05 2020, 04:38 PM

    Alphabetically the file should come before snort.conf. I put my custom configs in a file /etc/rsyslog.d/_messages-filter.conf, so it is always first.

    The programname is the process name before the process number in the [] in the logs, so if the log line says:
      May 31 06:56:20 server netifyd[31169]: nd-conntrack: [U:3005156800] Digest not found in flow map.
    the programname would be netifyd.

    Apache conf files are under /etc/http.d/, mainly in /etc/http.d/conf.d. The conf file you found is for the webconfig.
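An added worked example of the filter file suggested in the answer above. It is editor-supplied, not configuration from the thread, from ClearOS or from Splunk, and it assumes rsyslog 7 or later (RainerScript syntax) and that /etc/rsyslog.conf contains `$IncludeConfig /etc/rsyslog.d/*.conf`. The file name, the snort program name and the Splunk address 10.10.11.160:514 are the ones used in the thread.

```rsyslog
# /etc/rsyslog.d/_messages-filter.conf
# Editor-supplied example, not from the thread. The leading underscore sorts
# this file before every other file in /etc/rsyslog.d, so rsyslog evaluates
# its rules before snort.conf or any other drop-in.

# $programname is the syslog tag with the [pid] stripped: "snort[1234]:" -> "snort".
if $programname == 'snort' then {
    # Forward to the Splunk UDP input. protocol="udp" is the same as the "@"
    # shorthand of the legacy line:  if $programname == 'snort' then @10.10.11.160:514
    action(type="omfwd" target="10.10.11.160" port="514" protocol="udp")

    # Stop processing this message here, so a later catch-all rule such as
    # "*.* @10.10.11.160:514" in rsyslog.conf does not forward it a second time.
    stop
}

# Everything that is not snort falls through to the rules that follow
# (the local log files in rsyslog.conf and any other file in /etc/rsyslog.d).
```

Check the file with `rsyslogd -N1` before restarting the service. Two things decide whether this really "fires first": the `$IncludeConfig /etc/rsyslog.d/*.conf` line in /etc/rsyslog.conf has to come before the catch-all `*.*` forwarding line, otherwise the catch-all runs first no matter how the drop-in files are named; and once that `*.*` line is removed, only snort messages leave the box. The sending side does not need `$ModLoad imudp`, `$UDPServerRun 514` or an incoming firewall rule for 514: those turn ClearOS into a syslog listener, which is the job of the Splunk host. UDP syslog is unauthenticated and can be spoofed or silently dropped, so for a detection feed prefer `protocol="tcp"` with a TCP input on the Splunk side, or TLS through rsyslog's gtls network stream driver.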
  • Friday, June 05 2020, 03:12 PM

    Thank you for the reply. I want to ask about '$programname': what program is meant there? I learned that all configuration files are read from /etc/rsyslog.d/*.conf; do you mean that I have to create a new .conf file that contains this code?
      if $programname == 'snort' then @10.10.11.160:514

    And again, how do I make it fire before any other snort filter?

    Besides, where is the httpd.conf on ClearOS that is used to send Apache and Nginx logs to a remote log server? I found one at /usr/clearos/sandbox/etc/httpd/conf/httpd.conf. Is that correct?

    Sorry for asking so many questions. Once again, thank you very much for your response.
  • Friday, June 05 2020, 12:08 PM

    Looking at https://www.tecmint.com/setup-rsyslog-client-to-send-logs-to-rsyslog-server-in-centos-7/, I suspect you are forwarding everything to your logging server. Somehow you need to filter it. Would a line like:
      if $programname == 'snort' then @10.10.11.160:514
    work? I would put it in a separate conf file in /etc/rsyslog.d, and it may need to fire before any other snort filter there.
  • Friday, June 05 2020, 10:01 AM

    Just a correction: the sourcetype in the screenshot above says 'pfsense' because I used the pfSense firewall before and don't use it anymore. Now I use ClearOS, but the sourcetype in Splunk hasn't been changed.