Analyzing syslogs generated by the Linux/Unix systems and other network devices is one of the important activities of a security admin. To perform this efficiently, admins often centralize the syslog collection. This document elaborates the steps to configure a CentOS system as a centralized rsyslog collection server.
$ systemctl status rsyslog
$ sudo yum install rsyslog.
To receive syslogs from other devices over UDP and TCP protocol, you need to uncomment the appropriate lines in /etc/rsyslog.conf to enable TCP and UDP connections,
module(load="imudp") #needs to be done just once
module(load="imtcp") #needs to be done just once
Note: Port 514 is the default port of UDP and TCP. At anytime, you can change this port number.
Save the configuration and exit.
$ sudo firewall-cmd --add-port=514/tcp --zone=public --permanent
$ sudo firewall-cmd --reload
$ sudo netstat -pnltu
You have successfully configured the centralized Syslog collection server that runs on CentOS. To view the logs collected in real time, run the following command in your rsyslog server:
$ tail -f var/log/messages.
It is essential to monitor syslog files as they can provide valuable insights about network activities. They can provide all information on any event, like the IP involved, the timestamp of the event, the activity carried out and critical changes made to any system. Manually monitoring rsyslog files can be tedious and ineffective in terms of analyzing the syslogs. Monitoring the rsyslog files using a log management solution can provide in-depth analysis of your logs.
EventLog Analyzer, an effective log management solution, can collect, parse, index and analyze the voluminous rsyslog data and generate intuitive reports. Any malicious activity will be flagged as a threat and a real-time alert can be raised via SMS/email to notify IT security admins of an impending attack.
Zoho Corporation Pvt. Ltd. All rights reserved.