Syslog Logging

Syslog is a protocol that devices often use to transport or send events, such as log data, to a central location. You can learn more about syslog here: https://datatracker.ietf.org/doc/html/rfc5424

This topic details how to send logs to a Rapid7 Collector from a Linux host using common syslog applications, syslog-ng and rsyslog. When you configure either of these tools, you must use a transport protocol such as TCP or UDP to send logs to a Rapid7 Collector. While this topic provides the basic steps to configure the tools to send logs to a Rapid7 Collector, there are many variations of these tools. Refer to the specific documentation for your Linux operating system for more information.

You also have the option to use secure syslog, which encrypts the logs.

In addition to secure syslog logging, there are other types you can use to send data:

Configure Syslog-ng for the Collector

Syslog-ng is an open source implementation that extends the basic syslog protocol. View the syslog-ng technical documentation at: https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition/

Read more about syslog-ng at: https://www.syslog-ng.com/

Several steps in the following instructions mention the "superuser" permission. You must have superuser permissions to install syslog-ng; however, you can configure and run syslog-ng as a regular user by following the syslog-ng documentation at: https://www.syslog-ng.com/syslog-ng-faq/

To configure syslog-ng for the Collector:

  1. As a superuser, stop syslog-ng if it is running by using this command: systemctl stop syslog-ng
  2. As a superuser, edit the file /etc/syslog-ng/syslog-ng.conf
  3. Replace the example provided with either the TCP or UDP configuration sample, depending on which protocol you’re using.
  4. Update the syslog or network line with your Collector’s IP address, or if you are using an internal DNS, use the hostname/FQDN.
  5. Update the port with the port that your Collector uses to listen for syslog events.
  6. Set the version number in the @version: line to your installed syslog-ng version number.
    • To obtain the version number, run this command: /opt/syslog-ng/sbin/syslog-ng --version
  7. As a superuser, start syslog-ng by using this command: systemctl start syslog-ng

Configure rsyslog for the Collector

rsyslog, or "rocket-fast system for log processing," is an open source project with the goal of building a faster and more flexible syslog implementation. Read more about rsyslog here: https://www.rsyslog.com.

Some systems require that you configure rsyslog to send logs directly to the InsightIDR collector.

To send logs directly to the collector:

  1. As superuser, edit the file /etc/rsyslog.conf
  2. If you want to send logs using TCP, add the following lines to the end of the file:

# Send logs to the InsightIDR Collector
*.* @@Collector IP:Port

  3. If you want to send logs using UDP, add the following lines to the end of the file:

# Send logs to the InsightIDR Collector
*.* @Collector IP:Port

  4. In a terminal window, restart rsyslog with the following command: sudo service rsyslog restart
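After configuring either syslog-ng or rsyslog as described above, it helps to confirm that the chosen transport and port actually deliver a message before trusting the pipeline with real events. The following script is an added example and is not part of this documentation or of Rapid7's software: it builds an RFC 5424 message, sends it over TCP using both framing styles from RFC 6587 (octet-counting, which the syslog-ng syslog() driver uses, and newline-delimited, which rsyslog uses by default for @@ targets) and over UDP, to a small local listener on 127.0.0.1 that stands in for the Collector. The hostname, application name, message text and timestamp are constructed sample values, and the listener ports are chosen at run time; a real check would point send_tcp or send_udp at the Collector's address and port instead.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# What the local stand-in "Collector" captured, keyed by transport.
RECEIVED = {"tcp": [], "udp": []}


def build_rfc5424(msg, hostname="web01", app="sshd", facility=4, severity=6, ts=None):
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI = facility * 8 + severity (facility 4 = auth, severity 6 = informational)."""
    pri = facility * 8 + severity
    if ts is None:
        ts = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed, fixed for reproducibility
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {stamp} {hostname} {app} - - - {msg}"


def frame(line, framing="octet-counting"):
    """Frame one message for a TCP stream (RFC 6587).
    octet-counting: "<len> <msg>" (what the syslog-ng syslog() driver sends);
    non-transparent: "<msg>\\n" (rsyslog's default for @@ targets)."""
    payload = line.encode("utf-8")
    if framing == "octet-counting":
        return f"{len(payload)} ".encode("ascii") + payload
    return payload + b"\n"


def read_frame(stream):
    """Read one frame of either style from a binary stream; None at EOF.
    A leading digit means octet-counting; an RFC 5424 message itself starts with '<'."""
    ch = stream.read(1)
    if not ch:
        return None
    if ch.isdigit():
        length = ch
        while True:
            ch = stream.read(1)
            if not ch:
                return None
            if ch == b" ":
                break
            length += ch
        return stream.read(int(length)).decode("utf-8")
    return (ch + stream.readline()).rstrip(b"\n").decode("utf-8")


class TCPHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # One connection may carry many frames; read until the sender closes.
        while True:
            msg = read_frame(self.rfile)
            if msg is None:
                break
            RECEIVED["tcp"].append(msg)


class UDPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # one datagram == one message
        RECEIVED["udp"].append(data.decode("utf-8"))


def send_tcp(host, port, lines, framing="octet-counting"):
    with socket.create_connection((host, port), timeout=5) as s:
        for line in lines:
            s.sendall(frame(line, framing))


def send_udp(host, port, lines):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for line in lines:
            s.sendto(line.encode("utf-8"), (host, port))


def round_trip():
    """Start local TCP and UDP listeners, send a test message over each, return what arrived."""
    RECEIVED["tcp"].clear()
    RECEIVED["udp"].clear()
    tcp_srv = socketserver.TCPServer(("127.0.0.1", 0), TCPHandler)
    udp_srv = socketserver.UDPServer(("127.0.0.1", 0), UDPHandler)
    for srv in (tcp_srv, udp_srv):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    line = build_rfc5424("Accepted publickey for alice from 10.0.0.5 port 51234")  # constructed
    tcp_port = tcp_srv.server_address[1]
    send_tcp("127.0.0.1", tcp_port, [line], "octet-counting")
    send_tcp("127.0.0.1", tcp_port, [line], "non-transparent")
    send_udp("127.0.0.1", udp_srv.server_address[1], [line])
    deadline = time.time() + 5
    while time.time() < deadline and (len(RECEIVED["tcp"]) < 2 or len(RECEIVED["udp"]) < 1):
        time.sleep(0.05)
    for srv in (tcp_srv, udp_srv):
        srv.shutdown()
        srv.server_close()
    return {"sent": line, "tcp": list(RECEIVED["tcp"]), "udp": list(RECEIVED["udp"])}


if __name__ == "__main__":
    print(round_trip())
```

The listener side is what makes this useful as a check: if a message shows up in the UDP list but not the TCP list (or the reverse), the problem is the transport or port you configured, not the log content. Keep in mind that the UDP path has no delivery confirmation, so a silent loss on UDP looks identical to a blocked port.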

Secure Syslog

Almost every event source supports Listen on Network Port as a collection method. This configuration allows you to forward log events from your event source to your Collector on a unique port, just as you would with a syslog server over a predefined port.

For any event source that receives data over syslog, you can choose to configure Secure Syslog, which sends data encrypted with TLS (Transport Layer Security) versions 1.1 and 1.2 over TCP.

Syslog-ng Configuration Files

Use one of these configuration files, replacing the address and port with those of the Collector event source that is listening in your environment.

TCP configuration file

# A simple client syslog-ng.conf
# Ref:- https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/11#TOPIC-1209106
# NOTE: Change version to version installed - VERY IMPORTANT

@version: <<VERSION INSTALLED>>
@include "scl.conf"
source s_local {
    system();
    internal();
};

# RFC5424 IETF-syslog over TCP (port is optional; 601 is the default)
destination d_collector {
    syslog("192.168.1.1"
        transport("tcp")
        port(2010));
};
log {
    source(s_local);
    destination(d_collector);
};

UDP configuration file

# A simple client syslog-ng.conf
# Ref:- https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.22/administration-guide/11#TOPIC-1209106
# NOTE: Change version to version installed - VERY IMPORTANT

@version: <<VERSION INSTALLED>>
@include "scl.conf"
source s_local {
    system();
    internal();
};

# RFC3164 BSD-syslog over UDP (port is optional; 514 is the default)
destination d_collector {
    network("192.168.1.1"
        transport("udp")
        port(512));
};
log {
    source(s_local);
    destination(d_collector);
};