Difference between revisions of "Sumologic Rsyslog Fowarder"

 
(2 intermediate revisions by the same user not shown)
Line 108: Line 108:
 
$ModLoad imtcp.so
 
$ModLoad imtcp.so
 
$InputTCPServerRun 514
 
$InputTCPServerRun 514
 +
# Copy to local files by host folder
 
$template DynamicFile,"/var/log/hosts/%HOSTNAME%/%syslogfacility-text%.log"
 
$template DynamicFile,"/var/log/hosts/%HOSTNAME%/%syslogfacility-text%.log"
 
*.*    -?DynamicFile
 
*.*    -?DynamicFile
#
+
 
#
+
 
 
# Setup disk assisted queues# Setup disk assisted queues
 
# Setup disk assisted queues# Setup disk assisted queues
 
$WorkDirectory /var/spool/rsyslog    # where to place spool files
 
$WorkDirectory /var/spool/rsyslog    # where to place spool files
Line 122: Line 123:
  
 
# RsyslogGnuTLS
 
# RsyslogGnuTLS
 +
$InputTCPServerKeepAlive on
 
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/digicert_ca.crt
 
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/digicert_ca.crt
  
Line 144: Line 146:
 
If using LXD
 
If using LXD
 
```
 
```
 +
lxc init ubuntu:20.04 rsyslog
 
lxc network attach lxdbr0 rsyslog eth0 eth0
 
lxc network attach lxdbr0 rsyslog eth0 eth0
 
lxc config device set rsyslog eth0 ipv4.address 172.x.x.x
 
lxc config device set rsyslog eth0 ipv4.address 172.x.x.x
lxc config device remove wjp1-lxd-rsyslog proxyv4 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
+
lxc config device add lxd-rsyslog tcp514 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
lxc config device add wjp1-lxd-rsyslog tcp514 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
+
lxc config device add lxd-rsyslog udp514 proxy nat=true listen=udp:10.x.x.x:514 connect=udp:0.0.0.0:514
 +
lxc start rsyslog
 +
lxc shell rsyslog
 +
logger jtest
 +
```
 +
 
 +
```
 +
logger --udp -n 172.x.x.x "remote test"
 +
echo "test" | nc -v -u -w 0 172.x.x.x 514
 
```
 
```
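Review bot: The added `lxc config device add lxd-rsyslog tcp514 …` and `… udp514 …` lines target an instance named `lxd-rsyslog`, while the instance created and started in the same hunk is `rsyslog` (`lxc init ubuntu:20.04 rsyslog`, `lxc start rsyslog`), so the proxy devices would be attached to an instance that does not exist; both lines should read `lxc config device add rsyslog …`. Once attached, these proxies publish the container's plaintext TCP/UDP 514 listeners on the host's 10.x.x.x address to any sender, so a comment such as `# exposes unauthenticated syslog on 10.x.x.x:514 — restrict at the host firewall or with $AllowedSender` would be worth adding above them. The `logger jtest` line follows an interactive `lxc shell rsyslog`, whereas the `logger --udp` and `nc` lines are run from outside the container; marking which commands run where would avoid confusion. In the earlier hunk, the added `$InputTCPServerKeepAlive on` sits after `$InputTCPServerRun 514` in the full revision shown on this page, where it appears not to affect the listener that the Run directive has already started; it belongs before that line.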

Latest revision as of 03:36, 18 December 2021

Install rsyslog (usually already installed)

Add TLS support

# Pull in rsyslog's GnuTLS network-stream driver (gtls), used by the TLS forwarder below.
sudo apt-get install --yes rsyslog-gnutls

Add the CA certificate

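 # Fetch the CA that rsyslog will use to verify the collector (see $DefaultNetstreamDriverCAFile).
 # -f makes curl fail on an HTTP error instead of saving an error page as the trust anchor;
 # -sS keeps output quiet but still reports failures. Verify the downloaded root's fingerprint
 # against the value DigiCert publishes before relying on it.
 mkdir -p /etc/rsyslog.d/keys/ca.d && curl -fsSL https://www.digicert.com/CACerts/DigiCertHighAssuranceEVRootCA.crt.pem -o /etc/rsyslog.d/keys/ca.d/digicert_ca.crt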
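# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#
# Role of this file: receive syslog from remote hosts on TCP/UDP 514, keep a
# per-host copy under /var/log/hosts, and forward every message to the
# Sumo Logic cloud collector over TLS (omfwd + gtls).


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
# module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files.
# Also used by the disk-assisted forwarding queue further down.
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
# Included exactly once: repeating this directive parses every drop-in twice
# and duplicates the inputs and actions they define.
#
$IncludeConfig /etc/rsyslog.d/*.conf


# module(load="omelasticsearch")
# template(name="testTemplate"
#          type="list"
#          option.json="on") {
#            constant(value="{")
#              constant(value="\"timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
#              constant(value="\",\"message\":\"")     property(name="msg")
#              constant(value="\",\"host\":\"")        property(name="hostname")
#              constant(value="\",\"severity\":\"")    property(name="syslogseverity-text")
#              constant(value="\",\"facility\":\"")    property(name="syslogfacility-text")
#              constant(value="\",\"syslogtag\":\"")   property(name="syslogtag")
#            constant(value="\"}")
#          }
# action(type="omelasticsearch"
#        server="myserver.local"
#        serverport="9200"
#        template="testTemplate"
#        searchIndex="test-index"
#        searchType="test-type"
#        bulkmode="on"
#        queue.type="linkedlist"
#        queue.size="5000"
#        queue.dequeuebatchsize="300"
#        action.resumeretrycount="-1")


# Both network listeners below accept unauthenticated plaintext syslog from
# any sender that can reach port 514; restrict reachability at the host
# firewall or with $AllowedSender. Only the outbound forwarder uses TLS.

# Provides UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception
# Legacy $InputTCPServer* settings apply to the listener started by the next
# $InputTCPServerRun, so keepalive has to be set before the Run line.
$ModLoad imtcp.so
$InputTCPServerKeepAlive on
$InputTCPServerRun 514
# Copy to local files by host folder
# %HOSTNAME% is taken from the received message, i.e. it is sender-controlled;
# secpath-replace turns any "/" in it into "_" before it is used as a
# directory name, so a crafted hostname cannot escape /var/log/hosts/.
$template DynamicFile,"/var/log/hosts/%HOSTNAME:::secpath-replace%/%syslogfacility-text%.log"
*.*    -?DynamicFile


# Setup disk assisted queues
# $WorkDirectory is already set under GLOBAL DIRECTIVES above.
# NOTE(review): legacy $ActionQueue*/$ActionResume* directives are meant for the
# next action that is defined — presumably the omfwd forwarder below; confirm
# they are honored by the action() object, or move them to queue.* parameters.
$ActionQueueFileName fwdRule1         # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g           # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on         # save messages to disk on shutdown
$ActionQueueType LinkedList           # run asynchronously
$ActionResumeRetryCount -1            # infinite retries if host is down


# RsyslogGnuTLS
# CA file used by the gtls driver to verify the collector's certificate
# (fetched by the curl step in this guide).
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/digicert_ca.crt

# Sumo Logic line format: RFC 5424-style header, then the collector source
# token, then the message. The token is a credential: keep this file readable
# only by root and the syslog user, and out of version control.
template(name="SumoFormat" type="string" string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% <MY TOKEN FROM SYSLOG CLOUD COLLECTOR SOURCE> %msg%\n")

# Forward all messages to Sumo Logic over TLS.
#   StreamDriverMode="1"            -> TLS only, never plain TCP
#   StreamDriverAuthMode="x509/name" -> verify the peer certificate against the
#                                      CA file and check its name against
#                                      StreamDriverPermittedPeers
action(type="omfwd"
    protocol="tcp"
    target="syslog.collection.us2.sumologic.com"
    port="6514"
    template="SumoFormat"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog.collection.*.sumologic.com")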
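# Validate the configuration first (-N1 = config check only) so a syntax error
# does not leave the daemon down after the restart.
rsyslogd -N1 && systemctl restart rsyslog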

If using LXD

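# Create the container (instance name "rsyslog") on the lxdbr0 bridge and give
# it a static address; nat=true proxy devices need the instance IP to be static.
lxc init ubuntu:20.04 rsyslog
lxc network attach lxdbr0 rsyslog eth0 eth0
lxc config device set rsyslog eth0 ipv4.address 172.x.x.x
# Publish the container's syslog listeners on the host's 10.x.x.x address.
# The instance name must be the one created above ("rsyslog").
# This exposes unauthenticated plaintext syslog on TCP/UDP 514 to anything that
# can reach 10.x.x.x:514 — limit reachability at the host firewall.
lxc config device add rsyslog tcp514 proxy nat=true listen=tcp:10.x.x.x:514 connect=tcp:0.0.0.0:514
lxc config device add rsyslog udp514 proxy nat=true listen=udp:10.x.x.x:514 connect=udp:0.0.0.0:514
lxc start rsyslog
# Opens an interactive shell inside the container; the next command is typed there.
lxc shell rsyslog
logger jtest
# From the host: send test messages straight to the container's bridge address.
logger --udp -n 172.x.x.x "remote test"
echo "test" | nc -v -u -w 0 172.x.x.x 514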