Sending Specific Log File to Rsyslog Server
Kali Linux Client: 192.168.0.139
Rocky Linux + Cacti + Rsyslog Server: 192.168.0.6
Port: 514
Forwarding action syntax: a single @ means UDP and @@ means TCP (not the other way round). This guide uses UDP, so the action below is written with one @.
Log File to Be Sent from the Client to Rsyslog: 192.168.0.139 /var/webmin/miniserv.log
!! MAKE SURE THE FIREWALL ON THE SERVER ALLOWS 514/UDP (firewalld on Rocky Linux; 514/TCP IS ONLY NEEDED IF YOU SWITCH TO @@) !!
Configuration on the Client Side:
- Open the rsyslog configuration file on the client side. The main file is /etc/rsyslog.conf; files in the /etc/rsyslog.d/ directory are included from it, so the rules below can also go into a new file there instead. sudo nano /etc/rsyslog.conf
- Add configuration rules: add the following rules to send logs from /var/webmin/miniserv.log to the syslog server at 192.168.0.6 on port 514 over UDP. The log file must be readable by the user rsyslog runs as (root by default on Kali/Debian):
$ModLoad imfile
$InputFileName /var/webmin/miniserv.log
$InputFileTag webmin:
$InputFileStateFile webmin-statefile
$InputFileFacility local7
$InputRunFileMonitor
local7.* @192.168.0.6:514
In the rules above:
- $ModLoad imfile loads the imfile module, which is needed to read a plain text file as a log input.
- $InputFileName is the path of the log file to monitor.
- $InputFileTag is the tag prepended to each forwarded message (here "webmin:"), so the server can tell which file a line came from.
- $InputFileStateFile names the state file in which imfile records how far it has read, so lines are not re-sent after a restart. It is created under rsyslog's work directory ($WorkDirectory, /var/spool/rsyslog on Debian-based systems such as Kali) and must be unique per monitored file.
- $InputFileFacility is the syslog facility assigned to the messages. "local7" is used here as an example; pick a facility nothing else on the client logs to, because the forwarding rule below matches the whole facility.
- $InputRunFileMonitor activates monitoring for the file described by the directives above it (it must come after them, and the whole group is repeated for each additional file).
Next, local7.* @192.168.0.6:514 forwards every message with facility "local7", at any severity, to the syslog server at 192.168.0.6 on port 514 over UDP (a single @). To use TCP instead, write @@192.168.0.6:514 and load imtcp on the server.
The $Input... directives are the legacy imfile syntax. Current rsyslog also accepts the equivalent module()/input() syntax and new configurations should prefer it, but the legacy form above still works.
- Save and exit: if you're using the nano editor, press Ctrl+O to save the changes, then Ctrl+X to exit.
- Restart rsyslog: after saving the configuration, check the syntax (rsyslogd -N1 parses the configuration without starting the daemon) and restart the rsyslog service on the client side to apply the changes.
sudo systemctl restart rsyslog
With this configuration, new lines appended to /var/webmin/miniserv.log on the client are forwarded to the syslog server at 192.168.0.6 with facility "local7" (the existing content of the file is read once, from the beginning, the first time the state file is created). Make sure the syslog server at that IP address is listening on 514/UDP and has a rule for these messages; that is the server-side configuration that follows.
Configuration on the Server Side:
- Edit /etc/rsyslog.conf on the server with nano /etc/rsyslog.conf
- Add the following lines to the file (see the note on placement below):
$ModLoad imudp
$UDPServerRun 514
:fromhost-ip,isequal,"192.168.0.139" /var/log/server/rstoptiplex.log
$ModLoad imudp: loads the imudp module, which receives syslog messages over UDP. The stock Rocky Linux rsyslog.conf already carries a commented-out module(load="imudp") and input(type="imudp" port="514") pair; use one form or the other, because loading a module twice is a configuration error.
$UDPServerRun 514: starts a UDP listener on port 514, the standard syslog port. By default it binds to all interfaces; $UDPServerAddress can restrict it to one address. Nothing in UDP syslog authenticates the sender or protects the content, so treat this as a trusted-network setup and move to TCP (@@ on the client, imtcp on the server) with TLS for anything else.
:fromhost-ip,isequal,"192.168.0.139" /var/log/server/rstoptiplex.log: a property-based filter. fromhost-ip is the source IP address of the received packet; every message that arrives from 192.168.0.139 is written to /var/log/server/rstoptiplex.log (rsyslog creates the directory, since $CreateDirs is on by default). Messages from other hosts are not touched by this rule.
Two caveats to expect:
- A message that matches this rule continues through the remaining rules, so it is also written wherever the stock rules send it (for example /var/log/messages). To keep the Webmin lines only in the separate file, place this rule before the stock rules and follow it with a line reading & stop; appended at the very bottom of the file, as above, it produces a copy.
- The filter keys on the packet's source address, not on the hostname inside the message, and with UDP that address is easy to spoof.
This configuration as a whole lets rsyslog receive logs via UDP, single out those coming from 192.168.0.139, and write them to /var/log/server/rstoptiplex.log, which is useful when you want one host's logs in a separate file for analysis or monitoring. After restarting rsyslog on the server (and opening 514/udp in firewalld), confirm the listener is up with ss -lun and watch the file while generating activity on the client, for example by logging in to Webmin.
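To make the two halves concrete, here is an added Python model of the exchange (example code written for this page, not rsyslog's own or the author's). The client side reads only the lines appended since the last state-file offset and wraps each in the RFC 3164 datagram that local7.* @192.168.0.6:514 produces (PRI = facility*8 + severity, so local7.info is <190>, tag webmin:); the server side applies the equivalent of the :fromhost-ip,isequal,"192.168.0.139" rule, with and without a following & stop. The hostname kali, the two miniserv.log lines and /var/log/messages as the catch-all file are assumptions made for the demo; nothing is sent on the network and no real file is touched.

```python
"""Model of the rsyslog exchange from this page (added example, not rsyslog's
own code). Client: imfile state offset + RFC 3164 encoding for
"local7.* @192.168.0.6:514". Server: the equivalent of
    :fromhost-ip,isequal,"192.168.0.139" /var/log/server/rstoptiplex.log
Sample log lines, hostname and catch-all file are constructed for the demo."""
import re
from datetime import datetime

# RFC 3164 facility/severity codes (only the ones this page needs).
FACILITY = {"local7": 23}
SEVERITY = {"err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}

CLIENT_IP = "192.168.0.139"                      # Kali client from the page
TARGET_FILE = "/var/log/server/rstoptiplex.log"  # per-host file from the page
CATCHALL_FILE = "/var/log/messages"              # assumption: stock *.info rule on Rocky


def read_new_lines(file_text, offset):
    """Model of imfile with a state file: imfile records how far into the file it
    has read, so after a restart only lines appended beyond `offset` are sent.
    Returns (new complete lines, new offset); a partial last line is left for later."""
    chunk = file_text[offset:]
    end = chunk.rfind("\n") + 1
    return chunk[:end].splitlines(), offset + end


def encode_syslog(msg, hostname, tag="webmin:", facility="local7", severity="info", ts=None):
    """Build the datagram rsyslog sends for `local7.* @server:514`.
    PRI = facility * 8 + severity, so local7.info is <190>."""
    ts = ts or datetime.now()
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # RFC 3164: space-padded day
    return f"<{pri}>{stamp} {hostname} {tag} {msg}".encode()


SYSLOG_RE = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def decode_syslog(datagram):
    """Parse an RFC 3164 datagram back into its fields (None if malformed)."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                        # 24 facilities * 8 severities - 1
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2).decode(),
        "hostname": m.group(3).decode(),
        "content": m.group(4).decode(),  # "TAG message"
    }


def route(src_ip, datagram, stop_after_match=False):
    """Server side. fromhost-ip is the UDP packet's source address, not anything
    inside the message: a sender can put any hostname in the datagram and is
    still filed by its real source IP (and with UDP that IP is spoofable).
    Returns the files the message is written to. Without a following "& stop"
    rsyslog keeps evaluating later rules, so a match also reaches the catch-all."""
    if decode_syslog(datagram) is None:
        return []
    files = []
    if src_ip == CLIENT_IP:
        files.append(TARGET_FILE)
        if stop_after_match:
            return files
    files.append(CATCHALL_FILE)
    return files


def demo():
    """Walk two constructed miniserv.log lines through client and server."""
    # Constructed content of /var/webmin/miniserv.log on the client (not a real log).
    miniserv_log = (
        '192.168.0.20 - root [05/Oct/2024:12:00:01 +0000] "GET /session_login.cgi HTTP/1.1" 200\n'
        '192.168.0.20 - - [05/Oct/2024:12:00:07 +0000] "POST /session_login.cgi HTTP/1.1" 401\n'
    )
    lines, offset = read_new_lines(miniserv_log, 0)   # first run: state offset 0
    written = {}
    for line in lines:
        dgram = encode_syslog(line, "kali", ts=datetime(2024, 10, 5, 12, 0, 7))
        for path in route(CLIENT_IP, dgram):          # no "& stop": two files
            written.setdefault(path, []).append(dgram.decode())
    return offset, written


if __name__ == "__main__":
    off, files = demo()
    print(f"state file offset now {off}")
    for path, entries in files.items():
        print(path)
        for entry in entries:
            print("   ", entry)
```

Running it prints each forwarded line twice, once under /var/log/server/rstoptiplex.log and once under /var/log/messages, which is exactly the duplication the placement note above is about; calling route() with stop_after_match=True models the rule followed by & stop.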
Result
Reference from chatgpt :)