matthew/DCO-SOGs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "8 Tools"

Browse Source
This commit is contained in:
Matthew Iverson
2024-10-26 23:59:47 -04:00
parent 79ac3d851e
commit 903d8fde82
10 changed files with 329 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
8 Tools/syslogSOG.md Normal file
View File

@ -0,0 +1,112 @@
[Create Syslog Server Video](https://www.youtube.com/watch?v=Cw-TXDirgcQ&ab_channel=EdGoad)
1. Instal OS
install fedora 40 server
```
dnf update
dnf upgrade
```
2. Configure Log Location
```
mkdir /var/log/syslog
```
3. Open Firewall
```
firewall-cmd --get-default-zone
<ZONE> // This zone is put below
firewall-cmd --zone=<ZONE> --add-port=514/udp --permanent
firewall-cmd --zone=<ZONE> --add-port=514/tcp --permanent
firewall-cmd --reload
```
trouble shooting with fedora firewall-cmd
```
firewall-cmd --get-zones
```
4. Install rsyslog
```
dnf install rsyslog
vi /etc/rsyslog.conf
```
uncomment # in the front of the lines
scroll to bottom of file
```
$template PerHostLog,"/var/log/syslog/%HOSTNAME%.log"
if $fromhost-ip startswith '10.' then -?PerHostLog
& STOP
```
5. Test syslog server
```
cd /opt
wget https://raw.githubusercontent.com/edgoad/syslog-generator/master/syslogGen1.sh
// change SOURCES to what files your range from what you specified above
SOURCES=
// Change DEST_IP to your IP of your syslog server
//uncomment line towards bottom `#echo` to see when script is functioning
```
6. Setup Logrotate
```
cd /etc/logrotate.d/
cp rsyslog syslog
vi syslog
```
```
// add syslog folder to file at the top
/var/log/syslog/*.log
// next add three lines inside the {}
// these lines will be to rotate in a year, expire after a year and create new logs daily for each IP
rotate 365
maxage 366
daily
```
/etc/logrotate.d/syslog file
7. Point remote syslogs to your syslog server
8. Set up splunk universal forwarder on syslog server
[Setup Splunk Universal Forwarder](https://www.youtube.com/watch?v=smyLZ6ataK0&embeds_referring_euri=https%3A%2F%2Fcdn.iframe.ly%2F&source_ve_path=MjM4NTE)
install the 64 tar
```
wget -O splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/linux/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz"
```
```
useradd -m splunkfwd
groupadd splunkfwd
export SPLUNK_HOME="/opt/splunkforwarder"
mkdir $SPLUNK_HOME
```
```
tar xvzf splunkforwarder_package_name.tgz
```
```
chown -R splunkfwd:splunkfwd $SPLUNK_HOME
sudo $SPLUNK_HOME/bin/splunk start --accept-license
$SPLUNK_HOME/bin/splunk add forward-server <IP>:<PORT>
$SPLUNK_HOME/bin/splunk restart
$SPLUNK_HOME/bin/splunk add monitor /var/log/syslog
```