[Create Syslog Server Video](https://www.youtube.com/watch?v=Cw-TXDirgcQ&ab_channel=EdGoad)

1. Install OS

   Install Fedora 40 Server, then bring it up to date:

   ```
   dnf update
   dnf upgrade
   ```

2. Configure log location

   ```
   mkdir /var/log/syslog
   ```

3. Open firewall

   ```
   firewall-cmd --get-default-zone
   # put the zone printed above after --zone= in the two commands below
   firewall-cmd --zone= --add-port=514/udp --permanent
   firewall-cmd --zone= --add-port=514/tcp --permanent
   firewall-cmd --reload
   ```

   Troubleshooting the Fedora firewall with firewall-cmd:

   ```
   firewall-cmd --get-zones
   ```

4. Install rsyslog

   ```
   dnf install rsyslog
   vi /etc/rsyslog.conf
   ```

   Uncomment (remove the `#` at the front of) the lines that enable UDP and TCP syslog reception, then scroll to the bottom of the file and add:

   ```
   $template PerHostLog,"/var/log/syslog/%HOSTNAME%.log"
   if $fromhost-ip startswith '10.' then -?PerHostLog
   & STOP
   ```

5. Test syslog server

   ```
   cd /opt
   wget https://raw.githubusercontent.com/edgoad/syslog-generator/master/syslogGen1.sh
   ```

   Edit the script before running it:

   - set `SOURCES=` to the source address range you specified in the rsyslog filter above
   - set `DEST_IP` to the IP of your syslog server
   - uncomment the `#echo` line towards the bottom to see when the script is functioning

6. Set up logrotate

   ```
   cd /etc/logrotate.d/
   cp rsyslog syslog
   vi syslog
   ```

   Edit the copied /etc/logrotate.d/syslog file:

   ```
   # add the syslog folder at the top of the file, next to the existing paths
   /var/log/syslog/*.log
   # then add these three lines inside the {}:
   # rotate for a year, expire after a year, and create new logs daily for each host
   rotate 365
   maxage 366
   daily
   ```

7. Point remote syslogs to your syslog server.

8. Set up Splunk Universal Forwarder on the syslog server

   [Setup Splunk Universal Forwarder](https://www.youtube.com/watch?v=smyLZ6ataK0&embeds_referring_euri=https%3A%2F%2Fcdn.iframe.ly%2F&source_ve_path=MjM4NTE)

   Install the 64-bit tar:

   ```
   wget -O splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/linux/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz"
   ```

   ```
   # create the group first so useradd can place the user in it
   groupadd splunkfwd
   useradd -m -g splunkfwd splunkfwd
   export SPLUNK_HOME="/opt/splunkforwarder"
   mkdir $SPLUNK_HOME
   ```

   ```
   # the archive contains a top-level splunkforwarder/ directory, so extracting into /opt lands it in $SPLUNK_HOME
   tar xvzf splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz -C /opt
   ```

   ```
   chown -R splunkfwd:splunkfwd $SPLUNK_HOME
   sudo $SPLUNK_HOME/bin/splunk start --accept-license
   # fill in the indexer's host:port after forward-server
   $SPLUNK_HOME/bin/splunk add forward-server :
   $SPLUNK_HOME/bin/splunk restart
   $SPLUNK_HOME/bin/splunk add monitor /var/log/syslog
   ```
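A small test client for step 5, added here as an example rather than taken from the video or the syslog-generator script: it builds an RFC 3164 message, works out which per-host file the `PerHostLog` rule from step 4 would write it to, and sends it over UDP to port 514. `SERVER_IP`, the sample hostname and the sample source address are assumed placeholders.

```python
"""Send a constructed RFC 3164 syslog message to the rsyslog collector and
predict the per-host file the step 4 template would write it to.
Added example; not the video's or the syslog-generator project's code."""
import socket

SERVER_IP = "10.0.0.5"   # assumed placeholder: replace with your syslog server's IP
SERVER_PORT = 514        # matches the firewall rule opened in step 3

# RFC 3164 facility/severity codes (subset); PRI = facility * 8 + severity
FACILITY = {"kern": 0, "user": 1, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, hostname, tag, text):
    """Return the wire-format line rsyslog's default parser accepts.
    The timestamp is fixed so the output is deterministic for testing."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    return f"<{pri}>Jun 10 12:00:00 {hostname} {tag}: {text}"


def per_host_file(source_ip, hostname, log_dir="/var/log/syslog"):
    """Mirror the rsyslog rule: `if $fromhost-ip startswith '10.'` is a plain
    string-prefix test (so 100.x.x.x does not match), and %HOSTNAME% is taken
    from the message header. Returns None when the message falls through to
    the normal rsyslog rules instead of the per-host template."""
    if source_ip.startswith("10."):
        return f"{log_dir}/{hostname}.log"
    return None


def send_udp(message, server=SERVER_IP, port=SERVER_PORT):
    """Fire one datagram at the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode(), (server, port))


if __name__ == "__main__":
    # constructed sample event from an assumed host web01 at 10.0.0.20
    msg = build_message("auth", "notice", "web01", "sshd[1234]",
                        "Accepted publickey for alice from 10.0.0.20 port 50000")
    print(msg)
    print("expected file:", per_host_file("10.0.0.20", "web01"))
    send_udp(msg)
```

After sending, `tail /var/log/syslog/web01.log` on the collector should show the line; if it appears in the default log instead, the `startswith '10.'` filter or the uncommented UDP input is the place to look.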