DCO-SOGs/8 Tools/syslogSOG.md

Create Syslog Server Video

1. Install OS: install Fedora 40 Server, then bring it up to date.

```bash
dnf update
dnf upgrade
```
2. Configure the log location.

```bash
mkdir /var/log/syslog
```
3. Open the firewall for syslog (514/udp and 514/tcp).

```bash
firewall-cmd --get-default-zone
# prints <ZONE>; use that zone in the commands below
firewall-cmd --zone=<ZONE> --add-port=514/udp --permanent
firewall-cmd --zone=<ZONE> --add-port=514/tcp --permanent
firewall-cmd --reload
```

Troubleshooting with Fedora's firewall-cmd: list the available zones if the default zone is not the one you expect.

```bash
firewall-cmd --get-zones
```
4. Install rsyslog.

```bash
dnf install rsyslog
vi /etc/rsyslog.conf
```

Uncomment (remove the leading `#` from) the lines that enable receiving syslog over the network, then scroll to the bottom of the file and add a per-host template and a rule that writes every message from a 10.x source to its own file:

```
$template PerHostLog,"/var/log/syslog/%HOSTNAME%.log"
if $fromhost-ip startswith '10.' then -?PerHostLog
& STOP
```
5. Test the syslog server.

```bash
cd /opt
wget https://raw.githubusercontent.com/edgoad/syslog-generator/master/syslogGen1.sh
```

Edit `syslogGen1.sh`:

- change `SOURCES=` to match the IP range you specified in the rsyslog rule above
- change `DEST_IP` to the IP of your syslog server
- uncomment the `#echo` line towards the bottom to see when the script is functioning
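A scripted check for this step, added here and not part of the SOG: it sends one RFC 3164 test message over UDP and polls for it in the per-host file the PerHostLog template above produces, which also shows that the file name comes from the message's HOSTNAME field rather than from the sender's IP. The server address 10.0.0.5, the log directory and the hostname testclient01 are placeholders to adjust.

```shell
#!/usr/bin/env bash
# Added test helper for the "Test syslog server" step (not part of the SOG).
# Assumed placeholders: server 10.0.0.5 listening on 514/udp, per-host files in
# /var/log/syslog (the PerHostLog template above), client hostname testclient01.
SERVER="${SERVER:-10.0.0.5}"
LOGDIR="${LOGDIR:-/var/log/syslog}"

# RFC 3164 PRI = facility*8 + severity (local0=16, info=6 -> 134).
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# Build a BSD-syslog line. rsyslog takes %HOSTNAME% (and so the per-host file
# name) from this HOSTNAME field, not from the sender's IP, so it is explicit here.
build_msg() { # facility severity hostname tag message
  printf '<%s>%s %s %s: %s' "$(syslog_pri "$1" "$2")" \
    "$(date '+%b %e %H:%M:%S')" "$3" "$4" "$5"
}

# File the PerHostLog template writes for a given hostname.
per_host_log() { printf '%s/%s.log\n' "$LOGDIR" "$1"; }

# The hostname is client-supplied; only accept something that is a plain file name.
safe_hostname() {
  case "$1" in ""|*/*|*..*|*[!A-Za-z0-9._-]*) return 1 ;; esac
  return 0
}

# Send one datagram using bash's /dev/udp (needs bash, not plain sh).
send_udp() { printf '%s' "$1" > "/dev/udp/$SERVER/514"; }

# Poll file $1 for up to $2 seconds until it contains the marker $3.
wait_for() {
  i=0
  while [ "$i" -lt "$2" ]; do
    grep -qF -- "$3" "$1" 2>/dev/null && return 0
    sleep 1; i=$((i + 1))
  done
  return 1
}

main() {
  host="${1:-testclient01}"
  safe_hostname "$host" || { echo "refusing unsafe hostname: $host"; exit 2; }
  marker="syslogSOG-test-$(date +%s)-$$"
  send_udp "$(build_msg 16 6 "$host" syslogtest "$marker")"
  if wait_for "$(per_host_log "$host")" 10 "$marker"; then
    echo "OK: message landed in $(per_host_log "$host")"
  else
    echo "FAIL: check firewall-cmd --list-ports, the network input lines in rsyslog.conf and the fromhost-ip rule"
    exit 1
  fi
}
# Run only when asked (SYSLOG_SOG_RUN=1 ./check.sh [hostname]) so the functions can also be sourced.
if [ "${SYSLOG_SOG_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it from a client inside the 10.x range used in the rsyslog rule; a message sent from any other range will not match the rule and the check reports FAIL.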
6. Set up logrotate.

```bash
cd /etc/logrotate.d/
cp rsyslog syslog
vi syslog
```

Add the syslog folder at the top of the file:

```
/var/log/syslog/*.log
```

Next add three lines inside the `{}`. They keep a year of rotated logs (`rotate 365`), expire them after a year (`maxage 366`) and rotate daily, so each IP gets a new log file every day:

```
    rotate 365
    maxage 366
    daily
```

Resulting file: `/etc/logrotate.d/syslog`

7. Point the remote syslog clients at your syslog server.

8. Set up the Splunk universal forwarder on the syslog server.

Setup Splunk Universal Forwarder

Install the 64-bit tarball:

```bash
wget -O splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz "https://download.splunk.com/products/universalforwarder/releases/9.2.1/linux/splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz"
useradd -m splunkfwd
groupadd splunkfwd   # may report the group already exists: useradd creates it on Fedora
export SPLUNK_HOME="/opt/splunkforwarder"
mkdir $SPLUNK_HOME
# the archive unpacks into a splunkforwarder/ directory, so extract it under /opt
tar xvzf splunkforwarder-9.2.1-78803f08aabb-Linux-x86_64.tgz -C /opt
chown -R splunkfwd:splunkfwd $SPLUNK_HOME
# starting as root leaves root-owned files under $SPLUNK_HOME; use `sudo -u splunkfwd` to keep the forwarder unprivileged
sudo $SPLUNK_HOME/bin/splunk start --accept-license
$SPLUNK_HOME/bin/splunk add forward-server <IP>:<PORT>
$SPLUNK_HOME/bin/splunk restart
# /var/log/syslog is the per-host log directory created in step 2
$SPLUNK_HOME/bin/splunk add monitor /var/log/syslog
```