Part 1: How to build a generic Linux Rsyslog Server on Ubuntu

Why would you EVER want to do this? Well, sometimes you may need to ingest syslog event data from other sources into a central location. I’ll talk more to this need in the video. Enjoy!

In Part 2 (coming soon) we will talk about how to get those newly centralized logs on your Ubuntu Rsyslog server ingested into an upstream Sumo Logic Cloud SIEM. Stay tuned!

Oh, and questions, email me! timl@checkpoint.com

1. Intro: why does this matter? 00:00 to 02:07.
2. Ubuntu in Azure and NSG config, 02:08 to 03:32.
3. Install packages on Ubuntu Server, 03:33 to 05:12.
4. Edit /etc/rsyslog.d/rsyslog.conf, 05:13 to 07:07.
5. Install TLS and create TLS.conf, 07:08 to 08:50.
6. Use openssl to create keys, 08:51 to 12:06.
7. Get certificate (to be signed) from the Infinity Portal, 12:07 to 14:02.
8. Sign Infinity Portal certificate on Ubuntu with openssl, 14:03 to 14:45.
9. Upload signed cert and pem file to the Infinity Portal and complete connection, 14:46 to 20:09.
10. Part 2 coming soon! 20:10.

Comments

@timlloyd22 says:

Ubuntu commands and what not:
○ Update Server: sudo apt-get update && sudo apt-get upgrade

○ sudo reboot

○ Install ntp: sudo apt update -y && sudo apt install ntp && sudo apt install ntpdate (see https://www.tecmint.com/install-ntp-server-and-client-on-ubuntu/)

§ sudo apt install ntp

○ Install tcpdump: sudo apt-get update && sudo apt-get install tcpdump

○ Install netstat: https://www.cyberithub.com/how-to-install-netstat-on-ubuntu-20-04-lts-focal-fossa/

§ sudo apt install net-tools

○ Install openssl: https://linuxgenie.net/install-openssl-on-ubuntu-22-04/

§ sudo apt install openssl -y

○ Install rsyslog: https://kifarunix.com/install-and-setup-rsyslog-server-on-ubuntu/?expand_article=1

§ sudo apt install rsyslog -y

§ To enable persistence after reboot: sudo systemctl enable rsyslog

§ Rsyslog commands

□ systemctl restart rsyslog

□ systemctl status rsyslog

□ sudo ss -4altunp | grep 6514

§ Add to rsyslog.conf for log file location:

□ $template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log"

□ *.* ?RemInputLogs

○ Load / configure TLS for rsyslog: https://michlstechblog.info/blog/rsyslog-configure-tls-ssl/

§ First install TLS support: sudo apt install rsyslog-gnutls

§ Create Certs:

□ openssl genrsa -out ca-ubuntu.key 2048

□ openssl req -x509 -new -nodes -key ca-ubuntu.key -sha256 -days 825 -out ca-ubuntu.pem

□ openssl genrsa -out server-ubuntu.key 2048

□ openssl req -new -key server-ubuntu.key -out server-ubuntu.csr

□ openssl x509 -req -in server-ubuntu.csr -CA ca-ubuntu.pem -CAkey ca-ubuntu.key -CAcreateserial -out server-ubuntu.crt -days 825 -sha256

§ Create tls.conf

□ global(
      DefaultNetstreamDriverCAFile="/etc/cert/ca-ubuntu.pem"
      DefaultNetstreamDriverCertFile="/etc/cert/ca-ubuntu.pem"
      DefaultNetstreamDriverKeyFile="/etc/cert/ca-ubuntu.key"
  )

○ When you need to modify file / directory permissions for the /etc/cert pem and key files: https://www.wikihow.com/Change-File-Permissions-in-Linux-from-the-Terminal

§ To get key and pem files to -rw-r--r-- (644): sudo chmod 644 ca-ubuntu.key

§ To get /var/log/remotelogs to rwxr-xr-x (755): sudo chmod 755 remotelogs

○ Setup router with custom rule to pass TCP on 6514

○ Setup CP FW with rule to accept TCP on 6514

○ Setup CP FW with NAT to fwd to traffic to Ubuntu server

○ Create Infinity Portal Destination:

§ Sign Portal Client side cert: openssl x509 -req -in Certificate.csr -CA ca-ubuntu.pem -CAkey ca-ubuntu.key -CAcreateserial -out Certificate.crt -days 825 -sha256
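Putting the pieces from the list above together, here is a complete /etc/rsyslog.d/tls.conf as an added example (it is not from the post or the video). It assumes the /etc/cert paths and the separate server-ubuntu.crt/server-ubuntu.key pair that the openssl steps produce, loads imtcp with the gtls driver on 6514, requires the connecting client to present a certificate signed by ca-ubuntu.pem (which is what signing the Infinity Portal CSR gives you), and writes remote events through the RemInputLogs dynamic file template from their own ruleset.

```conf
# /etc/rsyslog.d/tls.conf (added example; paths and ruleset name are assumptions)
# TLS material: the CA from the openssl steps plus the separate server
# cert/key they create, instead of reusing the CA cert and key as the server's.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/cert/ca-ubuntu.pem"
  DefaultNetstreamDriverCertFile="/etc/cert/server-ubuntu.crt"
  DefaultNetstreamDriverKeyFile="/etc/cert/server-ubuntu.key"
)

# TCP listener with TLS required (Mode 1) and client certificate
# authentication: a peer is accepted only with a cert chaining to ca-ubuntu.pem,
# i.e. the Certificate.crt produced by signing the portal's CSR.
# (x509/name plus PermittedPeer would additionally pin the client's name.)
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/certvalid"
)

# One file per sending host and program, as in the RemInputLogs template above.
template(name="RemInputLogs" type="string"
         string="/var/log/remotelogs/%FROMHOST-IP%/%PROGRAMNAME%.log")

# Bind the TLS listener to its own ruleset so remote events land only under
# /var/log/remotelogs and are not mixed into the local /var/log files.
ruleset(name="remoteTLS") {
  action(type="omfile" dynaFile="RemInputLogs"
         dirCreateMode="0750" fileCreateMode="0640")
}

input(type="imtcp" port="6514" ruleset="remoteTLS")
```

Check the file with `sudo rsyslogd -N1` before restarting, then confirm the listener with the `ss -4altunp | grep 6514` command from the list. Ubuntu's stock rsyslog.conf drops privileges to the syslog user, so the key file needs to be readable by that user (chown root:syslog and chmod 640) rather than world-readable.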
