Before proceeding with the installation and configuration, ensure that you have:
Installation and Configuration of rsyslog
Rsyslog is the standard logging daemon for Linux systems that supports RELP.
-
Installing rsyslog
Install rsyslog on both servers using the following command:
sudo yum install rsyslog rsyslog-relp
-
Configuring rsyslog on the log collecting server (Server A)
Edit the rsyslog configuration file
/etc/rsyslog.conf
on Server A to enable the RELP module for log reception:module(load="imrelp") input(type="imrelp" port="2514" ruleset="remote")
Set up rules for processing received logs in a newly created file
/etc/rsyslog.d/remote.conf
:ruleset(name="remote") { action(type="omfile" dynaFile="remoteSyslog") }
Enable and restart the rsyslog service:
sudo systemctl enable rsyslog sudo systemctl restart rsyslog
-
Configuring rsyslog on the log sending server (Server B)
On the log sending server (Server B), modify
/etc/rsyslog.conf
to send logs using RELP:module(load="omrelp") *.* action(type="omrelp" target="serverA" port="2514")
Here,
serverA
is the hostname or IP address of the log collecting server.After making the changes, restart rsyslog:
sudo systemctl restart rsyslog
Securing Log Transfer
To secure log transfer, you can utilize TLS/SSL encryption. This process involves generating and managing SSL certificates.
-
Generating SSL Certificates
Generate a self-signed SSL certificate and key on the log collecting server:
sudo openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/rsyslog-key.pem -out /etc/ssl/certs/rsyslog-cert.pem -days 365 -nodes
-
Configuring rsyslog to Use SSL
Modify
/etc/rsyslog.d/remote.conf
on the log collecting server to use SSL:module(load="imrelp" tls.tlslib="openssl") input(type="imrelp" port="2514" ruleset="remote" tls="on" tls.caCert="/etc/ssl/certs/rsyslog-cert.pem" tls.myCert="/etc/ssl/certs/rsyslog-cert.pem" tls.myPrivKey="/etc/ssl/private/rsyslog-key.pem")
Modify
/etc/rsyslog.conf
on the log sending server:action(type="omrelp" target="serverA" port="2514" tls="on" tls.caCert="/etc/ssl/certs/rsyslog-cert.pem")
-
Restart rsyslog on Both Servers
After configuring SSL, restart rsyslog on both servers to apply the changes.
Implementing secure log transfer between servers using RELP on CentOS 7 requires careful configuration of rsyslog and proper setup of SSL certificates. This procedure ensures not only reliable log delivery but also secures them during transfer between servers. Thorough implementation of these steps forms the basis for secure and efficient log management within an IT infrastructure.