Some time ago a friend asked me to recommend a cost-free solution for storing the logs of his security device over the network. A Linux server running syslog-ng is well suited for this job: it can collect logs from any source, process them in near real time and deliver them to a wide variety of destinations. However, it was a challenge to explain all the steps in an easy manner, as he was a total newbie in the Linux world. For this reason I wrote a basic installation and configuration manual for him, which I am sharing with you. The manual helps you set up syslog-ng on an Ubuntu server and troubleshoot the issues you may run into.
1. Install Ubuntu 16.04 Server Edition
During the Ubuntu installation you are asked to provide a username/password and IP settings. Once the installation process finishes, the system is rebooted. When you get your console back, log in and install updates with the commands:
$ sudo su
# apt-get update
# apt-get upgrade
2. Install and Configure Syslog-ng
# apt-get install syslog-ng
First, download the simple configuration file that I created for you and restart syslog-ng so it is loaded:
# cd /etc/syslog-ng/conf.d
# wget http://brezular.com/wp-content/uploads/2016/12/firewals.conf_.txt -O firewals.conf
# service syslog-ng restart
3. Static IP Address Configuration
You probably need to configure a static IP address for the interface. Find the name of your Ethernet interface with the ifconfig command. Then edit the file /etc/network/interfaces with the nano or vim editor and configure the IP settings. Below is an example of a static IP configuration for the interface ens3.
Picture 1 - Static IP Address Configuration
Restart the networking service with the command:
# service networking restart
The syslog-ng service should now be listening on all IP addresses on both TCP and UDP port 514. Verify it with:
# netstat -tulpn | grep 514
Picture 2 - TCP/UDP Port 514 Opened by Syslog-ng Service
If you want syslog-ng to listen on a particular IP address instead of all IP addresses, replace the IP address 0.0.0.0 with the desired IP address in the configuration file /etc/syslog-ng/conf.d/firewals.conf. You can also change the owner of the saved log files there. Do not forget to restart the syslog-ng service after any change to the config file.
Logs are stored in the directory /var/log/firewalls. Check the content of the directory with the command:
# ls -l /var/log/firewalls/
drwxr-x--- 3 ubuntu ubuntu 4096 Dec 8 20:16 192.168.0.1
drwxr-x--- 3 ubuntu ubuntu 4096 Dec 8 20:18 192.168.0.2
As you can see, there are two directories, 192.168.0.1 and 192.168.0.2, which syslog-ng created automatically based on the IP addresses of the devices we are collecting logs from.
Picture 3 - Testing Topology
Our configuration file tells syslog-ng to create a directory structure IP_of_device/year/month for each contributing device. Inside the IP/year/month directory a separate log file is created for each day. Let's inspect a log file of the router 192.168.0.1.
# cat /var/log/firewalls/192.168.0.1/2016/12/192.168.0.1-2016-12-08.log
Dec 8 20:16:45 192.168.0.1 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:14:21 192.168.0.1 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:15:33 192.168.0.1 : %LINK-5-CHANGED: Interface GigabitEthernet1/0, changed state to administratively down
Dec 8 21:15:34 192.168.0.1 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to down
Dec 8 21:17:28 192.168.0.1 : %SYS-5-CONFIG_I: Configured from console by console
Dec 8 21:22:32 192.168.0.1 : %LINK-3-UPDOWN: Interface GigabitEthernet1/0, changed state to up
Dec 8 21:22:34 192.168.0.1 : %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0, changed state to up
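The listener and the per-device directory layout described above, written out as an added example of a syslog-ng configuration; this is not the author's firewals.conf, and the object names (s_firewalls, d_firewalls), the owner "ubuntu" and the line template are assumptions:

```conf
@version: 3.5

# Added example (not the firewals.conf downloaded above). Accept syslog on
# all addresses, TCP and UDP port 514, as shown by the netstat output.
# To bind to a single address, replace 0.0.0.0 with that address.
source s_firewalls {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# One file per sending device and day, under IP/year/month, matching
# /var/log/firewalls/192.168.0.1/2016/12/192.168.0.1-2016-12-08.log.
# ${SOURCEIP} is the peer address, so a device cannot choose its own
# directory by spoofing the hostname field of the message.
destination d_firewalls {
    file("/var/log/firewalls/${SOURCEIP}/${YEAR}/${MONTH}/${SOURCEIP}-${YEAR}-${MONTH}-${DAY}.log"
         create_dirs(yes)
         # directories are created as drwxr-x--- ubuntu:ubuntu (see ls -l above)
         dir_owner("ubuntu") dir_group("ubuntu") dir_perm(0750)
         # owner of the saved log files; change these to suit your setup
         owner("ubuntu") group("ubuntu") perm(0640)
         # assumed line format; ${DATE} gives "Dec  8 20:16:45"-style stamps
         template("${DATE} ${SOURCEIP} ${MSGHDR}${MSG}\n"));
};

log { source(s_firewalls); destination(d_firewalls); };
```

Save it under /etc/syslog-ng/conf.d/ and restart syslog-ng; the 0750/0640 permissions keep other local users out of the collected device logs.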
5. Configuring Cisco Router for Sending Traps to Syslog-ng
These two commands configure a Cisco router to send log messages of severity level 5 (notifications) and more severe to the syslog server with the IP address 192.168.0.100.
R1(config)# logging trap notifications
R1(config)# logging host 192.168.0.100