hire-vladimir / sa-syslog_collection Goto Github PK

Hello!
Your file permissions (FileCreateMode in rsyslog and perm() in syslog-ng) set the log files to 0755.
It's not necessary for log files to have executable permissions and worst case it could have some security impact. A better default would be 0644.

presently, instructions inderectly suggest to disable selinux or tune it when logging outside of /var/log. documentation should elaborate more instead, update instructions with suggestions as:

• https://wiki.centos.org/HowTos/SELinux
• https://stackoverflow.com/questions/23333243/how-to-redirect-rsyslog-messages-to-some-other-path-instead-of-var-log

received feedback from multiple parties regarding "tuning" syslog. need to review the settings to see how they differ from default and the versions they were introduced. additional research is required.

• rsyslog

$MainMsgQueueWorkerThreads 4
$MainMsgQueueWorkerThreadMinumumMessages 6000
$MainMsgQueueDequeueBatchSize 4096
$MainMsgQueueType FixedArray
$MainMsgQueueSize 250000

• syslog-ng

options {
        long_hostnames (off);
        check_hostname(yes);
        keep_hostname (yes);
        use_dns (yes);
        use_fqdn (no);
        create_dirs (no);
        chain_hostnames (no);
        dns_cache(yes);
        dns_cache_size(2500);
        dns_cache_expire(87600);
        keep_timestamp (no);
        log_iw_size(100);
        log_fetch_limit(100);
        flush_lines (100);
        log_fifo_size (1000);
        stats_freq (120);
        time_reap (30);
        time_reopen (2);
};

• rsyslog

# udp
*.* @10.1.1.1:514
# tcp
*.* @@10.1.1.1:514
# udp with compression
*.* @(z9)10.1.1.1:514

• syslog-ng

destination d_loghost {udp("10.1.1.1" port(514) spoof_source(yes)); };

• also add example of HWF/idx sending syslog to 3rd party

The index is called "syslog_health" in props and "health_syslog" in the dashboard. These should probably match up.

presently, legacy rsyslog config file is given as an example to keep things consistent with latest rsyslog shipped with RHEL and CentOS builds. Given user an option might help, as the new format is friendlier to work with.

As part of syslog engine writing out files, syslog server name could be included part of path. This is done by leveraging daemon variable substitution.

• For rsyslog use $myhostname, per http://www.rsyslog.com/doc/master/configuration/properties.html
• For syslog-ng use $LOGHOST, per https://syslog-ng.com/documents/html/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-macros.html#idm46378515812272

This could later be used to extract the splunk_server_syslog field from source field.