SBM Labs

Cyber Security Collaboration Project

Log file transfer using Syslog
21 Feb 2015

Introduction.

An application on the host hostName1 writes audit events to a log file and cannot send them to another server for further analysis, so we need to configure transfer of that log file to the host hostName2.

Solution.

We will use rsyslog for this purpose: the imfile input module reads the file on hostName1 and forwards each line to rsyslog on hostName2, which writes it back into a file there.

Example of use.

1. Connect to the host hostName2.

2. Open rsyslog configuration file.

# vim /etc/rsyslog.d/custom.conf

3. Add these lines to the file custom.conf. The first two load rsyslog's TCP input module and listen on port 514, which is where the "@@hostName2" action configured on hostName1 delivers; leave them out if hostName2 already accepts TCP syslog.

$ModLoad imtcp
$InputTCPServerRun 514
:syslogtag, contains, "customTag" /path/to/logfile
:syslogtag, contains, "customTag" ~

4. Restart rsyslog.

# /etc/init.d/rsyslog restart

5. Connect to the host hostName1.

6. Open rsyslog configuration file.

# vim /etc/rsyslog.d/custom.conf

7. Add these lines to the file custom.conf. The imfile module tails /path/to/logfile and tags every line with customTag; the "@@hostName2" action forwards the tagged messages over TCP (port 514 by default; a single "@" would use UDP), and the final "~" line discards them so they are not also written to the local syslog files. This forwards the audit log in plaintext with no peer authentication, so on an untrusted network use rsyslog's TLS network stream driver or a tunnel between the hosts.

$ModLoad imfile
$InputFileName /path/to/logfile
$InputFileTag customTag:
$InputFileStateFile logfile_state
$InputRunFileMonitor
:syslogtag, contains, "customTag" @@hostName2
:syslogtag, contains, "customTag" ~

8. Restart rsyslog.

# /etc/init.d/rsyslog restart
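What travels between the two hosts and how the two filter lines on hostName2 act on it, as an added Python model (not code from this post or from rsyslog): the frame layout is an assumption modelled on rsyslog's traditional forward format, and the sample stream is constructed. It also shows the caveat that "contains" is a substring test, so any tag that merely includes "customTag" is captured as well.

```python
import re
# Constructed sample of the stream hostName1 sends to hostName2 over "@@": one
# newline-terminated RFC 3164 line per event. The layout is an assumption modelled
# on rsyslog's traditional forward format, not captured traffic. imfile defaults
# are facility local0 (16) and severity notice (5), so PRI = 16*8+5 = 133.
SAMPLE_STREAM = (
    "<133>Feb 21 10:00:01 hostName1 customTag: user=alice action=login result=ok\n"
    "<133>Feb 21 10:00:02 hostName1 customTag: user=bob action=login result=fail\n"
    "<38>Feb 21 10:00:03 hostName1 sshd[1234]: Accepted publickey for alice\n"
    "<133>Feb 21 10:00:04 hostName1 mycustomTag2: another app whose tag also contains the needle\n"
)

# Simplified header parser: <PRI>TIMESTAMP HOST TAG MSG. rsyslog's syslogtag property
# keeps the trailing colon (and any [pid]), so the tag token is matched as-is.
FRAME_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+) ?(.*)$")

def build_frame(host, tag, msg, facility=16, severity=5, timestamp="Feb 21 10:00:01"):
    """Frame one event the way the forwarding action on hostName1 would (assumed format)."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {tag} {msg}\n"

def parse_frame(line):
    """Split one received line into its fields; returns None for a malformed line."""
    m = FRAME_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}

def tag_contains(tag, needle):
    """Model of ':syslogtag, contains, ...': a case-sensitive substring test, not equality."""
    return needle in tag

def route(stream, needle="customTag"):
    """Apply hostName2's two-line rule chain: a matching message is written to the
    log file and then discarded by '~', so it never reaches the default rules;
    everything else falls through untouched."""
    written, fallthrough = [], []
    for line in stream.splitlines():
        event = parse_frame(line)
        if event is None:
            continue  # malformed input is simply ignored in this model
        if tag_contains(event["tag"], needle):
            written.append(f'{event["host"]} {event["tag"]} {event["msg"]}')
        else:
            fallthrough.append(event["tag"])
    return written, fallthrough
```

Running route(SAMPLE_STREAM) captures three lines, including the one tagged mycustomTag2, while the sshd message falls through to the default rules; use an exact tag (for example "customTag:") in the filter if that overlap matters.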
