Efficient log management is crucial for system administrators and security professionals. Centralizing logs from multiple machines simplifies troubleshooting and enhances security monitoring. In this comprehensive guide, we’ll walk you through deploying a syslog server on CentOS and configuring a Kali Linux client to send its logs to the syslog server.

Deploying a Syslog Server on Linux

Section 1: Understanding the Need for a Centralized Syslog Server

In environments with multiple servers or machines, managing logs individually becomes cumbersome. Syslog allows you to aggregate logs from various devices into a single server, streamlining the process of monitoring and analyzing system events.

Benefits of Centralizing Logs

• Simplified Troubleshooting: Quickly identify and resolve issues across multiple systems.
• Enhanced Security: Monitor suspicious activities and potential security breaches from one location.
• Resource Management: Efficiently manage system resources by analyzing logs collectively.

Section 2: Deployment Scenario

We’ll set up a syslog server on a CentOS machine and configure a Kali Linux client to forward its logs to this server. The communication between the client and server will occur over port 514, the default port for syslog.

Section 3: Installing Syslog on CentOS

Step 1: Install the rsyslog Package

The rsyslog package is a rocket-fast system for log processing. Install it using the yum command:

sudo yum install rsyslog -y

Step 2: Configure rsyslog

Edit the rsyslog configuration file to enable it to listen for incoming log messages.

sudo vi /etc/rsyslog.conf

Uncomment or add the following lines to enable UDP and TCP reception on port 514:

module(load="imudp")
input(type="imudp" port="514")

module(load="imtcp")
input(type="imtcp" port="514")

Note: Always create a backup of configuration files before making changes.

Step 3: Restart rsyslog and Configure the Firewall

Restart the rsyslog service to apply the changes:

sudo systemctl restart rsyslog

Open port 514 in the firewall for both UDP and TCP protocols:

sudo firewall-cmd --permanent --add-port=514/udp
sudo firewall-cmd --permanent --add-port=514/tcp
sudo firewall-cmd --reload

Your syslog server is now ready to receive logs from clients.

Section 4: Configuring the Syslog Client (Kali Linux)

Step 1: Install rsyslog on the Client

sudo apt update
sudo apt install rsyslog -y

Step 2: Configure rsyslog on the Client

Edit the rsyslog configuration file:

sudo vi /etc/rsyslog.conf

Add the following line at the end of the file to forward all logs to the syslog server (replace 192.168.3.234 with your server’s IP address):

*.* @192.168.3.234:514

Step 3: Restart rsyslog Service on the Client

sudo systemctl restart rsyslog

Section 5: Verification and Testing

On the Server Side

Monitor the /var/log/messages file to see incoming logs:

sudo tail -f /var/log/messages

On the Client Side

Send a test log message:

logger "This is a test message from the Kali Linux client."

Expected Result

You should see the test message appear in the server’s log file, confirming that the syslog server is correctly receiving logs from the client.

Section 6: Conclusion

By centralizing logs using a syslog server, you enhance your ability to monitor and troubleshoot your network effectively. This setup is essential for maintaining system health and security across multiple machines.

For more advanced log management solutions, stay tuned for our upcoming posts where we’ll integrate Python with rsyslog for an interactive event log analyzer.