Set Up Syslog Forwarding to LME with Elastic Agent TCP Integration

Syslog Forwarding

Logging Made Easy (LME) primarily collects host-based logs through installed agents. However, many devices that are critical to monitoring network and infrastructure activity (e.g., firewalls, routers, switches) do not support agent deployment.

To monitor these devices, LME supports syslog forwarding, allowing you to collect and analyze logs from across your network in a centralized platform. In this setup, the LME server acts as the centralized syslog receiver, accepting logs sent from network devices over Transmission Control Protocol (TCP). A TCP listener is configured through Elastic Agent’s Fleet integration to receive the incoming syslog traffic, making it searchable and actionable within Kibana alongside agent-based logs.

This guide provides instructions for setting up syslog forwarding to the LME server using the Elastic Agent's Custom TCP Logs input on the LME side and rsyslog on the sending device. Note that this path carries syslog as cleartext TCP with no authentication of the sender, so restrict access to the listening port on the LME server (for example, with a host firewall) to the devices that are expected to forward logs to it.

Configure the TCP Integration in Kibana

  1. Log into Kibana on the LME Server

    • Navigate to the Kibana server: https://{SERVER_IP}

    • Log in with your username and password.

  2. Access the Fleet Menu

    • Click on the hamburger menu icon in the top left corner (three horizontal lines).

    • Scroll down and click on Fleet.

  3. Access Fleet Server Policy

    • Click on the Agent policies tab.

    • Click on the Fleet-Server-Policy link.

  4. Add Integration

    • Click on the Add integration button.

    • Click on the Custom button in the left panel.

    • Click on the Custom TCP Logs icon.

  5. Configure Settings

    • Click on the Add Custom TCP Logs button.

    • Under the Configure integration section, click on the Change defaults drop-down menu.

    • Provide the following information:

      • Listen Address: 0.0.0.0 (all interfaces of the Fleet Server container; the port only becomes reachable from the network once it is published in the container configuration below)
      • Listen port: 5140
      • Dataset name: tcp.syslog
      • Add appropriate tags (e.g., syslog)
      • Enable Syslog Parsing (decodes the syslog priority, timestamp and hostname from each line into separate fields)
      • Enable Preserve Original Event (keeps the raw line in event.original alongside the parsed fields)
    • Click on the Save and continue button.

Update the Container Configuration

  1. Log in to the Ubuntu server that hosts LME.

  2. Modify the LME Fleet Server quadlet to expose the syslog port:

    • sudo nano /etc/containers/systemd/lme-fleet-server.container
  3. Add port 5140 to the PublishPort directive, keeping the existing 8220 mapping used by Fleet Server:

    • PublishPort=8220:8220,5140:5140
  4. Reloadsystemd and then restart thecontainer:

    • sudo systemctl daemon-reload

    • sudo systemctl restart lme-fleet-server.service

  5. Verify that the port is listening:

    • sudo ss -tulpn | grep 5140

Configure Rsyslog to Forward Logs

  1. On the device that will forward logs, create a custom rsyslog configuration:

    • sudo nano /etc/rsyslog.d/60-forward-tcp.conf
  2. Add the forwarding directive:

    • *.* @@lme-server-ip:5140

Note: Replace lme-server-ip with the IP address of your LME server and ensure it is reachable from the device on TCP port 5140. The double @@ selects TCP; a single @ would send UDP, which the TCP integration configured above does not accept. The *.* selector forwards every facility and severity; narrow it (for example, auth,authpriv.*) if you only want authentication events.

  3. Restart rsyslog:

    • sudo systemctl restart rsyslog

Generate Test Events

  1. On the endpoint that forwards to LME, create real system events to test the setup:

    • ssh nonexistentuser@localhost

    Enter any password at the prompt. sshd logs the invalid user and the failed password attempt to the auth facility, and rsyslog forwards those entries to LME.

Verify in Kibana

  1. If you have not already, generate the failed SSH logins on the endpoint with ssh nonexistentuser@localhost.

  2. Log into Kibana on the LME server.

    • Navigate to the Kibana server: https://{SERVER_IP}

    • Log in with your username and password.

  3. Access the Discover Menu

    • Click on the hamburger menu icon in the top left corner (three horizontal lines).

    • Click on Discover.

  4. Click on the data view drop-down menu and then select logs-*.

  5. In the Filter your data search bar, search for SSH-related entries by typing message:("Failed password" OR "invalid user" OR "authentication failure").

  6. Confirm the failed login attempts were captured. If nothing appears, check that the sending device can reach the LME server on TCP port 5140 and that the port is listening on the LME server (the ss check above).
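The two mechanisms this guide relies on, rsyslog writing RFC 3164 lines over a TCP connection to a listener on the LME side and the Kibana query message:("Failed password" OR "invalid user" OR "authentication failure") picking out the test events, are easier to reason about end to end with a small stand-in. The following is an added example written for this page; it is not LME, Elastic Agent or rsyslog code. It runs a TCP listener on an ephemeral loopback port (standing in for the Custom TCP Logs integration on port 5140), sends it constructed sample events in the newline-delimited format rsyslog uses for @@ forwarding, parses each line's <PRI> header into facility and severity the way the Syslog Parsing option does, and applies the same phrase match the Kibana query expresses. The sample events, hostname and PIDs are made up.

```python
import re
import socket
import threading

# Constructed sample events (not real logs) in the shape rsyslog puts on the
# wire for "*.* @@lme-server-ip:5140": RFC 3164 "<PRI>TIMESTAMP HOST TAG: MSG",
# one event per line. The first three are what "ssh nonexistentuser@localhost"
# typically produces on the endpoint; the last is unrelated noise.
SAMPLE_EVENTS = [
    "<38>Jun 12 10:15:01 endpoint sshd[2210]: Failed password for invalid user "
    "nonexistentuser from 127.0.0.1 port 51234 ssh2",
    "<38>Jun 12 10:15:01 endpoint sshd[2210]: Invalid user nonexistentuser "
    "from 127.0.0.1 port 51234",
    "<86>Jun 12 10:15:03 endpoint sshd[2210]: pam_unix(sshd:auth): "
    "authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1",
    "<30>Jun 12 10:15:05 endpoint systemd[1]: Started Session 42 of user admin.",
]

# RFC 3164 header: <PRI>, a "Mmm dd hh:mm:ss" timestamp, a hostname, then the
# rest of the line (process tag plus free text) kept together as the message.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

# The phrases from the Kibana query
# message:("Failed password" OR "invalid user" OR "authentication failure").
FAILED_LOGIN_TERMS = ("failed password", "invalid user", "authentication failure")


def parse_syslog(line):
    """Decode one RFC 3164 line roughly as the integration's Syslog Parsing
    option does: PRI -> facility/severity, then timestamp, hostname, message.
    Returns None for a line without a valid header (the raw line would still be
    indexed by the integration, just without the parsed fields)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0..23 and severity 0..7 cap PRI at 23*8+7
        return None
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "hostname": m.group(3),
        "message": m.group(4),
        "original": line,  # what "Preserve Original Event" keeps
    }


def is_failed_login(event):
    """Case-insensitive phrase match equivalent to the KQL query above."""
    msg = event["message"].lower()
    return any(term in msg for term in FAILED_LOGIN_TERMS)


def forward_and_collect(lines, host="127.0.0.1"):
    """Stand in for both ends of the page's setup: a TCP listener (the Custom
    TCP Logs integration) on an ephemeral loopback port, and an rsyslog-style
    sender that writes newline-terminated events to it. Returns the parsed
    events the listener received, in order."""
    received = []
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(1)
    port = server.getsockname()[1]

    def listener():
        conn, _ = server.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # sender closed the connection: stream complete
                    break
                buf += chunk
        # Newline framing: one event per line; ignore the empty trailing piece.
        for raw in buf.split(b"\n"):
            if raw:
                event = parse_syslog(raw.decode("utf-8", "replace"))
                if event is not None:
                    received.append(event)

    t = threading.Thread(target=listener, daemon=True)
    t.start()
    with socket.create_connection((host, port)) as client:
        client.sendall("".join(line + "\n" for line in lines).encode())
    t.join(timeout=5)
    server.close()
    return received


def failed_logins(lines=SAMPLE_EVENTS):
    """Run the whole path and return only the events the dashboard metric counts."""
    return [e for e in forward_and_collect(lines) if is_failed_login(e)]


if __name__ == "__main__":
    for e in failed_logins():
        print(f"{e['hostname']} facility={e['facility']} {e['message']}")
```

Run it directly to print the three matching events; the systemd line is received and parsed but filtered out, which is the difference between what the logs-* data view holds and what the failed-login metric counts.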

Create Visualizations

  1. Build a metric visualization for failed login attempts.

  2. In the Filter your data search bar, type message:("Failed password" OR "invalid user" OR "authentication failure").

  3. Add the visualization to the dashboard.