
rsyslog

Overview

rsyslog is the default syslog daemon on most Linux distributions. Configure rsyslog to forward logs to KYRA Collector for centralized security monitoring.

Basic Configuration

/etc/rsyslog.d/60-kyra-mdr.conf
# Forward everything over TCP (@@). A single @ would select UDP, which silently
# drops messages under load. TCP alone still loses messages that are pending
# while the collector is down; the disk-assisted queue below covers that case.
# Port 514 is plaintext: use the TLS section for anything that crosses a network.
*.* @@<COLLECTOR_IP>:514
# Alternative: forward only authentication and kernel messages. Use either this
# pair or the *.* rule above, never both, or each matching message is sent twice.
auth,authpriv.* @@<COLLECTOR_IP>:514
kern.* @@<COLLECTOR_IP>:514

RFC 5424 Template

Use the RFC 5424 wire format so the collector receives explicit app-name, process ID, message ID and structured-data fields instead of guessing them from a free-form RFC 3164 line. The template below is the same string as rsyslog's built-in RSYSLOG_SyslogProtocol23Format; the `;KyraFormat` suffix on the forwarding rule applies it to that action:

/etc/rsyslog.d/60-kyra-mdr.conf
# RFC 5424 structured format: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
template(name="KyraFormat" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")
*.* @@<COLLECTOR_IP>:514;KyraFormat

JSON Template

For newline-delimited JSON (one object per line), which most collectors parse without a syslog grammar. Every property that can carry quotes, backslashes or control characters is emitted with format="json", which escapes the value for use inside a JSON string; format="jsonf" is a different thing (it emits a complete "name":"value" pair) and would break the quoting the surrounding constants provide:

/etc/rsyslog.d/60-kyra-mdr.conf
template(name="KyraJSON" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")     property(name="hostname" format="json")
    constant(value="\",\"program\":\"")  property(name="programname" format="json")
    constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
    # msg is attacker-influenced free text: JSON-escape it, never embed it raw
    constant(value="\",\"message\":\"")  property(name="msg" format="json")
    constant(value="\"}\n")
}
*.* @@<COLLECTOR_IP>:514;KyraJSON

TLS Encrypted Forwarding

Plain syslog on port 514 crosses the network unencrypted and unauthenticated. For encrypted, mutually authenticated transport, first install the GnuTLS network stream driver, then replace the plaintext forwarding rule with the TLS action below. Keeping both sends every message twice, once in cleartext.

# Install the TLS network stream driver (Debian/Ubuntu)
sudo apt install rsyslog-gnutls

/etc/rsyslog.d/60-kyra-mdr-tls.conf
# Select the GnuTLS driver, the CA that signs the collector's certificate,
# and this host's client identity. The key must be readable by the user
# rsyslog runs as (the syslog user on Ubuntu) but not world-readable.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem"
)
# A template must be defined before an action names it. rsyslog reads
# /etc/rsyslog.d/*.conf in sort order, and 60-kyra-mdr-tls.conf sorts BEFORE
# 60-kyra-mdr.conf, so either copy the KyraFormat template into this file or
# keep template and action together in a single file.
#
# Forward via TLS on port 6514. StreamDriverMode 1 enables TLS; x509/name
# validates the collector's certificate chain against ca.pem AND requires a
# dNSName SAN (or the CN) of that certificate to equal the permitted peer name.
action(type="omfwd"
    target="<COLLECTOR_IP>"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="collector.kyra-mdr.local"
    template="KyraFormat"
)
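The script below is an added example, not part of the KYRA documentation or of rsyslog. It checks, before rsyslog is restarted, the three files the global() stanza points at (chain to the CA, key matches the certificate, key not world-readable) and whether the name given as StreamDriverPermittedPeers is actually an identity in the collector's certificate, which is what x509/name authentication compares. File paths and the peer name collector.kyra-mdr.local are placeholders; make_demo_pki generates constructed throwaway certificates so the checks can be exercised without real collector files. It relies on the openssl command line and GNU stat.

```shell
#!/bin/sh
# Added example (not from the KYRA page or rsyslog): pre-flight checks for
# the gtls client files and the permitted peer name. Placeholders throughout.
set -eu

# Return 0 when CERT chains to CA, KEY is the private key for CERT, and KEY
# is not readable by "others". Non-zero codes name the failing check:
# 1 = chain, 2 = key does not belong to cert, 3 = world-readable key.
check_client_material() {
    ca="$1"; cert="$2"; key="$3"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    # The SubjectPublicKeyInfo in the cert must equal the one derived from the key
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 2
    # GNU stat prints the octal mode; the last digit is the "others" permission set
    case "$(stat -c '%a' "$key")" in
        *[1-7]) return 3 ;;
    esac
    return 0
}

# Return 0 when PEER is an identity in CERT: the dNSName SANs are checked
# first, then the subject CN, mirroring what x509/name accepts.
check_permitted_peer() {
    cert="$1"; peer="$2"
    if openssl x509 -in "$cert" -noout -text \
            | grep -A1 'Subject Alternative Name' | tail -n 1 \
            | tr ',' '\n' | sed 's/^[[:space:]]*//' \
            | grep -qxF "DNS:$peer"; then
        return 0
    fi
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=//; s/^[[:space:]]*//' | tr ',' '\n' \
        | grep -qxF "CN=$peer"
}

# Constructed throwaway PKI for trying the checks: a CA, a collector cert
# whose SAN (not its CN) carries the peer name, and a client cert. One day
# of validity; never use this material outside a test.
make_demo_pki() {
    dir="$1"; peer="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo KYRA CA" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$peer" > "$dir/collector.ext"
    for name in collector client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" 2>/dev/null
    done
    openssl x509 -req -in "$dir/collector.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 1 -extfile "$dir/collector.ext" -out "$dir/collector.pem" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 1 -out "$dir/client-cert.pem" 2>/dev/null
    chmod 640 "$dir/client-key.pem"
}

# Run with the argument "demo" to exercise both checks against the throwaway PKI.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_demo_pki "$tmp" collector.kyra-mdr.local
    rc=0; check_client_material "$tmp/ca.pem" "$tmp/client-cert.pem" "$tmp/client-key.pem" || rc=$?
    echo "client material check: $rc (0 ok, 1 chain, 2 key mismatch, 3 world-readable key)"
    rc=0; check_permitted_peer "$tmp/collector.pem" collector.kyra-mdr.local || rc=$?
    echo "permitted peer check: $rc (0 = name present in collector certificate)"
    rm -rf "$tmp"
fi
```

Against a real deployment, run `check_client_material /etc/rsyslog.d/ca.pem /etc/rsyslog.d/client-cert.pem /etc/rsyslog.d/client-key.pem` as root, and feed `check_permitted_peer` the collector's certificate as served (for example saved from `openssl s_client -connect <COLLECTOR_IP>:6514 -showcerts`). A non-zero result here is the same failure that otherwise surfaces only as a TLS handshake error in the rsyslog journal after restart.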

Disk-Assisted Queue (Reliable Delivery)

Prevent log loss during network outages. With its default queue an omfwd action has no disk buffer, so messages pending while the collector is unreachable do not survive a rsyslog restart. A disk-assisted queue spills to files in the work directory (/var/spool/rsyslog on Debian/Ubuntu, which must exist and be writable by rsyslog) once the in-memory part fills, and the action retries until the collector is back. Use this action instead of the `*.* @@` rule, not alongside it:

/etc/rsyslog.d/60-kyra-mdr.conf
# Forwarding action with disk-assisted buffering
action(type="omfwd"
    target="<COLLECTOR_IP>"
    port="514"
    protocol="tcp"
    template="KyraFormat"
    # In-memory linked-list queue that spills to files named
    # kyra_mdr_fwd.* in the work directory
    queue.type="LinkedList"
    queue.filename="kyra_mdr_fwd"
    # Cap on disk used by the queue files
    queue.maxDiskSpace="1g"
    # Flush the in-memory part to disk at shutdown so it survives a restart
    queue.saveOnShutdown="on"
    # Up to 50000 messages in memory; start writing to disk at 40000
    # and return to memory-only operation once below 20000
    queue.size="50000"
    queue.highWatermark="40000"
    queue.lowWatermark="20000"
    # Pause (microseconds) between dequeue operations to smooth bursts; 0 disables
    queue.dequeueSlowdown="500"
    # Retry a failed connection indefinitely, every 30 seconds
    action.resumeRetryCount="-1"
    action.resumeInterval="30"
)
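The template, the TLS action and the queue settings above are shown as separate fragments that all claim the same file name, and in practice they have to end up as one action in one file: the template must be defined before the action names it, and only one rule may forward to the collector. The script below is an added example (not the page's own file, and not from rsyslog) that writes that merged file from a collector address and peer name passed as arguments, then counts how many uncommented rules in a rsyslog.d directory still point at the collector, so a leftover plaintext `*.* @@` rule is caught before restart. Paths under /etc/rsyslog.d and the sample address 10.0.0.5 are placeholders.

```shell
#!/bin/sh
# Added example (not from the KYRA page or rsyslog): merge the page's
# fragments into one file with one forwarding action, and audit the
# directory for duplicate forwarders. Addresses and paths are placeholders.
set -eu

# Render the merged 60-kyra-mdr.conf to OUT for COLLECTOR and PEER.
# The heredoc is quoted, so the rsyslog "\n" stays literal; placeholders
# are substituted afterwards with sed.
write_kyra_config() {
    out="$1"; collector="$2"; peer="$3"
    cat <<'EOF' | sed -e "s|__COLLECTOR__|$collector|g" -e "s|__PEER__|$peer|g" > "$out"
# Generated by write_kyra_config; replaces the separate 60-kyra-mdr*.conf fragments
template(name="KyraFormat" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/client-key.pem"
)

# One action: TLS transport with a disk-assisted queue behind it
action(type="omfwd"
    target="__COLLECTOR__" port="6514" protocol="tcp"
    StreamDriver="gtls" StreamDriverMode="1"
    StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="__PEER__"
    template="KyraFormat"
    queue.type="LinkedList" queue.filename="kyra_mdr_fwd"
    queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
    queue.size="50000" queue.highWatermark="40000" queue.lowWatermark="20000"
    action.resumeRetryCount="-1" action.resumeInterval="30"
)
EOF
    chmod 0644 "$out"
}

# Print the number of uncommented rules in DIR/*.conf that forward to
# COLLECTOR, in either the legacy "@host:" / "@@host:" form or
# action(... target="host"). Anything above 1 means each message is sent
# more than once, typically a plaintext rule left next to the TLS action.
count_forwarders() {
    dir="$1"
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    grep -h -E "^[^#]*(@@?${esc}:|target=\"${esc}\")" "$dir"/*.conf 2>/dev/null \
        | wc -l | tr -d ' '
}

# Usage (as root):
#   write_kyra_config /etc/rsyslog.d/60-kyra-mdr.conf 10.0.0.5 collector.kyra-mdr.local
#   count_forwarders /etc/rsyslog.d 10.0.0.5      # expect "1"
#   rsyslogd -N1 && systemctl restart rsyslog
```

Remove the individual fragments from the earlier sections once the merged file is in place; count_forwarders reporting anything other than 1 is the signal that one of them is still active.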

File Monitoring with imfile

Monitor application log files that do not go through syslog and forward them as tagged syslog messages:

/etc/rsyslog.d/61-kyra-appfiles.conf
# PollingInterval only matters where inotify is unavailable; on Linux imfile uses inotify
module(load="imfile" PollingInterval="5")
# Monitor application logs. A wildcard in File= is supported in inotify mode.
# rsyslog 8 names its state files automatically; the legacy StateFile parameter
# is deprecated and cannot be combined with a wildcard File=, so it is omitted.
input(type="imfile"
    File="/var/log/myapp/*.log"
    Tag="myapp:"
    Severity="info"
    Facility="local1"
    reopenOnTruncate="on"
)
# Monitor the audit log. auditd creates audit.log mode 0600, owner root, so on
# Ubuntu (rsyslog runs as the syslog user) grant read access first, e.g. via
# auditd's log_group setting or an ACL, or have auditd's syslog dispatcher
# plugin deliver the records instead of reading the file.
input(type="imfile"
    File="/var/log/audit/audit.log"
    Tag="audit:"
    Severity="warning"
    Facility="local2"
)
# Forward the tagged records. These rules are only needed with the selective
# (auth/kern) configuration; with the *.* rule every local1/local2 message is
# forwarded already, and these lines would send it a second time.
local1.* @@<COLLECTOR_IP>:514
local2.* @@<COLLECTOR_IP>:514

Apply and Verify

# Validate the full configuration; exit status 0 with no error lines means it parsed
sudo rsyslogd -N1
# Restart rsyslog and confirm it stayed up
sudo systemctl restart rsyslog
sudo systemctl status rsyslog
# Send a test message; -p auth.info makes it match the auth,authpriv selector as well as *.*
logger -t kyra-test -p auth.info "KYRA MDR test message"
# Watch forwarded traffic leave the host. This only works for plaintext on 514;
# for the TLS setup the payload on 6514 is opaque, so confirm the established
# TCP session to the collector with ss and check the journal instead.
sudo tcpdump -i any -nn port 514 -c 5
# Runtime problems (template not found, TLS handshake, queue or permission errors)
# are not reported by -N1; they appear in the journal after the restart
sudo journalctl -u rsyslog --since "5 minutes ago" --no-pager

Rate Limiting

Prevent log flooding from noisy applications. This rate limit belongs to imuxsock and applies only to what local processes write to /dev/log, not to imfile inputs or to the forwarding queue. It is counted per sending process, and messages over the limit are dropped (with a single "begins to drop messages" notice), not queued, so size the burst for the noisiest legitimate service rather than the average rate. The same settings exist as the SysSock.RateLimit.Interval and SysSock.RateLimit.Burst parameters of module(load="imuxsock"), which the stock /etc/rsyslog.conf already loads; do not add a second module(load="imuxsock") in rsyslog.d, use the legacy directives below or edit the existing module line:

/etc/rsyslog.d/59-ratelimit.conf
# Allow at most 2000 messages per 60-second interval from any one process on the
# system log socket; further messages within that interval are dropped
$SystemLogRateLimitInterval 60
$SystemLogRateLimitBurst 2000

Contact kyra@seekerslab.com for integration support.