
Linux Syslog Integration

Overview

This integration collects SSH authentication, sudo usage, user management, cron jobs, and system event logs from Linux servers using the built-in rsyslog service. No additional agent is required.

Supported OS: CentOS, Rocky Linux, Ubuntu, Debian


Prerequisites

  • A KYRA MDR Collector installed and running (Installation Guide)
  • Root or sudo access on the Linux server
  • Network connectivity from the server to the collector on TCP or UDP port 514 (TCP recommended). Plain syslog on port 514 is not encrypted, so this path should run over a trusted network.

Configuration

Step 1: Configure rsyslog

Add one of the following lines to /etc/rsyslog.conf, or put it in a new file under /etc/rsyslog.d/ (for example /etc/rsyslog.d/kyra.conf). Use only one of the two forms: @@ forwards over TCP, a single @ over UDP. The *.* selector forwards every facility at every priority, so the auth, authpriv, cron and daemon messages listed under Collected Log Types are all included. Replace KYRA_COLLECTOR_IP with the collector's address.

# TCP (recommended for reliable delivery)
*.* @@KYRA_COLLECTOR_IP:514
# UDP (alternative; lost datagrams are not retransmitted)
*.* @KYRA_COLLECTOR_IP:514

Restart rsyslog:

sudo systemctl restart rsyslog

Step 2 (optional): Configure auditd

rsyslog covers logins, sudo and cron. For file-access and command-execution auditing, add audit rules. Write them to /etc/audit/audit.rules or, on distributions that generate that file from /etc/audit/rules.d/ with augenrules (the default on current releases), to a file under /etc/audit/rules.d/ so they are not overwritten:

/etc/audit/audit.rules
-w /etc/passwd -p wa -k user_changes
-w /etc/shadow -p wa -k password_changes
-a always,exit -F arch=b64 -S execve -k command_execution

The two -w rules record writes and attribute changes to the account databases. The -a rule records every execve call, which gives full command-line visibility but is high volume, and it matches only the 64-bit ABI: add an identical rule with arch=b32 on hosts that can run 32-bit binaries. Load the rules with augenrules --load (or auditctl -R on systems without augenrules) and confirm with auditctl -l.

Forward audit logs via audisp-remote to the KYRA Collector. audisp-remote uses auditd's own remote-logging protocol rather than syslog: enable the au-remote plugin (/etc/audit/plugins.d/au-remote.conf, or /etc/audisp/plugins.d/au-remote.conf on older releases) and set remote_server in audisp-remote.conf to the collector address. The collector must accept that protocol separately from the syslog listener on port 514 (audisp-remote defaults to TCP port 60).

Step 3: Verify Logs

Run the first command on the Linux server while a login, sudo command or cron job generates a message; run the second on the collector host.

# Check syslog is sending (on the server): capture five packets to port 514
sudo tcpdump -i any port 514 -c 5
# Check the collector is receiving (on the collector host)
sudo journalctl -u kyra-collector --since "5 minutes ago"
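The three steps above as one script. This is an added example, not part of the KYRA documentation or the collector's own tooling; it assumes rsyslog 8 (RainerScript syntax), auditd with augenrules, and a collector listening on 514/tcp or udp. The file names /etc/rsyslog.d/50-kyra.conf and /etc/audit/rules.d/50-kyra.rules and the queue sizes are choices made here, not values from the page. It writes the forwarder as an action() with a disk-assisted queue, because the legacy "*.* @@host" line discards messages while the collector is unreachable, and it adds the 32-bit execve rule and an auid filter to the audit rules.

```shell
#!/bin/sh
# Added example (not KYRA's code): generate, validate and apply the rsyslog
# forwarder and auditd rules, then run the Step 3 check.
# Assumptions: rsyslog 8, auditd with augenrules, collector on port 514.
set -eu

# Return 0 only for a well-formed dotted-quad IPv4 address.
is_ipv4() {
  case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Step 1: print an rsyslog drop-in.  The disk-assisted queue spools messages
# under the rsyslog work directory while the collector is down, and
# resumeRetryCount=-1 retries forever instead of discarding them.
kyra_rsyslog_conf() {  # $1 = collector IP, $2 = tcp|udp
  is_ipv4 "$1" || { echo "kyra_rsyslog_conf: bad collector IP '$1'" >&2; return 1; }
  case "$2" in tcp|udp) ;; *) echo "protocol must be tcp or udp" >&2; return 1 ;; esac
  cat <<EOF
# Forward everything to the KYRA collector (generated; file name is an example)
*.* action(
  type="omfwd"
  target="$1"
  port="514"
  protocol="$2"
  queue.type="LinkedList"
  queue.filename="kyra_fwd"
  queue.maxDiskSpace="1g"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)
EOF
}

# Step 2: print audit rules.  Both ABIs are listed because a 32-bit binary
# would bypass a b64-only execve rule; auid>=1000 and auid!=unset restrict
# command logging to real login sessions, which keeps daemon noise down.
kyra_audit_rules() {
  cat <<'EOF'
-D
-b 8192
-f 1
-w /etc/passwd -p wa -k user_changes
-w /etc/shadow -p wa -k password_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /etc/ssh/sshd_config -p wa -k sshd_config
-w /etc/cron.d/ -p wa -k cron_changes
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k command_execution
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k command_execution
EOF
}

# Write both files, syntax-check rsyslog before restarting, load audit rules.
kyra_install() {  # $1 = collector IP, $2 = tcp|udp
  [ "$(id -u)" -eq 0 ] || { echo "kyra_install: run as root" >&2; return 1; }
  kyra_rsyslog_conf "$1" "$2" > /etc/rsyslog.d/50-kyra.conf
  rsyslogd -N1 >/dev/null 2>&1 || { echo "rsyslog config check failed" >&2; return 1; }
  systemctl restart rsyslog
  kyra_audit_rules > /etc/audit/rules.d/50-kyra.rules
  augenrules --load
}

# Step 3: send a marker through the auth facility, show the TCP session to
# port 514, and tell the operator what to search for on the collector.
kyra_verify() {
  marker="kyra-test-$(hostname)-$$"
  logger -p auth.notice -t kyra-test "$marker"
  ss -tn | awk 'NR > 1 && $5 ~ /:514$/ { print "forwarding session:", $0 }'
  echo "search the collector for: $marker"
}

case "${1:-}" in
  install) kyra_install "${2:?collector IP required}" "${3:-tcp}" ;;
  verify)  kyra_verify ;;
esac
```

Usage: sudo ./kyra-syslog.sh install 10.0.0.5 tcp, then ./kyra-syslog.sh verify. The queue.filename parameter needs rsyslog's work directory to exist; the stock rsyslog.conf sets it to /var/spool/rsyslog on Debian/Ubuntu and /var/lib/rsyslog on CentOS/Rocky. If the session line from ss is absent after the restart, the collector is not reachable on 514/tcp and rsyslog is spooling to that directory.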

Collected Log Types

Source File is where the server writes the message locally; forwarding is by facility (the *.* selector), so the local path does not affect what reaches the collector.

Log Type | Source File | Security Use | Priority
SSH login | /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (CentOS/Rocky) | Brute force, unauthorized access | Critical
sudo usage | /var/log/auth.log or /var/log/secure | Privilege escalation detection | High
User management | /var/log/auth.log or /var/log/secure | Backdoor account creation | Critical
cron execution | /var/log/cron (CentOS/Rocky) or /var/log/syslog (Ubuntu/Debian) | Malicious scheduled tasks (persistence) | High
Service start/stop | systemd journal | Service tampering detection | Medium
Firewall logs | /var/log/messages (CentOS/Rocky) or /var/log/kern.log (Ubuntu/Debian) | iptables/firewalld block events | Medium
auditd | /var/log/audit/audit.log | File access, process execution | High
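What the Critical and High rows look like once the lines arrive, as an added example that is not part of the KYRA documentation: awk-based triage of forwarded auth-facility lines for SSH brute force, sudo usage and account creation. The log lines in sample_log are constructed for this example (hostname web1 and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation placeholders), and the brute-force threshold is a choice made here.

```shell
#!/bin/sh
# Added example (not KYRA's code): triage auth-facility syslog lines for the
# patterns in the Collected Log Types table.  Sample lines are constructed.
set -eu

# Constructed sample: four failures from one source, one from another, a
# successful key login, then a sudo call and the account it creates.
sample_log() {
  cat <<'EOF'
Mar  3 10:14:55 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Mar  3 10:14:57 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51830 ssh2
Mar  3 10:14:59 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51841 ssh2
Mar  3 10:15:01 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51850 ssh2
Mar  3 10:15:02 web1 sshd[2210]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Mar  3 10:15:20 web1 sshd[2212]: Accepted publickey for alice from 198.51.100.9 port 40112 ssh2
Mar  3 10:16:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m -s /bin/bash backdoor
Mar  3 10:16:02 web1 useradd[2300]: new user: name=backdoor, UID=1001, GID=1001, home=/home/backdoor, shell=/bin/bash, from=/dev/pts/0
EOF
}

# Brute force: count "Failed password" per source IP and print "<ip> <count>"
# for sources at or above the threshold (default 5).  Failures for valid and
# invalid user names both count, since a spray hits both.
ssh_bruteforce() {
  awk -v thr="${1:-5}" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }' | sort
}

# Privilege escalation: one line per sudo call as "<user> <target> <command>".
sudo_commands() {
  awk '/ sudo: / && /COMMAND=/ {
    match($0, /USER=[^ ]+/);  target = substr($0, RSTART + 5, RLENGTH - 5)
    match($0, /COMMAND=.*/);  cmd = substr($0, RSTART + 8)
    print $6, target, cmd
  }'
}

# Backdoor accounts: every useradd "new user" record as "<name> <uid>".
# A UID of 0 here is a second root account and needs immediate attention.
new_accounts() {
  awk '/useradd\[[0-9]+\]: new user: / {
    match($0, /name=[^,]+/); name = substr($0, RSTART + 5, RLENGTH - 5)
    match($0, /UID=[0-9]+/);  uid = substr($0, RSTART + 4, RLENGTH - 4)
    print name, uid
  }'
}

# Stand-alone run: pass a file such as /var/log/auth.log, or use the sample.
log_source() { if [ -n "${1:-}" ]; then cat "$1"; else sample_log; fi; }
echo "== SSH brute force (>= 3 failures) =="; log_source "${1:-}" | ssh_bruteforce 3
echo "== sudo commands ==";                  log_source "${1:-}" | sudo_commands
echo "== new accounts ==";                   log_source "${1:-}" | new_accounts
```

On the sample the script reports 203.0.113.7 with 4 failures, alice running useradd as root, and the new account backdoor with UID 1001; alice's single failure from 198.51.100.9 followed by a successful key login is the normal mistyped-password case and stays below the threshold. On CentOS/Rocky the same functions apply to /var/log/secure, and on the collector to whatever the forwarded auth facility is stored in.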

Troubleshooting

No Logs Received

  1. Verify rsyslog is running: systemctl status rsyslog
  2. Check that the collector IP is correct in the rsyslog configuration and that only one forwarding line (TCP or UDP) is active
  3. Ensure no firewall rules block port 514, outbound on the server or inbound on the collector

Missing Auth Logs

  • On Ubuntu/Debian, auth logs are written to /var/log/auth.log
  • On CentOS/Rocky/RHEL, auth logs are written to /var/log/secure
  • If you narrowed the *.* selector, make sure it still includes the auth and authpriv facilities: sshd logs to auth and sudo to authpriv by default

For additional help, contact kyra@seekerslab.com.