Linux Systems
Cyderes supports ingestion of Linux system logs (syslog-style text logs collected from the host). For background on Linux itself, see What is Linux.
Chronicle Data Types
- LINUX_OS
Configuration
Follow these steps to configure logging (rsyslog or syslog-ng)
Follow these steps to configure logging (NXLog)
Paths to monitor: Common
- /var/log/syslog (General system activity logs)
- /var/log/auth.log (Authentication & authorization logs)
- /var/log/kern.log (Kernel activity logs)
- /var/log/faillog (Failed login attempt records; note this is a binary database read with faillog(8), not a text log that can be tailed)
- /var/log/maillog (Mail server logs)
Paths to monitor: Comprehensive
- /var/log/syslog or /var/log/messages (General system activity logs)
- /var/log/auth.log or /var/log/secure (Authentication & authorization logs)
- /var/log/boot.log (Startup message logs)
- /var/log/maillog or /var/log/mail.log (Mail server logs)
- /var/log/kern.log (Kernel activity logs)
- /var/log/dmesg (Kernel ring buffer captured at boot: device and driver messages)
- /var/log/faillog (Failed login attempt records; binary database read with faillog(8), not a tailable text log)
- /var/log/cron (Cron jobs or cron daemon logs)
- /var/log/yum.log (YUM package manager logs)
- /var/log/httpd/ (Apache HTTP server access and error logs)
- /var/log/mysqld.log or /var/log/mysql.log (MySQL logs)
Which name in each "or" pair exists depends on the distribution: Debian and Ubuntu write syslog, auth.log and mail.log; RHEL, CentOS and Fedora write messages, secure and maillog. Files such as the httpd and MySQL logs are written directly by the application rather than through syslog, so they reach the forwarder only if the local syslog daemon is configured to read them (rsyslog imfile, syslog-ng file() source, or NXLog im_file).
Rsyslog configuration example (RainerScript syntax; place it in a file under /etc/rsyslog.d/). The template reproduces rsyslog's built-in RSYSLOG_ForwardFormat (RFC 3164 framing with an RFC 3339 timestamp, tag truncated to 32 characters), and the action forwards every message at severity info or higher over TCP through a disk-assisted queue so that messages are retained while the target is unreachable or across a restart:
# Outgoing line format: <PRI>TIMESTAMP HOSTNAME TAG MSG
template(
    name="SendRemoteLogs"
    type="string"
    string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"
)
# Forward *.info and above. LinkedList plus queue.filename gives an in-memory
# queue that spills to disk (up to 1 GB) and is saved on shutdown;
# resumeRetryCount limits how often a failed send is retried before the
# message is discarded ("-1" retries forever).
*.info action(type="omfwd"
    action.resumeRetryCount="100"
    queue.size="10000"
    queue.maxdiskspace="1g"
    queue.type="LinkedList"
    queue.filename="remote"
    queue.saveOnShutdown="on"
    template="SendRemoteLogs"
    target="forwarder or LB hostname" port="cyderes issued port" protocol="tcp"
)
Replace the target and port placeholders with the values issued for your forwarder, validate the configuration with rsyslogd -N1 before restarting rsyslog, and confirm delivery with a test message such as logger -p auth.info "chronicle forwarding test". Note that protocol="tcp" sends the logs in clear text; if the path to the forwarder or load balancer crosses an untrusted network, use rsyslog's TLS transport for omfwd (StreamDriver="gtls", StreamDriverMode="1", StreamDriverAuthMode="x509/name" with the forwarder's certificate) or terminate TLS at a forwarder on the same host.
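The "Comprehensive" list includes files that never pass through syslog(3) (the httpd, MySQL, yum and, on some distributions, cron logs), and the rsyslog action above only forwards what rsyslog itself receives. The script below is an added example, not Cyderes-supplied configuration: a POSIX sh generator that emits one rsyslog imfile input() stanza per listed path that actually exists on the host, resolving the distribution alternatives in the list, turning the httpd directory into a wildcard, and refusing to tail the binary faillog/wtmp/btmp databases. The Facility (local0), the Tag derived from the file's basename, and the output filename in the usage comment are assumptions; Severity is set to info so the page's *.info selector picks the lines up.

```shell
#!/bin/sh
# Added example (not from the Cyderes page): emit rsyslog imfile input()
# stanzas for the page's listed log files that exist on this host, so files
# written directly by applications are forwarded alongside ordinary syslog.
# Assumptions: Facility local0, a "<basename>:" Tag and Severity info are
# illustrative; the Severity is chosen so the page's "*.info" action forwards
# these lines.

# Candidate paths from the "Comprehensive" list. Distribution alternatives
# (syslog/messages, auth.log/secure, maillog/mail.log) are all listed; only
# the ones present are emitted. The httpd directory becomes a wildcard.
CANDIDATES="/var/log/syslog /var/log/messages
/var/log/auth.log /var/log/secure
/var/log/boot.log
/var/log/maillog /var/log/mail.log
/var/log/kern.log /var/log/dmesg
/var/log/cron /var/log/yum.log
/var/log/httpd
/var/log/mysqld.log /var/log/mysql.log"

# /var/log/faillog (like wtmp and btmp) is a binary database, read with
# faillog(8) and last(1); tailing it as text yields garbage. Never emit an
# input() for these even if they exist.
SKIP="/var/log/faillog /var/log/wtmp /var/log/btmp"

# gen_imfile_conf ROOT
#   ROOT is a prefix prepended to each path when testing for existence
#   (empty on a real host; a temporary directory in a test). The File=
#   values written out are always the real /var/log paths.
gen_imfile_conf() {
    root=${1:-}
    printf 'module(load="imfile")\n'
    for p in $CANDIDATES; do
        case " $SKIP " in *" $p "*) continue ;; esac
        if [ -d "$root$p" ]; then
            file="$p/*"            # directory: imfile wildcard over its files
        elif [ -f "$root$p" ]; then
            file="$p"
        else
            continue               # not present on this distribution
        fi
        # Tag from the basename: "/var/log/auth.log" -> "auth_log:"
        tag=$(basename "$p" | sed 's/[^A-Za-z0-9]/_/g')
        printf 'input(type="imfile" File="%s" Tag="%s:" Severity="info" Facility="local0")\n' \
            "$file" "$tag"
    done
}

# count_inputs ROOT: number of input() stanzas that gen_imfile_conf emits.
count_inputs() {
    gen_imfile_conf "$1" | grep -c '^input('
}

# Usage (filename is an assumption):
#   sh gen-imfile.sh > /etc/rsyslog.d/20-chronicle-files.conf
#   rsyslogd -N1 && systemctl restart rsyslog
gen_imfile_conf "${IMFILE_ROOT:-}"
```

rsyslog refuses to load a module twice, so if another file under /etc/rsyslog.d/ already contains module(load="imfile"), drop that line from the generated output. If the Chronicle forwarder or the LINUX_OS parser keys on the syslog tag, adjust the Tag derivation to whatever it expects; the generator only guarantees that each emitted File= path exists and is a text log.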