Dell PowerProtect Cyber Recovery 19.13 Security Configuration Guide

Enable the rsyslog client

Enable the rsyslog client to support message logging.

About this task

Rsyslog forwards logs from the client to remote rsyslog servers. Linux administrators can configure the rsyslog client to centralize log files for archiving and troubleshooting.

The following steps apply to a SUSE 12 Cyber Recovery virtual appliance deployment. Your operating system might use syslog instead of rsyslog; however, the steps are similar. See the syslog documentation for information about the version of syslog.

Steps

  1. Edit the /etc/audisp/plugins.d/syslog.conf file so that active = yes, and then save and exit the file.
  2. Edit the /etc/rsyslog.conf file, and then save and exit the file.
    For example, add the following to the /etc/rsyslog.conf file:
    $ModLoad imfile
    $InputFileName /var/log/audit/audit.log
    $InputFileTag tag_audit_log:
    $InputFileStateFile audit_log
    $InputFileSeverity info
    $InputFileFacility local6
    $InputRunFileMonitor
       
    *.* @<Server_IP>:514
    The parameters include:
    Table 1. rsyslog.conf parameters
    Parameter | Description
    --- | ---
    $ModLoad imfile | (optional) The input module that can convert any standard text file into a syslog message.
    $InputFileName | (optional) The name of the file that you want to send to the rsyslog server. NOTE: Rsyslog supports wildcard matching for files and directories. See RSyslog Documentation for more details about wildcards.
    $InputFileTag | (optional) The tag used for messages that originate from this file. You can include a colon after the tag (for example, $InputFileTag tag_audit_log:).
    $InputFileStateFile | (optional) State files track which partitions have been processed for the monitored files. The state files are stored in the rsyslog working directory. If you delete the state files, the entire file is read in again. Ensure that you specify a unique name.
    $InputFileSeverity | (optional) The syslog severity to assign to read lines. The input can be text (for example, info or warning) or numerals (for example, 4 for info). Text is recommended. The default value is "notice".
    $InputFileFacility | (optional) The syslog facility to be assigned to read lines. The input can be text (for example, local0 or local1) or numerals (for example, 128 for local0). Text is recommended. The default value is "local0".
    $InputRunFileMonitor | (optional) This parameter activates the current monitor. There are no parameters. If you omit this parameter, no file monitoring occurs.
    *.* @<Server_IP>:514 | (required) Replace <Server_IP> with the syslog server IP address.
    NOTE:
    • To send all system logs to the syslog server, use only the last line in the configuration file, which is described in the last row of the preceding table. This line is the only line that is required to send all system logs to the syslog server. Cyber Recovery application logs are not included.
    • To send Cyber Recovery application logs that are in a specific directory to the syslog server, use the other optional parameters that are described in the preceding table.
  3. Restart the rsyslog service on the client:
    service rsyslog restart
    For more information, see RSyslog Documentation at https://www.rsyslog.com/doc/v8-stable/index.html.
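
The conditions the parameter table calls out (a unique state file name, $InputRunFileMonitor to activate each monitor, and the required forwarding line) can be checked before the service is restarted. The Python below is an added example, not part of the Dell guide. The second monitor path /opt/example/app.log and the server address 192.0.2.10 are constructed, and the check assumes each monitor block restates its own directives.

```python
import re
# Constructed input: the page's example plus a hypothetical, never-activated second monitor.
SAMPLE = """\
$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor
$InputFileName /opt/example/app.log
$InputFileStateFile audit_log
*.* @192.0.2.10:514
"""

# selector, "@" (UDP) or "@@" (TCP), host, port
FORWARD = re.compile(r"^(\S+)\s+(@@?)([^\s:@]+):(\d+)$")

def lint(text):
    """Return (monitors, forwards, problems) for legacy imfile directives."""
    monitors, forwards, problems = [], [], []
    pending, states, imfile = {}, set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split() == ["$ModLoad", "imfile"]:
            imfile = True
        elif line == "$InputRunFileMonitor":
            if "Name" not in pending:
                problems.append("$InputRunFileMonitor without $InputFileName")
            monitors.append(pending)
            pending = {}  # assumption: each monitor restates its own directives
        elif line.startswith("$InputFile"):
            key, _, value = map(str.strip, line[len("$InputFile"):].partition(" "))
            if key == "StateFile":
                if value in states:
                    problems.append(f"state file {value} is not unique")
                states.add(value)
            pending[key] = value
        elif m := FORWARD.match(line):
            forwards.append((m[1], "tcp" if m[2] == "@@" else "udp", m[3], int(m[4])))
    if pending:
        problems.append(f"{pending.get('Name')} has no $InputRunFileMonitor")
    if (monitors or pending) and not imfile:
        problems.append("imfile directives without $ModLoad imfile")
    if not forwards:
        problems.append("no forwarding rule (*.* @<Server_IP>:514)")
    return monitors, forwards, problems
```

Calling lint() on the contents of /etc/rsyslog.conf returns the activated monitors, the forwarding rules with their transport, and a list of problems to resolve before running service rsyslog restart.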
