Unix Connector Configuration Log
Unix security logs provide information about activity in the environment,
including privilege escalation events and high-criticality commands executed
over SSH.
Determine which syslog configuration file the system uses, then configure log
forwarding according to that file type.
1. Log in to Unix.
2. From the prompt, execute the following command:
ls -d /etc/*syslog*
3. Identify which of the following files displays as the result of the
command:
o rsyslog.conf
o syslog-ng.conf
o syslog.conf
Configuring Unix to send logs using rsyslog.conf
The rsyslog.conf file is most commonly found on Debian, Fedora, SuSE,
Ubuntu, and other Linux distributions. Follow these steps on systems that use
the rsyslog.conf file to send alerts:
1. As root, edit the /etc/rsyslog.conf file with a text editor, such as Vi.
2. Paste the following at the end of the file (selectors are separated by
semicolons; a comma only joins facilities within one selector, so
"authpriv.*,auth.*" is not valid):
authpriv.*;auth.*;*.warn;*.err @remote_ingester_node_ip:port_no
3. Replace the remote_ingester_node_ip variable with the Remote
Ingester Node IP address for your environment.
4. Replace the port_no variable with the UDP port number in your
environment.
5. Save the text file and exit the editor.
6. Based on the operating system of the host you are configuring, execute
one of the following commands to activate the file change:
o If your system is Ubuntu:
sudo service rsyslog restart
o For all other systems using rsyslog.conf:
sudo /etc/init.d/rsyslog restart
7. Log messages should begin appearing on the Remote Ingester Node
(RIN). By default, rsyslog tags messages with the system's hostname.
Configuring Unix to send logs using syslog-ng.conf
The syslog-ng.conf file is often used on Gentoo 2005.0+ and SuSE 9.3+ systems.
Follow the steps below on systems that use the syslog-ng.conf file to send
alerts:
1. As root, edit /etc/syslog-ng.conf with a text editor.
2. In the line that starts with source (for example: source s_sys {..}),
identify the name of the source, typically s_sys, src, s_all, or s_local.
3. At the end of the file, paste the following (the udp() driver takes the
bare host address; do not prefix it with "@" as in syslog.conf):
destination d_securonix { udp("remote_ingester_node_ip" port(port_no)); };
log { source(s_sys); destination(d_securonix); };
4. Replace s_sys with the name you identified in step 2.
5. Replace the remote_ingester_node_ip variable with the Remote
Ingester IP address for your environment.
6. Replace the port_no variable with the UDP/TCP port number for your
environment.
7. Execute the following command to tell the system to activate the
change:
sudo killall -HUP syslog-ng
Log messages should now appear on the Harpia Ingester Node (HIN).
Configuring Unix to send logs using syslog.conf
The syslogd and sysklogd files are often seen on BSDs, CentOS, Gentoo
2004.3 and older, Mac, RHEL, Slackware, Solaris, and most other
Unices.
The remote_syslog2 application can be used in place of syslogd. Some
versions of syslog do not support custom ports and must use the default
port 514, but modern BSD versions (including macOS) support custom ports.
1. As root, use a text editor to edit /etc/syslog.conf.
2. Paste the following at the end of the file:
*.* @remote_ingester_node_ip:port_no
3. Replace the remote_ingester_node_ip variable with the Remote
Ingester IP address for your environment.
4. Replace the port_no variable with the UDP/TCP port number for your
environment.
5. Execute the following command to tell the system to activate the
change:
sudo killall -HUP syslogd
Log messages should now appear on the HIN.
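The following POSIX shell script is an added example, not part of the vendor documentation, that ties the steps above together: it detects which syslog configuration is present (the ls -d /etc/*syslog* check), validates the ingester IP address and port, emits the correct forwarding fragment for rsyslog, syslog-ng, or classic syslogd with the placeholders substituted, and checks whether a file already forwards to that ingester so the fragment is not appended twice (a duplicated line makes every event arrive at the RIN twice). The function names, the ETC_DIR parameter, and the /etc/syslog-ng/syslog-ng.conf fallback path are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helpers for the syslog forwarding procedure described above.
# Usage (run as root on the host being configured):
#   daemon=$(detect_syslog_daemon /etc)
#   forwarding_fragment "$daemon" 10.0.0.5 514 s_sys >> /etc/rsyslog.conf
# The IP address and port are constructed sample values.

# Print which daemon configuration is present under the given /etc directory:
# rsyslog, syslog-ng, syslog, or none. The directory is a parameter so the
# function can be exercised against a scratch directory.
detect_syslog_daemon() {
    etc_dir=${1:-/etc}
    if [ -f "$etc_dir/rsyslog.conf" ]; then
        echo rsyslog
    elif [ -f "$etc_dir/syslog-ng.conf" ] || [ -f "$etc_dir/syslog-ng/syslog-ng.conf" ]; then
        # Newer syslog-ng packages keep the file in a subdirectory (assumed path).
        echo syslog-ng
    elif [ -f "$etc_dir/syslog.conf" ]; then
        echo syslog
    else
        echo none
    fi
}

# Validate an IPv4 dotted quad (each octet 0-255) and a port in 1..65535.
# Returns 0 when both are acceptable, 1 otherwise.
validate_endpoint() {
    ip=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the configuration fragment for the detected daemon with the ingester
# address and port substituted. "@" selects UDP for rsyslog and syslogd; the
# syslog-ng udp() driver takes the bare host. The optional fourth argument is
# the syslog-ng source name identified in the source line (default s_sys).
forwarding_fragment() {
    daemon=$1; ip=$2; port=$3; source_name=${4:-s_sys}
    validate_endpoint "$ip" "$port" || return 1
    case "$daemon" in
        rsyslog)
            # Selectors are separated by ';'; ',' only joins facilities.
            printf 'authpriv.*;auth.*;*.warn;*.err @%s:%s\n' "$ip" "$port" ;;
        syslog-ng)
            printf 'destination d_securonix { udp("%s" port(%s)); };\n' "$ip" "$port"
            printf 'log { source(%s); destination(d_securonix); };\n' "$source_name" ;;
        syslog)
            printf '*.* @%s:%s\n' "$ip" "$port" ;;
        *)
            return 1 ;;
    esac
}

# Return 0 if the configuration file already forwards to this ingester, so
# the caller can skip appending the fragment a second time.
already_forwarding() {
    conf=$1; ip=$2
    grep -qF -e "@$ip" -e "\"$ip\"" "$conf" 2>/dev/null
}
```

After appending the fragment and restarting the daemon, a quick end-to-end check is to run `logger -p auth.notice "forwarding test"` on the host and confirm the message arrives at the RIN; if it does not, verify that the port in the fragment matches the ingester's listener and that the selector line was not silently rejected by the daemon.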