To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account:
- Write Virtual Machine
- Delete Log Management
- Read Log Endpoints
- Read Log Relays
- Write Log Relays
- Delete Log Relays
You can use this document to add a remote log collector to an Apache HTTP Server remote device (log source).
For remote log collection, you must have Log Relay added to your account.
- To learn how to add Log Relay to your account, see Obtain Log Relay for Remote Log Collection.
Create a remote log source
- In the Armor Management Portal (AMP), in the left-side navigation, click Security.
- Click Log & Data Management.
- Click External Sources.
- Click the plus ( + ) sign.
- If you do not have any log sources already created, then click Add a New Log Source.
- Complete the missing fields:
  - In Endpoint, select the available Armor Endpoint.
  - In Log Source Type, select Apache HTTP Server.
  - In Hostname, enter the system hostname that matches the system for syslog collection. For example, in Mar 10 08:52:55 node-77 systemd: < redacted >, the hostname would be node-77.
    - The hostname is case-sensitive and must match the same letter casing as the logs that are sent into this log source.
  - In Protocol, select TLS Syslog.
- Click Save Log Source.
Before you begin, ensure that the following packages are installed:
- yum install -y rsyslog-gnutls
- Create a directory to hold the Armor PEM file:
  - mkdir -pv /etc/rsyslog.d/keys/ca.d
- Change to the newly created directory:
  - cd /etc/rsyslog.d/keys/ca.d
- Download the Armor PEM files:
- Place the following two lines in the main httpd.conf or in the vhost config (they are needed for each vhost):
  - LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" ArmorCustom
  - CustomLog "|/usr/bin/logger -t httpd -p local6.info" ArmorCustom
- Create a file called /etc/rsyslog.d/55-armor.conf with the following template:
Replace target-name:port with the hostname and port of the configured endpoint.
Ensure that the rsyslog configuration has no syntax errors:
Ensure that the httpd configuration has no syntax errors:
Then reload httpd and restart rsyslog:
service httpd reload
service rsyslog restart
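As an added example (not part of the original document), the following script parses the syslog lines that the ArmorCustom LogFormat and the logger pipe above produce, and applies the same case-sensitive hostname check that the AMP log source applies, so a casing mismatch such as NODE-77 versus node-77 can be spotted on the sending host before records are silently dropped. The sample lines and the field names are constructed for the example.

```python
import re

# Traditional syslog header as rsyslog writes it: "Mar 10 08:52:55 node-77 httpd: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Message body produced by: LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" ArmorCustom
ARMOR_RE = re.compile(
    r'^(?P<remote>\S+) (?P<local_ip>\S+) (?P<logname>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-)$'
)

def parse_line(line: str):
    """Return the parsed fields, or None if the line is not an httpd ArmorCustom record."""
    hdr = SYSLOG_RE.match(line.rstrip("\n"))
    if not hdr or hdr.group("tag") != "httpd":
        return None
    body = ARMOR_RE.match(hdr.group("msg"))
    if not body:
        return None
    rec = {**hdr.groupdict(), **body.groupdict()}
    for key in ("status", "port"):
        rec[key] = int(rec[key])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b prints "-" when no body was sent
    return rec

def matches_log_source(rec: dict, configured_hostname: str) -> bool:
    """The log source accepts a record only if the syslog hostname matches exactly, case included."""
    return rec["host"] == configured_hostname

# Constructed sample lines (not captured from a real system).
SAMPLE_LINES = [
    'Mar 10 08:52:55 node-77 httpd: 203.0.113.5 10.0.0.12 - - [10/Mar/2024:08:52:55 +0000] "GET /index.html HTTP/1.1" 200 80 1234',
    'Mar 10 08:52:56 NODE-77 httpd: 203.0.113.5 10.0.0.12 - alice [10/Mar/2024:08:52:56 +0000] "POST /login HTTP/1.1" 302 443 -',
    'Mar 10 08:52:57 node-77 systemd: Started Session 4 of user root.',
]

def summarize(lines, configured_hostname: str) -> dict:
    """Count records the log source would accept, reject for hostname casing, or ignore."""
    counts = {"accepted": 0, "hostname_mismatch": 0, "not_httpd": 0}
    for line in lines:
        rec = parse_line(line)
        key = ("not_httpd" if rec is None else
               "accepted" if matches_log_source(rec, configured_hostname) else "hostname_mismatch")
        counts[key] += 1
    return counts
```

Running summarize over the lines in /var/log/messages with the hostname configured in AMP gives a quick count of how many httpd records would be rejected for casing alone.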
On RHEL/CentOS, if SELinux is in enforcing mode it will block rsyslog from connecting to the remote port. To troubleshoot:
Install the SELinux troubleshooting tool:
yum install -y setroubleshoot-server
Check whether rsyslog is being blocked from using the remote port:
sealert -a /var/log/audit/audit.log
Follow the sealert recommendations to allow the access. Example (substitute the identifier that sealert reports for your denial):
grep 72733A6D61696E20513A526567 /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Review the generated mypol.te before installing the module, since audit2allow allows exactly the access that was denied.