You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

Topics Discussed

You can add a remote log collector to the following remote devices (log sources):

To obtain Log Relay and to configure your account for remote log collection, you must have the following AMP permissions added to your account: 

  • Write Virtual Machine
  • Delete Log Management
  • Read Log Endpoints
  • Read Log Relays
  • Write Log Relays
  • Delete Log Relays

You can use this document to add a remote log collector to an Apache HTTP Server remote device (log source). 

Pre-deployment considerations

For remote log collection, you must have Log Relay added to your account.  

Create a remote log source

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.
  2. Click Log & Data Management.
  3. Click External Sources.
  4. Click the plus ( + ) sign. 
    • If you do not have any log sources already created, then click Add a New Log Source
  5. Complete the missing fields:
    1. In Endpoint, select the available Armor Endpoint.
    2. In Log Source Type, select Apache HTTP Server
    3. In Hostname, enter the system hostname that matches the system for syslog collection. For example, in Mar 10 08:52:55 node-77 systemd: < redacted >, the hostname would be node-77.

      1. The hostname is case-sensitive and must match the same letter casing as the logs that are sent into this log source.
    4. In Protocol, select TLS Syslog
  6. Click Save Log Source.

Implement Server

Before you begin, ensure that the following pages are installed:

  • rsyslog-gnutls
    • yum install -y rsyslog-gnutls
  1. Create a directory to hold Armor pem file: 
    • mkdir -pv /etc/rsyslog.d/keys/ca.d
  2. Change to the newly created directory: 
    • cd /etc/rsyslog.d/keys/ca.d
  3. Download Armor PEM files: 
  4. Place the following two lines in main http.conf or vhost config (will be needed for each vhost): 
    • LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" ArmorCustom
    • CustomLog "|/usr/bin/logger -t httpd -p" ArmorCustom
  5. Create a file called /etc/rsyslog.d/55-armor.conf with the following template:
    • Replace target-name:port with the name of the configured endpoint and port.

      # make gtls driver the default
      $DefaultNetstreamDriver gtls
      # $ActionSendStreamDriverAuthMode anon
      $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
      $ActionSendStreamDriverAuthMode x509/name
      $ActionSendStreamDriverPermittedPeer *
      # certificate files
      $DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/
      # $ActionSendStreamDriverAuthMode x509/name
      # $ActionSendStreamDriverPermittedPeer *
      # remote host is: name/ip:port, e.g., port optional
      local6.*  @@<target-name:port>
      # ### begin forwarding rule ###
      # The statement between the begin ... end define a SINGLE forwarding
      # rule. They belong together, do NOT split them. If you create multiple
      # forwarding rules, duplicate the whole block!
      # Remote Logging (we use TCP for reliable delivery)
      # An on-disk queue is created for this action. If the remote host is
      # down, messages are spooled to disk and sent when it is up again.
      # $ActionQueueFileName fwdRule1 # unique name prefix for spool files
      $ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
      $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
      $ActionQueueWorkerThreads 1
      $ActionQueueDequeueSlowDown 10000
      $ActionQueueDiscardSeverity 6
      $ActionQueueType LinkedList   # run asynchronously
      $ActionResumeRetryCount -1    # infinite retries if host is down
      # ### end of the forwarding rule ###
  6. Ensure that rsyslog configuration has no syntax errors:

    • rsyslogd -N1

  7. Ensure that httpd configuration has no syntax errors:

    • httpd -t

  8. Reload httpd:

    • service httpd reload

  9. Restart rsyslog: 

    • service rsyslog restart

  10. Verify.


If enforced, RHEL/CentOS - SELinux will block rsyslog from using a remote port. To troubleshoot:

  1. Install SELinux troubleshooting tool:

    • yum install -y setroubleshoot-server

  2. Check to see if rsyslog is being blocked from using remote port

    • sealert -a /var/log/audit/audit.log

  3. Follow recommendations to allow: Example:

    • grep 72733A6D61696E20513A526567 /var/log/audit/audit.log | audit2allow -M mypol
      semodule -i mypol.pp