How to configure rsyslog to send audit events to a centralized SIEM system
On each WEBAPP server, the following needs to be configured.
Replace the SIEM IP address with the correct one for your environment (10.109.21.164 is only an example).
#################################################/etc/rsyslog.conf
## CLIENT PART
## On the server from which the logs will be sent, configure /etc/rsyslog.conf as follows.
## If all logs are to be sent, uncomment and add the following line:
####*.info;mail.none;authpriv.none;cron.none @@10.109.21.164:514
## If only the Veridium logs need to be sent, add the following lines instead.
## "@@" forwards over TCP; a single "@" would use UDP, which gives no delivery guarantee.
## $programname is the imfile tag with its trailing ":" removed, so it must match the tags set below.
if $programname == 'ver-events' then @@10.109.21.164:514
if $programname == 'ver-adminevents' then @@10.109.21.164:514
#################################################/etc/rsyslog.d/tomcatevents.conf
## To send the Veridium events log to the remote log server, create the file /etc/rsyslog.d/tomcatevents.conf with the following content.
## (rsyslog reports the module as already loaded if imfile is loaded in more than one file; this is harmless, but the $ModLoad line can be kept in a single file.)
$ModLoad imfile
$InputFileName /var/log/veridiumid/tomcat/events.log
$InputFileTag ver-events:
$InputFileStateFile ver-events
$InputRunFileMonitor
#################################################/etc/rsyslog.d/websecadminevents.conf
## To send the websecadmin events log to the remote log server, create the file /etc/rsyslog.d/websecadminevents.conf with the following content:
$ModLoad imfile
$InputFileName /var/log/veridiumid/websecadmin/events.log
$InputFileTag ver-adminevents:
$InputFileStateFile ver-adminevents
$InputRunFileMonitor
#################################################Restart the service
## Restart rsyslog so that the new configuration and file monitors are loaded
systemctl restart rsyslog
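The forwarding rules and the imfile inputs above only work together when the $InputFileTag values (minus the trailing colon) match the $programname filters exactly, and when the target uses "@@" (TCP). The following script is an added example, not part of the original article: it generates the two kinds of configuration from a table of log files and cross-checks them for the common mistakes (tag/programname mismatch, monitored file with no forwarding rule, UDP target). The log paths, tags and SIEM address are the ones from the article.

```python
"""Generate and cross-check the rsyslog client config described in the article.

Added example, not the article's own tooling. Paths, tags and the SIEM
address 10.109.21.164 are taken from the article (the address is a placeholder).
"""
import re

# Constructed input: programname tag -> log file that rsyslog should monitor.
MONITORED_LOGS = {
    "ver-events": "/var/log/veridiumid/tomcat/events.log",
    "ver-adminevents": "/var/log/veridiumid/websecadmin/events.log",
}

def imfile_stanza(tag, path):
    """Legacy-syntax imfile stanza for one file (one /etc/rsyslog.d/*.conf each).
    rsyslog derives $programname from the tag with the trailing ':' stripped."""
    return "\n".join([
        "$ModLoad imfile",
        f"$InputFileName {path}",
        f"$InputFileTag {tag}:",
        f"$InputFileStateFile {tag}",
        "$InputRunFileMonitor",
    ]) + "\n"

def forward_rules(tags, siem_ip, port=514):
    """Forwarding lines for /etc/rsyslog.conf; '@@' is TCP, a single '@' would be UDP."""
    return "".join(f"if $programname == '{t}' then @@{siem_ip}:{port}\n" for t in tags)

TAG_RE = re.compile(r"^\$InputFileTag\s+(\S+?):?\s*$", re.M)
RULE_RE = re.compile(r"^if \$programname == '([^']+)' then (@@?)(\S+)$", re.M)

def check_consistency(rsyslog_conf, imfile_confs):
    """Return a list of problems; an empty list means the two halves agree."""
    monitored = {m.group(1) for c in imfile_confs for m in TAG_RE.finditer(c)}
    forwarded, problems = set(), []
    for name, proto, target in RULE_RE.findall(rsyslog_conf):
        forwarded.add(name)
        if proto == "@":
            problems.append(f"{name}: UDP forwarding to {target}, use @@ (TCP)")
    for t in sorted(monitored - forwarded):
        problems.append(f"{t}: file is monitored but no forwarding rule matches it")
    for t in sorted(forwarded - monitored):
        problems.append(f"{t}: forwarding rule has no imfile input with this tag")
    return problems

if __name__ == "__main__":
    confs = [imfile_stanza(t, p) for t, p in MONITORED_LOGS.items()]
    rules = forward_rules(MONITORED_LOGS, "10.109.21.164")
    print(rules, *confs, sep="")
    print(check_consistency(rules, confs) or "config consistent")
```

Run the check against the files actually deployed (read /etc/rsyslog.conf and /etc/rsyslog.d/*.conf into the two arguments) after any change; a tag typed with its colon in the rsyslog.conf filter is the mismatch that most often leaves the SIEM silently empty.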