Syslog with Configurations on AWS EC2 Linux Machines

Real Problem

Let's start with a real-life problem to understand these concepts!

Let's say a business's web server has slower response times and frequent failures, and customers are complaining that it's hard to access the website. To avoid more downtime and client dissatisfaction, the IT department must identify the issue's root cause and immediately fix it.

Solution!

The IT staff can solve the problem by using syslog to gather logs from the web server and from the other network devices that might be influencing its performance. The logs may contain details on the web server's CPU and memory usage, the volume of requests, and any faults or warnings that the server or other devices have generated.

By examining the Syslog data, the IT department may find that the web server has high CPU consumption during peak hours, which results in slow response times and frequent failures. They might also notice that a certain IP address is sending the server a lot of requests, which could be a sign of a DDoS attack or another security risk.

What is Syslog?

Syslog is a standard way for computer systems to collect and store log messages generated by software applications and hardware devices. It's like a journal that records important events and errors, which can be used for troubleshooting, monitoring, and security analysis.

It uses a client-server architecture: the client sends log messages to the Syslog server, and the server stores those messages in one central location. Syslog messages include system failures, warnings, and notifications.

Configuring Syslog:

To configure Syslog on Amazon EC2 we first need access to the AWS Console. After that, we create two EC2 instances: one will be the client and the other will be the server. (Two VMware virtual machines work just as well.) This is the prerequisite.

After successful configurations of Client and Server Machines, we can move on to our steps to set up Syslog.

We will use rsyslog to set up Syslog on both machines. You can find more information about it here: https://www.rsyslog.com/

Further Steps are as follows:

Step 1: Make sure the client and server can reach each other by pinging their IPs (use ifconfig on each machine to find its address).

Step 2: Configure rsyslog on both machines.

  • Switch to the root user

  • Install rsyslog

    sudo su
    yum install rsyslog* -y

Step 3: Open the rsyslog config file.

    vim /etc/rsyslog.conf

Uncomment the TCP and UDP reception lines. This makes sure that our rsyslog server receives log messages over both the TCP and the UDP network protocol.

After the edit, those TCP and UDP lines should no longer start with a # character.

Press ESC and type :wq to save and exit.

Step 4: Restart and enable rsyslog

    systemctl restart rsyslog.service
    systemctl enable rsyslog.service
    systemctl status rsyslog.service

Step 5: Go to the client machine and open the config file.

    vim /etc/rsyslog.conf

Add the following line at the end, replacing server_ipadd with the server's IP address (the fields are separated by a tab):

    *.*	@server_ipadd

After adding the line, repeat step 4 to restart and enable rsyslog!
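Steps 3 to 5 above are done by hand in vim. The following script is an added example, not part of the original post: it applies the same two edits (uncommenting the server's UDP and TCP reception lines, appending the client's forwarding rule) to constructed copies of rsyslog.conf in a temporary directory, so the result can be inspected without touching a live system. The server address 10.0.1.10 and the sample config contents are assumptions; on a real host the file is /etc/rsyslog.conf. The uncommenting step goes slightly beyond the post in that it handles both the legacy `$ModLoad` directives that yum-installed rsyslog ships and the newer `module()`/`input()` syntax.

```shell
#!/bin/sh
# Added example (not the post's own commands): reproduces the Step 3 and
# Step 5 edits on constructed config copies and checks the outcome.
set -eu

WORK="$(mktemp -d)"
SERVER_IP="10.0.1.10"   # assumed private IP of the server instance

# Constructed stand-in for the reception section of a stock rsyslog.conf
# (legacy directive form, as shipped by yum-installed rsyslog), all commented.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

authpriv.*    /var/log/secure
EOF
}

# Step 3 on the server: strip the leading # from the UDP and TCP reception
# lines only. Matches both the legacy directives and the module()/input() form.
enable_reception() {
    sed -E 's/^#((\$ModLoad im(udp|tcp))|\$UDPServerRun|\$InputTCPServerRun|module\(load="im(udp|tcp)"\)|input\(type="im(udp|tcp)")/\1/' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Counts active (uncommented) reception directives. A correctly edited server
# config has four: module load and listen port for UDP, the same for TCP.
active_listeners() {
    grep -cE '^(\$ModLoad im(udp|tcp)|\$UDPServerRun|\$InputTCPServerRun|module\(load="im(udp|tcp)"\)|input\(type="im(udp|tcp)")' "$1" || true
}

# Step 5 on the client: forward every facility and priority to the server.
# A single @ selects UDP (the form used in the post); @@ would select TCP.
add_forwarding() {
    printf '*.*\t@%s:514\n' "$2" >> "$1"
}

# Number of forwarding rules that point at the given server.
forwarding_rules() {
    grep -c '^\*\.\*[[:space:]]*@'"$2"':514$' "$1" || true
}

SERVER_CONF="$WORK/server-rsyslog.conf"
CLIENT_CONF="$WORK/client-rsyslog.conf"
write_sample_conf "$SERVER_CONF"
write_sample_conf "$CLIENT_CONF"

enable_reception "$SERVER_CONF"                # what Step 3 does in vim
add_forwarding "$CLIENT_CONF" "$SERVER_IP"     # what Step 5 appends

echo "server listeners active: $(active_listeners "$SERVER_CONF")"
echo "client forwarding rules: $(forwarding_rules "$CLIENT_CONF" "$SERVER_IP")"
# On a real host, validate with: rsyslogd -N1
# then restart and enable the service exactly as in Step 4.
```

Two things the post's steps rely on but do not spell out: the server's EC2 security group must allow inbound 514/udp (or 514/tcp when the client uses @@) from the client's address, or the forwarded messages are silently dropped; and plain syslog over UDP is neither authenticated nor encrypted, so on any network beyond a lab it is worth enabling rsyslog's TLS support for the forwarding channel.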

Step 6: Perform some activity on the client machine, such as creating a user and setting its password:

To add a user: useradd user-name

To set a password: passwd user-name

Step 7: On the server, all the logged activity from the client machine should now appear. Let's check whether our user-creation activity shows up:

    vim /var/log/secure

We can see the client's activities reflected in the secure file.
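Reading /var/log/secure in vim works for a two-machine lab, but on a server that collects logs from many clients it helps to pull out exactly the events Step 6 produced. The script below is an added example, not from the original post: it runs over a constructed sample of /var/log/secure (hostnames ip-10-0-1-10 for the server and ip-10-0-1-20 for the client, and the message texts, are assumptions modelled on the format useradd and passwd log in) and reports which hosts are sending logs, which account-related events came from the client, and which accounts the client created.

```shell
#!/bin/sh
# Added example (not the post's own commands): verifies Step 7 over a
# constructed copy of /var/log/secure instead of reading it in vim.
set -eu

WORK="$(mktemp -d)"
LOG="$WORK/secure"
CLIENT_HOST="ip-10-0-1-20"   # assumed hostname the client reports

# Constructed sample in the traditional syslog line format:
# "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>".
cat > "$LOG" <<'EOF'
Mar  5 10:12:01 ip-10-0-1-20 useradd[2211]: new group: name=alice, GID=1002
Mar  5 10:12:01 ip-10-0-1-20 useradd[2211]: new user: name=alice, UID=1002, GID=1002, home=/home/alice, shell=/bin/bash
Mar  5 10:12:30 ip-10-0-1-20 passwd[2230]: pam_unix(passwd:chauthtok): password changed for alice
Mar  5 10:13:02 ip-10-0-1-10 sshd[1800]: Accepted publickey for ec2-user from 203.0.113.7 port 51234 ssh2
Mar  5 10:13:40 ip-10-0-1-20 sudo:   ec2-user : TTY=pts/0 ; PWD=/home/ec2-user ; USER=root ; COMMAND=/bin/su
EOF

# Distinct hosts that have written to this file; after Step 5 the client's
# hostname must appear here alongside the server's own.
reporting_hosts() {
    awk '{ print $4 }' "$1" | sort -u
}

# Lines from one host that record account creation, deletion or a password
# change (the programs Step 6 exercised, plus userdel for completeness).
account_events() {
    grep -E "^[A-Z][a-z]{2} +[0-9]+ [0-9:]{8} $2 (useradd|userdel|passwd)\[[0-9]+\]:" "$1" || true
}

count_account_events() {
    account_events "$1" "$2" | grep -c . || true
}

# Account names the host created, taken from useradd's "new user:" line.
created_users() {
    account_events "$1" "$2" | sed -nE 's/.*useradd\[[0-9]+\]: new user: name=([^,]+),.*/\1/p'
}

echo "hosts reporting to this server:"
reporting_hosts "$LOG"
echo "account events from $CLIENT_HOST: $(count_account_events "$LOG" "$CLIENT_HOST")"
echo "accounts created on $CLIENT_HOST: $(created_users "$LOG" "$CLIENT_HOST" | tr '\n' ' ')"
```

The filters key on the hostname field, which is whatever the client puts in the message, so on the server the same lines will carry the client's hostname rather than its IP. Note also that the `*.*` rule forwards a copy: the client keeps writing its own /var/log/secure, so an entry present on the server and absent on the client would itself be worth investigating.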

Conclusion: the entries appear, so rsyslog is forwarding all the client's activity to the server EC2 instance!

Appreciate your reading, please like and comment with any suggestions that you wish to give! Thank you, Cheers!