Logging Scenario - Logging with Rsyslog
Last modified on May 9, 2024
Scenario: You want to deliver your logs via TCP/syslog to a logging service on a server with Rsyslog. You can do this through your Gateway/Relay server with a little setup.
As with all Gateway/Relay logs, the logs stored on the Gateway/Relay will not include Admin UI activities, which can be accessed via the `sdm audit activities` command.

- On the logging server (i.e., the target/destination to which the logs will be written), edit the `/etc/rsyslog.conf` file and add the following lines:

  ```
  # Provides TCP syslog reception
  $ModLoad imtcp
  $InputTCPServerRun 514
  # You can optionally use $InputTCPMaxSessions to specify a maximum number of connections
  # $InputTCPMaxSessions 500
  # Sets up logging so that the hostname and program name are visible in order to better parse logs for sdm.
  $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
  *.* ?RemoteLogs
  ```
- On the logging client (the Gateway/Relay server), edit `/etc/rsyslog.d/loghost.conf` and add the IP address of the logging server (the target server, not the Gateway/Relay) along with the port it is listening on. The `@@` prefix selects plain TCP forwarding (a single `@` would forward over UDP), matching the `imtcp` listener configured above:

  ```
  *.* @@192.168.1.150:514
  ```
- On the Admin UI > Settings > Security page, select the Log Encryption & Storage tab, select Log locally on relays, and then under Local storage select syslog. Add the IP address of the logging server along with the port it is listening on:

  ```
  192.168.1.150:514
  ```
Now you have configured StrongDM to send logs to your Gateway/Relay server and then deliver them to another target service.
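The following is an added example, not part of the StrongDM documentation or of rsyslog. It models, in plain Python, the exchange the configuration above sets up: the client side sends newline-framed RFC 3164 syslog lines over a TCP stream (what `*.* @@host:port` does), and the collector side reads them and derives the file each message would land in under the page's `RemoteLogs` template (`/var/log/%HOSTNAME%/%PROGRAMNAME%.log`). The hostname `relay-01`, the program names, the message texts and the fixed timestamp are constructed sample values; the collector listens on an ephemeral localhost port rather than 514 so it runs without privileges or a real rsyslog instance.

```python
import re
import socket
import threading

# Constructed sample values (not from the page): a relay hostname and a program name.
RELAY_HOST = "relay-01"
RELAY_PROGRAM = "sdm-relay"

# One RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG, newline-terminated.
# imtcp's default framing is one message per line, which is what '@@host:port' emits.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def build_message(hostname, program, text, pid=None, facility=1, severity=6):
    """Format one RFC 3164 syslog line; PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    tag = f"{program}[{pid}]" if pid is not None else program
    timestamp = "May  9 12:00:00"  # constructed, fixed so the output is reproducible
    return f"<{pri}>{timestamp} {hostname} {tag}: {text}\n"


def parse_message(line):
    """Split a received line into the fields rsyslog exposes as properties."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 syslog line: {line!r}")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "hostname": m.group("host"),       # rsyslog %HOSTNAME%
        "programname": m.group("prog"),    # rsyslog %PROGRAMNAME% (tag without [pid])
        "msg": m.group("msg"),
    }


def template_path(record, base="/var/log"):
    """Model the page's $template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"."""
    return f"{base}/{record['hostname']}/{record['programname']}.log"


def send_tcp(host, port, lines):
    """Client side of '*.* @@host:port': a plain TCP stream of newline-framed messages."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall("".join(lines).encode("utf-8"))


def collect_tcp(listener, expected):
    """Collector side: accept one connection and read `expected` newline-framed messages."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while buf.count(b"\n") < expected:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8").splitlines()


def demo():
    """Run client and collector on localhost; return parsed records with their template paths."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port here; the page's collector uses 514
    listener.listen(1)
    port = listener.getsockname()[1]
    # Constructed sample messages: one from the relay process, one from another daemon
    # on the same host, to show the template splitting them into separate files.
    lines = [
        build_message(RELAY_HOST, RELAY_PROGRAM, "session start user=alice", pid=4321),
        build_message(RELAY_HOST, "sshd", "Accepted publickey for bob", pid=77, facility=4),
    ]
    received = []
    t = threading.Thread(target=lambda: received.extend(collect_tcp(listener, len(lines))))
    t.start()
    send_tcp("127.0.0.1", port, lines)
    t.join(timeout=5)
    listener.close()
    out = []
    for raw in received:
        rec = parse_message(raw)
        rec["path"] = template_path(rec)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in demo():
        print(rec["path"], "<-", rec["msg"])
```

Running the script shows the two sample messages being routed to `/var/log/relay-01/sdm-relay.log` and `/var/log/relay-01/sshd.log`, which is the per-host, per-program layout the `RemoteLogs` template produces. Because the stream is plain TCP, anything on the path between the Gateway/Relay and the logging server can read the message bodies; that is worth keeping in mind when choosing where the two hosts sit on the network.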