New task: Configure a central syslog server

DC-task-configure-syslog-server

@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="task-configure-syslog-server.xml"
+ROOTID="task-configure-central-syslog-server"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"

xml/task-configure-syslog-server.xml

@@ -0,0 +1,363 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<?xml-stylesheet href="urn:x-suse:xslt:profiling:docbook51-profile.xsl"
+ type="text/xml"
+ title="Profiling step"?>
+<!DOCTYPE article
+[
+  <!ENTITY % entities SYSTEM "generic-entities.ent">
+    %entities;
+]>
+
+<!--metadata
+ * product(s): SLES, SLED, SLE-HA, SLES-SAP, SLE-HPC, SLE-RT
+ * product version(s): 15 SP3, 15 SP2, 15 GA
+ * topic category/ies: system administration, networking
+ * target group(s): system operators
+ * initially published: ?
+ * last modified: ?-->
+
+<article xml:id="task-configure-central-syslog-server" xml:lang="en"
+ role="task"
+ xmlns="http://docbook.org/ns/docbook" version="5.1"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ xmlns:xlink="http://www.w3.org/1999/xlink">
+
+ <info>
+  <title>Forwarding log messages to a central log server</title>
+  <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+   <dm:bugtracker>
+    <dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
+    <dm:component>Documentation</dm:component>
+    <dm:product>Product Name</dm:product>
+    <dm:assignee>cwickert@suse.com</dm:assignee>
+   </dm:bugtracker>
+   <dm:translation>no</dm:translation>
+  </dm:docmanager>
+ </info>
+
+ <section xml:id="environment-configure-central-syslog-server">
+ <title>Environment</title>
+  <para>This document applies to the following products and product versions:</para>
+  <itemizedlist>
+  <listitem>
+   <para>&sles;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&sles4sap;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&sleha;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&slehpc;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA</para>
+  </listitem>
+  <listitem>
+   <para>&sled;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&slert;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+ </itemizedlist>
+</section>
+
+ <section xml:id="introduction-configure-central-syslog-server">
+  <title>Introduction</title>
+  <para>
+   System log data can be forwarded from individual systems to a central
+   syslog server on the network. This allows administrators to get an overview
+   of events on all hosts, and prevents attackers that succeed in taking over a
+   system from manipulating system logs to cover their tracks.
+  </para>
+ </section>
+
+ <section xml:id="requirements-configure-central-syslog-server">
+  <title>Requirements</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     You have installed your product and your system is up and running.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The system is connected to the network.
+    </para>
+   </listitem>
+   <!-- FIXME cwickert 2021-10-08: uncomment once we have NTP instructions.
+   <listitem>
+    <para>
+     You have set up <literal>NTP</literal> on all machines. Refer to <xref
+     linkend="FIXME"/> for configuration instructions.
+    </para>
+   </listitem>
+   -->
+   <listitem>
+    <para>
+     The <package>rsyslog</package> package is installed on all machines.
+     If not, run <command>zypper in yast2-mail</command> to install it.
+    </para>
+    <!-- <screen>&prompt.root;<command>zypper in rsyslog</command></screen> -->
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xml:id="configure-configure-central-syslog-server">
+  <title>Setting up the central syslog server</title>
+  <para>
+   Setting up a central syslog server consists of two parts. First you configure
+   the central log server, then the clients for remote logging.
+  </para>
+  <section xml:id="sec-configure-configure-central-syslog-server">
+   <title>Setting up the central syslog server</title>
+   <!--
+    <para>
+    This section describes a basic syslog forwarding setup on &sle;.
+    </para>
+   -->
+   <procedure xml:id="pro-configure-central-syslog-server">
+    <title>Configure the central <systemitem>rsyslog</systemitem> server</title>
+    <para>
+     To set up a central syslog server, perform the following steps:
+    </para>
+    <step>
+     <para>
+      Edit the configuration file
+      <filename>/etc/rsyslog.d/remote.conf</filename>.
+     </para>
+    </step>
+    <step>
+     <para>
+      Uncomment the following lines in the <literal>UDP Syslog Server</literal>
+      or <literal>TCP Syslog Server</literal> section of the configuration file.
+      Assign an IP address and port for <systemitem
+       class="daemon">rsyslogd</systemitem>.
+     </para>
+     <para>
+      TCP example:
+     </para>
+     <screen>$ModLoad imtcp.so
+      $UDPServerAddress <replaceable>IP</replaceable><co xml:id="co-tuning-syslog-server-ip"/>
+      $InputTCPServerRun <replaceable>PORT</replaceable><co xml:id="co-tuning-syslog-server-port"/></screen>
+     <para>
+      UDP example:
+     </para>
+     <screen>$ModLoad imudp.so
+      $UDPServerAddress <replaceable>IP</replaceable><xref linkend="co-tuning-syslog-server-ip" xrefstyle="select:label nopage"/>
+      $UDPServerRun <replaceable>PORT</replaceable><xref linkend="co-tuning-syslog-server-port" xrefstyle="select:label nopage"/></screen>
+     <calloutlist>
+      <callout arearefs="co-tuning-syslog-server-ip">
+       <para>
+        IP address of the interface for <systemitem
+         class="daemon">rsyslogd</systemitem> to listen on. If no address is
+        given, the daemon listens on all interfaces.
+       </para>
+      </callout>
+      <callout arearefs="co-tuning-syslog-server-port">
+       <para>
+        Port for <systemitem class="daemon">rsyslogd</systemitem> to listen on.
+        Select a privileged port below 1024. The default is 514.
+       </para>
+      </callout>
+     </calloutlist>
+     <important>
+      <title>TCP versus UDP protocol</title>
+      <para>
+       Traditionally syslog uses the UDP protocol to transmit log messages over
+       the network. This involves less overhead, but lacks reliability. Log
+       messages can get lost under high load.
+       <!-- cwickert 2021-03-02 Original text before shortening -->
+       <!-- The TCP protocol is more
+        reliable. Messages will only get lost under
+        <emphasis>constant</emphasis> high load, which should not occur under
+        normal circumstances.
+        </para>
+        <para>
+        Since the advantages of centralized logging could suffer from
+        unreliability, using TCP recommended. -->
+      </para>
+      <para>
+       The TCP protocol is more reliable and should be preferred over UDP.
+      </para>
+     </important>
+     <note>
+      <title><literal>UDPServerAddress</literal> with TCP</title>
+      <para>
+       The <literal>$UDPServerAddress</literal> configuration parameter in the
+       TCP example is no error. Despite its name it is used for both TCP and
+       UDP.
+      </para>
+     </note>
+    </step>
+    <step>
+     <para>
+      Save the file.
+     </para>
+    </step>
+    <step>
+     <para>
+      Restart the <systemitem class="daemon">rsyslog</systemitem> service:
+     </para>
+<screen>&prompt.sudo;<command>systemctl restart rsyslog.service</command></screen>
+    </step>
+    <step>
+     <para>Open the respective port in the firewall. For <systemitem
+      class="daemon">firewalld</systemitem> with TCP on port 514 run:
+     </para>
+<screen>&prompt.sudo;<command>firewall-cmd --add-port <replaceable>514/tcp</replaceable> --permanent</command>
+&prompt.sudo;<command>firewall-cmd --reload</command></screen>
+    </step>
+   </procedure>
+   <para>
+    You have now configured the central log server. Next, configure the clients
+    for remote logging.
+   </para>
+  </section>
+  <section >
+   <title>Set up the client machines</title>
+   <procedure xml:id="pro-configure-syslog-client">
+    <title>Configure a <guimenu>rsyslog</guimenu> instance for remote logging</title>
+    <para>
+     To configure a machine for remote logging on a central syslog server, perform
+     the following steps:
+    </para>
+    <step>
+     <para>
+      Edit the configuration file
+      <filename>/etc/rsyslog.d/remote.conf</filename>.
+     </para>
+    </step>
+    <step>
+     <para>
+      Uncomment the appropriate line (TCP or UDP) and replace
+      <literal>remote-host</literal> with the address of the central log server
+      set up in <xref linkend="sec-configure-configure-central-syslog-server"/>.
+     </para>
+     <para>
+      TCP example:
+     </para>
+     <screen># Remote Logging using TCP for reliable delivery
+      # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+      *.* <replaceable>@@remote-host</replaceable></screen>
+     <para>
+      UDP example:
+     </para>
+     <screen># Remote Logging using UDP
+      # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+      *.* <replaceable>@remote-host</replaceable></screen>
+    </step>
+    <step>
+     <para>
+      Save the file.
+     </para>
+    </step>
+    <step>
+     <para>
+      Restart the <systemitem class="daemon">rsyslog</systemitem> service:
+     </para>
+     <screen>&prompt.sudo;<command>systemctl restart rsyslog.service</command></screen>
+    </step>
+    <step>
+     <para>
+      Verify the proper function of the syslog forwarding:
+     </para>
+     <screen>&prompt.user;<command>logger "hello world"</command></screen>
+     <para>
+      The log message <literal>hello world</literal> should now appear on the
+      central syslog server.
+     </para>
+    </step>
+   </procedure>
+   <para>
+    You have now configured a machine for remote logging to your central log
+    server. Repeat this procedure for all machines that should log remotely.
+   </para>
+  </section>
+ </section>
+
+ <section xml:id="summary-configure-central-syslog-server">
+  <title>Summary</title>
+  <para>
+   You have configured one or more hosts for remote logging to your central log
+   server. This allows you to get a quick to get an overview of events on your
+   network.
+  </para>
+ </section>
+
+ <section xml:id="troubleshooting-configure-central-syslog-server">
+  <title>Troubleshooting</title>
+  <para>
+   In case the test log message does not appear on the log server, perform the
+   following steps to analyze the problem.
+  </para>
+  <variablelist>
+   <varlistentry>
+    <term>Is <systemitem class="daemon">rsyslog</systemitem> running?</term>
+    <listitem>
+     <para>
+      If you made an error in the configuration of <systemitem
+       class="daemon">rsyslog</systemitem>, the daemon might refuse to start.
+      Check it is running with
+      <command>systemctl status rsyslog.service</command>. If the
+      service is down, the output includes additional information about the
+      reason.
+     </para>
+     <para>
+      Run this check on both the log server and the remote logging clients.
+     </para>
+    </listitem>
+   </varlistentry>
+   <varlistentry>
+    <term>Is the firewall open?</term>
+    <listitem>
+     <para>
+      Check if the firewall on the log server is open with
+      <command>firewall-cmd --list-all</command>.
+     </para>
+    </listitem>
+   </varlistentry>
+  </variablelist>
+ </section>
+
+ <section xml:id="next-configure-central-syslog-server">
+  <title>Next steps</title>
+  <para>
+   This basic setup does not include encryption and is only suitable for
+   trusted internal networks. TLS encryption is strongly recommended, but
+   requires a certificate infrastructure to be set up first.
+  </para>
+  <para>
+   In this configuration, all messages from remote hosts will be treated the
+   same on the central log server. Consider filtering messages into separate
+   files by remote host or classify them by message category.
+  </para>
+  <para>
+   For more information about encryption, filtering, and other advanced topics,
+   consult the <phrase role="productname">RSyslog</phrase> documentation at
+   <link xlink:href="https://www.rsyslog.com/doc/master/index.html#manual"/>.
+  </para>
+ </section>
+
+ <!-- 
+ <section xml:id="related-configure-central-syslog-server">
+  <title>Related topics</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     An
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     Unordered
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     List
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+ -->
+</article>