Linux Server - Integration Guide

This guide will show you how to integrate a Linux server into the Secure60 platform.

Overview

This guide explains how to monitor Linux instances by configuring syslog to forward logs to the Secure60 collector. As always, if you have any additional questions, don't hesitate to contact Secure60 Support.

Install Syslog

  1. (Prerequisite) Install the Secure60 Collector.
  2. (Optional) Install syslog on Linux. Most Linux instances come with syslog preinstalled. If needed, install it manually:

     sudo apt install rsyslog

  3. Modify the Syslog configuration file located at /etc/rsyslog.conf with the following content:

# Global directives for TLS (only needed for the TLS option below)
global(
  DefaultNetstreamDriverCertFile="/etc/ssl/certs/example_cert.crt" # Client certificate
  DefaultNetstreamDriverKeyFile="/etc/ssl/private/example_key.pem" # Client private key
)

# Choose ONE of the three forwarding options below and comment out the others,
# otherwise every message is sent to the collector more than once.

# Option 1: without TLS, default syslog port using TCP
*.* @@<S60_COLLECTOR_IP_ADDRESS>:514

# Option 2: without TLS, default syslog port using UDP
*.* @<S60_COLLECTOR_IP_ADDRESS>:514

# Option 3: forward over TLS on port 6514. StreamDriverAuthMode="anon" encrypts the
# session but does not validate the collector's certificate; to validate it, use
# StreamDriverAuthMode="x509/name" with StreamDriverPermittedPeers and point
# DefaultNetstreamDriverCAFile at the signing CA.
action(type="omfwd" protocol="tcp" target="<S60_COLLECTOR_IP_ADDRESS>" port="6514"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")

  4. Create a configuration file to forward auditd logs at /etc/rsyslog.d/auditd-forward.conf with the following content:

# Load the imfile module to read files
module(load="imfile")

# Define the input to read the audit log
input(type="imfile"
      File="/var/log/audit/audit.log"
      Tag="auditd"
      Severity="info"
      Facility="local6"
      PersistStateInterval="10")

# Forward the audit logs to the collector. This uses plain TCP on port 514; if you
# chose the TLS option in /etc/rsyslog.conf, use the same action(...) form here.
if $syslogtag contains 'auditd' then @@<S60_COLLECTOR_IP_ADDRESS>:514

Ensure you replace <S60_COLLECTOR_IP_ADDRESS> in both files with the actual IP address of your Secure60 collector. If you use the TLS option, enable certificate validation with signed certificates as needed. To restart the Syslog service, execute the following command:

systemctl restart rsyslog

To check the status of Syslog, use the command:

systemctl status rsyslog
journalctl -u rsyslog
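
Before restarting rsyslog it is worth catching the two configuration mistakes this section warns about: an unreplaced <S60_COLLECTOR_IP_ADDRESS> placeholder and a TLS action left in anon mode, which never validates the collector's certificate. The POSIX shell pre-flight check below is an added example, not part of the Secure60 documentation or collector; the sample config, the 203.0.113.10 address and the collector.example.com peer name are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample standing in for /etc/rsyslog.conf; it still carries the
# placeholder, an active plaintext forwarder and anonymous TLS, so the check
# is expected to flag it. Point the function at the real file in practice.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
global(
  DefaultNetstreamDriverCertFile="/etc/ssl/certs/example_cert.crt"
  DefaultNetstreamDriverKeyFile="/etc/ssl/private/example_key.pem"
)
*.* @<S60_COLLECTOR_IP_ADDRESS>:514
action(type="omfwd" protocol="tcp" target="<S60_COLLECTOR_IP_ADDRESS>" port="6514"
       StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")
EOF

# check_forwarding_conf FILE
# Prints one finding per line; returns 0 only when no FAIL finding was raised.
check_forwarding_conf() {
  conf="$1"
  rc=0
  # Unreplaced placeholder: rsyslog would try to resolve it as a hostname.
  if grep -q '<S60_COLLECTOR_IP_ADDRESS>' "$conf"; then
    echo "FAIL: <S60_COLLECTOR_IP_ADDRESS> placeholder not replaced"
    rc=1
  fi
  # anon mode encrypts the session but performs no certificate validation,
  # so the collector's identity is never verified.
  if grep -Eq '^[^#]*StreamDriverAuthMode="anon"' "$conf"; then
    echo "FAIL: TLS action uses StreamDriverAuthMode=\"anon\"; use x509/name with StreamDriverPermittedPeers"
    rc=1
  fi
  # Active (uncommented) @/@@ forwarders to port 514 send logs unencrypted.
  plain=$(grep -cE '^[^#]*@@?[^[:space:]]+:514' "$conf" || true)
  if [ "$plain" -gt 0 ]; then
    echo "WARN: $plain plaintext forwarder(s) on port 514; log traffic is unencrypted on the wire"
  fi
  return "$rc"
}

# Same sample with the placeholder replaced by a constructed address and
# certificate validation turned on; this version has no blocking finding.
FIXED_CONF=$(mktemp)
sed -e 's|<S60_COLLECTOR_IP_ADDRESS>|203.0.113.10|g' \
    -e 's|StreamDriverAuthMode="anon"|StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="collector.example.com"|' \
    "$SAMPLE_CONF" > "$FIXED_CONF"

check_forwarding_conf "$SAMPLE_CONF" || echo "sample: fix the FAIL findings before restarting rsyslog"
check_forwarding_conf "$FIXED_CONF" && echo "fixed: no blocking findings"
```

Run it against the real file with `check_forwarding_conf /etc/rsyslog.conf` (and again for /etc/rsyslog.d/auditd-forward.conf), then validate syntax with `rsyslogd -N1` before restarting.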

Integrate with Secure60 Collector

To enable Syslog integration in the S60-collector, modify the .env file as follows:

ENABLE_SYSLOG=true
ENABLE_LINUX_SYSLOG=true

Logs can be viewed in the Secure60 portal.