Questions[centralized-logging](server)

We have set up centralized logging of auditd messages for two machines:

• machine (www22.domain.com) is the source (centos8)
• machine (cls.domain.com) is the centralized log server (centos7)

This was done in the standard way using auditd+audisp plugin sending to auditd server listening on port 60, e.g. like described here:

https://luppeng.wordpress.com/2016/08/06/setting-up-centralized-logging-with-auditd/

But then when I observe the audit log on the centralized log server after restarting auditd client on the source, the only thing that appears are the lines

node=cls.domain.com type=DAEMON_CLOSE msg=audit(1632773977.760:3884): addr=::ffff:x.y.z.152 port=42652 res=success
node=cls.domain.com type=DAEMON_ACCEPT msg=audit(1632773988.330:3885): addr=::ffff:x.y.z.152 port=44282 res=success

where ::ffff:x.y.z.152 is obviously due to some packet(s) from IP address x.y.x.152 (address of www22.domain.com). So the TCP connection between client-server gets established and it seems further message logging should work.

But then the only new lines that ever appear in the log file are those that originate on cls.domain.com. There are never audit messages from www22.domain.com.

I've checked what happens if auditd www22.domain.com is set up to write also to local audit log file; then the local file gets lots of messages from audit. But still nothing is sent over the network.

How to make sure the auditd client sends the same messages over the network?

I want to create a central rsyslog server, and I want to create a file per type of log received. I need a filter that will look for specific strings in the incoming messages and then place them in the seperate log files.

So if I see a log from a Cisco device, i will place it in /var/log/remote_cisco.log, if I see a log from another Linux box, I want to place the log in /var/log/remote_linux.log.

So I have created a new config that has a new ruleset, but I an struggling to understand where to put my filters, I want to say something like:

if $msg contains ‘CISCO ASA’ then /var/log/remote_cisco.log

Here is my current basic config file

# Syslog Config to enable a Syslog Server
 
ruleset(name="remote"){
     action(type="omfile" file="/var/log/remote.log") }
 
# provides UDP syslog reception module(load="imudp") input(type="imudp" port="514" ruleset="remote")
 
# provides TCP syslog reception module(load="imtcp") input(type="imtcp" port="514" ruleset="remote")

This is a part of my Promtail scrape configuration on various hosts to collect journald log entries to a Loki instance:

- job_name: journald
  journal:
    labels:
      job: journald
  relabel_configs:
    - source_labels:
        - __journal__systemd_unit
      target_label: unit
  pipeline_stages:
    - match:
        selector: '{unit=~"session-\\d+\\.scope"}'
        stages:
          - regex:
              source: unit
              expression: "^session-(?P<session_id>\\d+)\\.scope$"
          - template:
              source: message
              template: "id={{ .session_id }} {{ .Entry }}"
          - output:
              source: message
          - labels:
              unit: session.scope

The aim is to relabel all entries captured with unit labels like session-1.scope, session-10.scope etc. with the common label session.scope and to prepend the session_id extracted from the initially assigned label to the entry text. While that latter aspect, adding the prefix, is working and thus implying that most of the configuration is working, the last of the defined stages, that asignment of a static literal to the unit label does not. All entries that were correctly selected and altered still have their distinct labels session-1.scope, session-10.scope etc.

Can anyone hint me what I'm missing to make that last bit work as expected?

Due to the Data Privacy regulations in our Country we have been asked by management to disable Microsoft Office Pro Plus, 365, 2016 from sending Telemetry Data to Microsoft so i did the following as stated on the official website https://docs.microsoft.com/en-us/deployoffice/compat/manage-the-privacy-of-data-monitored-by-telemetry-in-office .

So I downloaded ADMX templates > Configuration > Administrative Templates > Microsoft Office 2016 > Telemetry Dashboard and did the following in order to disable Telemetry Agent policy settings that disable logging

TO STOP LOGGING BY USING THE GROUP POLICY SETTINGS

Setting

Turn on telemetry data collection

Set this setting to Disabled to turn off data collection.

Turn on data uploading for Office Telemetry Agent

Set this setting to Disabled to stop uploading data to the shared folder.

According to Microsoft if logging is deactivated folder this %LocalAppData%\Microsoft\Office\16.0\Telemetry folder does not exit. I double checked on one of our test clients and truly that path doesnt exist.

Nevertheless my attention was then drawn to another location %localappdata%\Microsoft\Office\OTele. Check out this article https://www.gruppenrichtlinien.de/artikel/office-20162019365-telemetrie-deaktivieren-disabletelemetry/

This location also logs some kind of Office Telemetry Data and it gets populated anytime office is active. Is this location relevant? If so how do we stop it from logging office Data?

Reference link: https://social.technet.microsoft.com/Forums/office/en-US/f98dd521-fc45-4187-af30-f00031585f44/disable-microsoft-office-telemetry-not-working-properly-data-logging-locations-very-confusing?forum=Office2016ITPro#f98dd521-fc45-4187-af30-f00031585f44

My requirement is to log all messages on the remote machine. In order to achieve the goal I have two identical versions of rsyslog (rsyslogd 8.1901.0 (aka 2019.01)) on both machines (server: 192.168.122.12 and client: 192.168.122.13).

Besides, if the remote machine is down I need to buffer all messages in order to send them later when it is online. The problem is, that this have a very strange behavior. When I shut down remote server, and log something the message is never sent, even when the remote machine is online again. Sometimes when I log something again some of the old (buffered) messages are sent (never all of them). As you may see I use TCP connection.

My configuration is:

Server: /etc/rsyslog.conf

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog

$DebugLevel 2
$DebugFile /var/log/rsyslog-debug.log

template (name="DynFile" type="string" string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

template(name="CustomFileFormat" type="list") {
    property(name="timereported" dateFormat="rfc3339")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="syslogtag")
    property(name="msg" spifno1stsp="on" )
    property(name="msg" droplastlf="on" )
    constant(value="\n")
}

ruleset(name="remote") {
  action(type="omfile" dynaFile="DynFile" Template="CustomFileFormat")
  stop
}
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         :omusrmsg:*

Client: /etc/rsyslog.conf

$LocalHostName my.test.machine.corp.es

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog

$DebugLevel 2
$DebugFile /var/log/rsyslog-debug.log

*.* action(
        type="omfwd"
        target="192.168.122.12"
        port="514"
        protocol="tcp"
        queue.type="linkedlist"
        queue.size="10000"
        queue.filename="fwd_msgs"
        action.resumeRetryCount="-1"
        queue.saveOnShutdown="on"
        action.resumeinterval="30"
)

$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         :omusrmsg:*