Linux is a family of open-source, Unix-like operating systems based on the Linux kernel. It is widely used in servers, desktops, embedded systems, and cloud environments due to its flexibility, stability, and security. A Linux OS machine refers to any computer or device running a Linux-based operating system.
Integration Method: Data Collector (syslog)
Tables: Account Change (3001), Authentication (3002), Group Management (3006), SSH Activity (4007)
This integration supports the following events.
Event | Description |
|---|---|
Authentication logs | user authentication attempts, including successful logins, failed logins, user account changes etc., |
This integration supports the following versions.
Linux Version Tested | Ubuntu 22.04 LTS, RHEL 8.8 |
Data Collector API version | 0.6-62-d2aa70a |
Prerequisites
The user should have a compatible version of the system in which the Data Collector is installed. For installation steps, please follow the steps mentioned here.
The user should have access to DataBee console.
Configuration Overview
Client machine – Machine in which end user activities are performed and those logs need to be processed in DataBee.
Data Collector – This host has the DataBee Data Collector installed. It receives logs from client machines and forwards the events to DataBee via HTTPS.
Configure syslog in Data Collector machine.
Configure syslog on client machines.
Configure Linux feed in DataBee console.
Configure syslog on Data Collector
In this configuration, logs will be received from client machines on port 51442. Rsyslog is configured to forward all of it to port 51441. Those logs will be sent to DataBee via HTTPS.
Login to the Linux host machine.
Edit rsyslog.conf as a super user. Run the command sudo nano /etc/rsyslog.conf with admin privileges.
Enable following highlighted UDP lines with port that you want to expose to client machines to forward logs. For e.g, port 51442 is opened here for clients to forward logs.
Add auth,authpriv.* @0.0.0.0:51441 at the end of the file to expose auth logs to 51441 port. This port will be used for Linux feed configuration in DataBee UI.
Save and close the file.
Run the following command to restart syslog service sudo service rsyslog restart.
Configure syslog on client machines
Login to Linux client machine from where you want to forward the authentication logs to DataBee.
Run command sudo nano /etc/rsyslog.conf with admin privileges.
Add auth,authpriv.* @<host-ip>:51442 at the end of the file to send auth logs to Data Collector machine 51442 port.
Save and close the file.
Run the following command to restart syslog service sudo service rsyslog restart.
DataBee Configuration
Login to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.
Search for the Linux and click it as shown below.
Click on the Data Collector for collection method.
Click on the Syslog.
Enter feed contact information and select data collector created from the previous step.
Click Next.
In the configuration page, confirm the following:
Select the mode as UDP from the dropdown.
Fill the port field with port configured during syslog configuration in host machine.
Click Next.
If you don’t want to filter logs based on syslog messages from host/clients then click on Submit.
If you want to filter the message then click on Add.
You will see filters dropdown with two options i.e., Inclusion and Exclusion
Inclusion: provide keywords that you want to apply on syslog messages to filter which need to be processed in DataBee.
Exclusion: provide keywords that you want to apply on syslog messages to filter which need not to be processed in DataBee.
Click on Submit.
Troubleshooting Tips
If you encounter any issues regarding log forwarding, refer to the DataBee troubleshooting document for detailed guidance.