-
-
Save mbierman/f3d184b65e0f4de6fa75a4a5d5145426 to your computer and use it in GitHub Desktop.
| #!/bin/bash | |
| # v 2.1.0 | |
| syslog=/etc/rsyslog.d/09-externalserver.conf | |
| # this logs notice and above. use *.* log everything. | |
| filter=*.notice | |
| server=192.168.0.19 # Change the server to the IP of your syslog server. | |
| port=514 | |
| hostname=firewalla | |
| valid=$(grep "$server:$port" $syslog 2>/dev/null) | |
| create () { | |
| # To use TCP uncomment line 14 to use TCP and comment line 16 | |
| # echo -e "# remote syslog server (TCP):\n$filter @@$server:$port" | sudo tee $syslog | |
| # Line 16 assumes UDP: to use TCP, comment the line 16 and uncomment line 14 | |
| echo -e "# remote syslog server (UDP):\n\$LocalHostName $hostname\nfilter @$server:$port" | sudo tee $syslog | |
| echo "Restarting rsyslog..." | |
| sudo systemctl restart rsyslog | |
| echo "remote syslog added" | |
| exit | |
| } | |
| cleanup () { | |
| sudo rm -f $syslog | |
| sudo systemctl restart rsyslog | |
| } | |
| if [ -f "$syslog" ] ; then | |
| if [ -n "$valid" ] ; then | |
| echo "remote syslog already in place with $server:$port specified" | |
| case $1 in | |
| -c) | |
| echo -e "\nrecreating syslog configuration..." | |
| cleanup | |
| create | |
| ;; | |
| -r|-restart|-force|-f) | |
| echo "Restarting rsyslog..." | |
| sudo systemctl restart rsyslog | |
| exit | |
| ;; | |
| -u|-update) | |
| read -p "Are you sure you want to remove the syslog forwarder? type 'y' " -n 1 -r | |
| echo | |
| if [[ $REPLY =~ ^[Yy]$ ]] ; then | |
| ls $syslog 2>/dev/null && cleanup || echo -e "\n\nNo log found.\n" | |
| fi | |
| exit | |
| ;; | |
| -h) | |
| echo -e "You can use:\n - \`$0 -c\` recreate forwarding\n - \`$0 -r\` restart the syslog service\ | |
| \n - \`$0 -u\` uninstall the settings to send to the remote syslog server\n\n" | |
| exit | |
| ;; | |
| esac | |
| else | |
| echo "The server is not configured correctly. On it." | |
| cleanup | |
| create | |
| fi | |
| else | |
| echo "There was no syslog forwarder in place." | |
| create | |
| fi |
You may also want to consider this post about persisting cron through reboots/restarts: https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting
I notice the cronjob disappeared after a reload so I added it to the location described by that article.
@mjaestewart @mbierman
thanks a lot for sharing this - just what I was looking for.
I'm curious why you need the cron job to run the create function every hour.
According to https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting, scripts in post_main.d run every time the Firewalla restarts. Couldn't the script just check for the presence of the .conf file and create it if not present? Or are there conditions where the config can get deleted without a restart to add the config back?
In my version, there is no need for a cron job. I feel it is a bad idea to restart syslog every hour. I'm not sure I follow what problem that was trying to solve. The current code is not how Firewalla recommends creating cron jbos. I haven't tested to see if it works anyway. Maybe in a round about way it still works but there's no reason to do it this way.
I haven't tested the modified version. The fact that it seems to need a cronjob makes me cautious about it for now. When I get a chance I may try to fix a few things and see if it has any adverse effects if the cron isn't run.
I've been playing with a Graylog server in my home lab, as a result, I started looking into how to export the Bro(Zeek) logs from the Firewalla to Graylog.
I was using the following script via a cron job every minute, found it on Reddit.
#!/bin/bash for l infind /log/blog/ -type f -mmin -1 ;do zcat $l | sed "s|\}|,\"firewalla_log\":\"$l\"}|g" | nc -q 5 192.168.25.200 514 -w0;done
I ran across this Gist, and tried to use @mjaestewart script, this appears to pickup and re-send all exsiting logs each time rsyslog is restarted, which probably isn't a problem normally, but if you are fiddling, I'm finding that it's dumping 6k logs in a second and then my graylog server queue starts piling up.
imfile appears to support a 'freshStartTail' option, how would I include it in mjaestewart's script? would it get added as a parameter on the input line?
input(type="imfile" ruleset="forwardSysLogs" Tag="ConnLog" File="/bspool/manager/conn.log" freshStartTail="on")
@mjaestewart Do you end up with an endless supply of imfile state files in /var/spool/rsyslog? I ended up adding a cronjob to delete files older than 5 minutes in that directory because otherwise it just fills up indefinitely. I'm assuming it has something to do with zeek truncating/rotating the log files because I also end up with these messages from rsyslogd in /var/log/syslog: imfile: internal error? inotify provided watch descriptor 3745 which we could not find in our tables.