Last active
January 5, 2025 22:59
-
-
Save mbierman/f3d184b65e0f4de6fa75a4a5d5145426 to your computer and use it in GitHub Desktop.
Add a remote syslog server to Firewalla
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # v 2.1.0 | |
| syslog=/etc/rsyslog.d/09-externalserver.conf | |
| # this logs notice and above. use *.* log everything. | |
| filter=*.notice | |
| server=192.168.0.19 # Change the server to the IP of your syslog server. | |
| port=514 | |
| hostname=firewalla | |
| valid=$(grep "$server:$port" $syslog 2>/dev/null) | |
| create () { | |
| # To use TCP uncomment line 13 to use TCP and comment line 15 | |
| # echo -e "# remote syslog server (TCP):\n$filter @@$server:$port" | sudo tee $syslog | |
| # Line 15 assumes UDP: to use TCP, comment the line 15 and uncomment line 13 | |
| echo -e "# remote syslog server (UDP):\n\$LocalHostName $hostname\nfilter @$server:$port" | sudo tee $syslog | |
| echo "Restarting rsyslog..." | |
| sudo systemctl restart rsyslog | |
| echo "remote syslog added" | |
| exit | |
| } | |
| cleanup () { | |
| sudo rm -f $syslog | |
| sudo systemctl restart rsyslog | |
| } | |
| if [ -f "$syslog" ] ; then | |
| if [ -n "$valid" ] ; then | |
| echo "remote syslog already in place with $server:$port specified" | |
| case $1 in | |
| -c) | |
| echo -e "\nrecreating syslog configuration..." | |
| cleanup | |
| create | |
| ;; | |
| -r|-restart|-force|-f) | |
| echo "Restarting rsyslog..." | |
| sudo systemctl restart rsyslog | |
| exit | |
| ;; | |
| -u|-update) | |
| read -p "Are you sure you want to remove the syslog forwarder? type 'y' " -n 1 -r | |
| echo | |
| if [[ $REPLY =~ ^[Yy]$ ]] ; then | |
| ls $syslog 2>/dev/null && cleanup || echo -e "\n\nNo log found.\n" | |
| fi | |
| exit | |
| ;; | |
| -h) | |
| echo -e "You can use:\n - \`$0 -c\` recreate forwarding\n - \`$0 -r\` restart the syslog service\ | |
| \n - \`$0 -u\` uninstall the settings to send to the remote syslog server\n\n" | |
| exit | |
| ;; | |
| esac | |
| else | |
| echo "The server is not configured correctly. On it." | |
| cleanup | |
| create | |
| fi | |
| else | |
| echo "There was no syslog forwarder in place." | |
| create | |
| fi |
You may also want to consider this post about persisting cron through reboots/restarts: https://help.firewalla.com/hc/en-us/articles/360054056754-Customized-Scripting
I notice the cronjob disappeared after a reload so I added it to the location described by that article.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@mjaestewart Do you end up with an endless supply of imfile state files in /var/spool/rsyslog? I ended up adding a cronjob to delete files older than 5 minutes in that directory because otherwise it just fills up indefinitely. I'm assuming it has something to do with zeek truncating/rotating the log files because I also end up with these messages from rsyslogd in /var/log/syslog: imfile: internal error? inotify provided watch descriptor 3745 which we could not find in our tables.