```bash
#!/bin/bash
# v 2.1.0
syslog=/etc/rsyslog.d/09-externalserver.conf
# this logs notice and above. use *.* to log everything.
filter=*.notice
server=192.168.0.19 # Change the server to the IP of your syslog server.
port=514
hostname=firewalla
# non-empty when the existing config already points at this server:port
valid=$(grep "$server:$port" "$syslog" 2>/dev/null)

create () {
    # To use TCP, uncomment the TCP line below and comment out the UDP line.
    # (In rsyslog, "@@" is a TCP forwarding target, a single "@" is UDP.)
    # echo -e "# remote syslog server (TCP):\n\$LocalHostName $hostname\n$filter @@$server:$port" | sudo tee "$syslog"
    # UDP is the default:
    echo -e "# remote syslog server (UDP):\n\$LocalHostName $hostname\n$filter @$server:$port" | sudo tee "$syslog"
    echo "Restarting rsyslog..."
    sudo systemctl restart rsyslog
    echo "remote syslog added"
    exit
}

cleanup () {
    sudo rm -f "$syslog"
    sudo systemctl restart rsyslog
}

if [ -f "$syslog" ] ; then
    if [ -n "$valid" ] ; then
        echo "remote syslog already in place with $server:$port specified"
        case $1 in
            -c)
                echo -e "\nrecreating syslog configuration..."
                cleanup
                create
                ;;
            -r|-restart|-force|-f)
                echo "Restarting rsyslog..."
                sudo systemctl restart rsyslog
                exit
                ;;
            -u|-update)
                read -p "Are you sure you want to remove the syslog forwarder? type 'y' " -n 1 -r
                echo
                if [[ $REPLY =~ ^[Yy]$ ]] ; then
                    ls "$syslog" 2>/dev/null && cleanup || echo -e "\n\nNo log found.\n"
                fi
                exit
                ;;
            -h)
                echo -e "You can use:\n - \`$0 -c\` recreate forwarding\n - \`$0 -r\` restart the syslog service\
\n - \`$0 -u\` uninstall the settings to send to the remote syslog server\n\n"
                exit
                ;;
        esac
    else
        echo "The server is not configured correctly. On it."
        cleanup
        create
    fi
else
    echo "There was no syslog forwarder in place."
    create
fi
```
I've been playing with a Graylog server in my home lab; as a result, I started looking into how to export the Bro (Zeek) logs from the Firewalla to Graylog.
I was using the following script via a cron job every minute; I found it on Reddit.

```bash
#!/bin/bash
# For every Zeek log written in the last minute, decompress it, append the
# source file name as a field before each record's closing brace, and ship
# the lines to the collector over UDP.
for l in $(find /log/blog/ -type f -mmin -1); do
    zcat "$l" | sed "s|\}|,\"firewalla_log\":\"$l\"}|g" | nc -q 5 192.168.25.200 514 -w0
done
```
I ran across this Gist and tried to use @mjaestewart's script; this appears to pick up and re-send all existing logs each time rsyslog is restarted, which probably isn't a problem normally, but if you are fiddling, I'm finding that it's dumping 6k logs in a second and then my Graylog server queue starts piling up.
imfile appears to support a 'freshStartTail' option. How would I include it in mjaestewart's script? Would it get added as a parameter on the input line?

```conf
input(type="imfile" ruleset="forwardSysLogs" Tag="ConnLog" File="/bspool/manager/conn.log" freshStartTail="on")
```
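For reference, here is a complete rsyslog configuration of the kind the question above is about. It is an added example, not code from this gist or from mjaestewart's script: it loads imfile, tails the Zeek conn.log with `freshStartTail="on"` so that a file with no state file yet is read from its end rather than replayed, and forwards over TCP through a bounded queue so that a burst is buffered and retried instead of flooding the collector. The file path and ruleset name are taken from the question above and the collector address from the cron script; the config file name, workDirectory, persistence interval and queue sizes are assumed values.

```conf
# /etc/rsyslog.d/10-zeek-forward.conf   (added example; the file name is an assumption)

# Directory where imfile keeps its per-file state (offset) files. Assumed path.
global(workDirectory="/var/spool/rsyslog")

module(load="imfile")

# Tail Zeek's conn.log.
# freshStartTail="on": if no state file exists for this file yet, start reading
# at the end instead of replaying everything already in it. Once a state file
# exists, rsyslog resumes from the recorded offset after a restart, so a
# restart no longer re-sends the whole file.
input(type="imfile"
      File="/bspool/manager/conn.log"
      Tag="ConnLog"
      Ruleset="forwardSysLogs"
      freshStartTail="on"
      PersistStateInterval="60")   # write the offset every 60 lines (assumed value)

ruleset(name="forwardSysLogs") {
    # TCP rather than UDP so delivery failures are detected, with an action
    # queue that absorbs bursts and retries indefinitely instead of dropping.
    action(type="omfwd"
           target="192.168.25.200"
           port="514"
           protocol="tcp"
           queue.type="LinkedList"
           queue.size="10000"
           queue.dequeueBatchSize="100"
           action.resumeRetryCount="-1")
}
```

Two things to keep in mind when using this: `freshStartTail` only decides where reading starts for a file that has no state file, so if the state files in the work directory are deleted (or the directory is not writable), every restart will again skip to the tail and anything written while rsyslog was down is never forwarded; and the state file is only as current as `PersistStateInterval` allows, so a few lines may be re-sent after an unclean stop.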
@nickt444,
In my version, there is no need for a cron job. I feel it is a bad idea to restart syslog every hour. I'm not sure I follow what problem that was trying to solve. The current code is not how Firewalla recommends creating cron jobs. I haven't tested to see if it works anyway. Maybe in a roundabout way it still works, but there's no reason to do it this way.
I haven't tested the modified version. The fact that it seems to need a cron job makes me cautious about it for now. When I get a chance I may try to fix a few things and see if it has any adverse effects if the cron isn't run.