Configuring Rsyslog

Installing the required packages on Debian-based distributions (Debian, Ubuntu):

sudo apt-get update
sudo apt-get install ca-certificates -y
sudo apt-get install rsyslog-gnutls

Installing the required packages on RedHat distributions (RHEL, CentOS, Fedora):

sudo yum install -y rsyslog-gnutls
sudo yum install -y ca-certificates

sudo nano /etc/rsyslog.d/22-easysiem.conf

For rsyslog 8.x (check the version with rsyslogd -v), paste the following:

# Disk-assisted queue for the forwarding action, so messages are buffered
# locally while the collector is unreachable instead of being dropped.
# where to place spool files
$WorkDirectory /var/spool/rsyslog
# unique name prefix for spool files
$ActionQueueFileName fwdRule1
# 1 GB disk space limit (use as much as possible)
$ActionQueueMaxDiskSpace 1g
# save queued messages to disk on shutdown
$ActionQueueSaveOnShutdown on
# run asynchronously
$ActionQueueType LinkedList
# infinite retries if the collector is down
$ActionResumeRetryCount -1
# Rsyslog GnuTLS: CA bundle used to verify the collector's certificate
# (on RedHat distributions the bundle is /etc/pki/tls/certs/ca-bundle.crt)
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
# One JSON document per line. format="json" escapes quotes and backslashes,
# so a crafted message or tag (e.g. logger -t 'x"y') cannot break the document.
template(name="json-template" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"1")
    constant(value="\",\"message\":\"") property(name="msg" format="json")
    constant(value="\",\"hostname\":\"") property(name="hostname" format="json")
    constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"pri\":\"") property(name="pri-text")
    constant(value="\",\"facility\":\"") property(name="syslogfacility-text")
    constant(value="\",\"programname\":\"") property(name="programname" format="json")
    constant(value="\",\"procid\":\"") property(name="procid")
    constant(value="\",\"fromhost-ip\":\"") property(name="fromhost-ip")
    constant(value="\",\"auth_token\":\"AUTH_TOKEN")
    constant(value="\",\"pack\":\"rsyslog")
    constant(value="\"}\n")
}
# Send messages to easySIEM over TCP with TLS using the template.
# StreamDriverMode="1" requires TLS; x509/name verifies the certificate chain
# against the CA bundle above and the certificate name against PermittedPeers.
# ACTION BLOCK
action(type="omfwd" protocol="tcp" target="TARGET_URL" port="8888"
       template="json-template" StreamDriver="gtls"
       StreamDriverMode="1" StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="*.easysiem.com")

TARGET_URL: <SUBDOMAIN>-collector.easysiem.com. Use the bare host name (no scheme, port or path): the target of omfwd is a host name, and the certificate the collector presents is checked against the StreamDriverPermittedPeers pattern, so the wildcard must cover that name.

AUTH_TOKEN: copy the Auth Token from the configuration section of the dashboard. It is embedded as a JSON string constant, so it must not contain double quotes or backslashes.

You can add any number of extra constants and properties to the template. By default the "pack" field value is "syslog" and the "name" field is "facility" in the indexed documents.

Minimal configuration: forward only authentication logs, user-management events and Suricata logs.

Replace the action block with the following. The facility test matches both auth and authpriv, which is where sshd, sudo and the shadow utilities log; everything else is matched on the syslog tag, so Suricata alerts are forwarded whatever facility they use.

if ( $syslogfacility-text startswith "auth" and
     ($programname == ["sshd","sudo","su","systemd-logind",
                       "groupdel","groupadd","usermod","useradd",
                       "userdel","groupmod","chage","chfn"])
     or $syslogtag startswith "suricata")
then {
    action(type="omfwd" protocol="tcp" target="TARGET_URL" port="8888"
           template="json-template" StreamDriver="gtls"
           StreamDriverMode="1" StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="*.easysiem.com")
    stop
}

Note that stop ends processing of a matched message: because 22-easysiem.conf is included before the local log-file rules (/etc/rsyslog.conf or 50-default.conf), those messages are no longer written to the local files. Remove stop if you still want them locally. Check the syntax with sudo rsyslogd -N1 before restarting rsyslog.
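The following is an added example, not code from the easySIEM documentation or from rsyslog: an offline simulator that shows what the configuration above does with a syslog line. It parses a few constructed RFC 3164 lines, derives the rsyslog properties the template and the minimal filter reference (syslogfacility-text, syslogseverity-text, pri-text, programname, syslogtag, procid, msg), applies the minimal configuration's if-condition, and renders the json-template document that omfwd would send. The year (RFC 3164 timestamps carry none), the UTC offset and the source address 127.0.0.1 are assumptions. It also shows why hostname and programname need format="json": with a tag such as sshd"x, an unescaped template produces a document the collector cannot parse.

```python
"""Offline simulator for the 22-easysiem.conf filter and json-template (added example)."""
import json
import re
from datetime import datetime

# Facility / severity names in syslog numbering order, as rsyslog prints them.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Programs the minimal configuration forwards for auth/authpriv messages.
AUTH_PROGRAMS = {
    "sshd", "sudo", "su", "systemd-logind", "groupdel", "groupadd", "usermod",
    "useradd", "userdel", "groupmod", "chage", "chfn",
}

# <PRI>Mmm dd hh:mm:ss HOST TAG MSG   (RFC 3164, as written by logger/sshd/suricata)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>\S+) ?(?P<msg>.*)$"
)


def parse_line(line, year=2024, fromhost_ip="127.0.0.1"):
    """Derive the rsyslog properties the template uses (year/UTC/source IP assumed)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    pri = int(m.group("pri"))
    facility, severity = FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 7]
    tag = m.group("tag")
    # programname is the static part of the tag, cut at the first ':', '[' or '/'
    programname = re.match(r"[^:\[/]*", tag).group(0)
    pid = re.search(r"\[(\d+)\]", tag)  # rsyslog takes procid from TAG[pid], else "-"
    ts = datetime.strptime("%d %s" % (year, re.sub(r"\s+", " ", m.group("ts"))),
                           "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts.isoformat() + "+00:00",  # timereported, dateFormat="rfc3339"
        "hostname": m.group("host"),
        "syslogtag": tag,
        "programname": programname,
        "procid": pid.group(1) if pid else "-",
        "facility": facility,
        "severity": severity,
        "pri_text": "%s.%s<%d>" % (facility, severity, pri),
        "msg": m.group("msg"),
        "fromhost_ip": fromhost_ip,
    }


def is_forwarded(rec):
    """The minimal configuration's if-condition."""
    return (rec["facility"].startswith("auth") and rec["programname"] in AUTH_PROGRAMS) \
        or rec["syslogtag"].startswith("suricata")


def json_escape(value):
    """What property(... format="json") does: escape for use inside a JSON string."""
    return json.dumps(value)[1:-1]


def render_json_template(rec, auth_token="AUTH_TOKEN", escape_all=True):
    """Render one json-template line. escape_all=False mimics a template that
    escapes only msg, to show why hostname/programname need format="json"."""
    esc = json_escape if escape_all else (lambda v: v)
    return (
        '{"@timestamp":"' + rec["timestamp"]
        + '","@version":"1'
        + '","message":"' + json_escape(rec["msg"])
        + '","hostname":"' + esc(rec["hostname"])
        + '","severity":"' + rec["severity"]
        + '","pri":"' + rec["pri_text"]
        + '","facility":"' + rec["facility"]
        + '","programname":"' + esc(rec["programname"])
        + '","procid":"' + rec["procid"]
        + '","fromhost-ip":"' + rec["fromhost_ip"]
        + '","auth_token":"' + auth_token
        + '","pack":"rsyslog'
        + '"}\n'
    )


def is_valid_json(document):
    try:
        json.loads(document)
        return True
    except ValueError:
        return False


def forwarded_documents(lines, auth_token="AUTH_TOKEN"):
    """Documents the minimal configuration would send, parsed back into dicts."""
    return [json.loads(render_json_template(r, auth_token))
            for r in map(parse_line, lines) if is_forwarded(r)]


# Constructed sample lines (PRI = facility*8 + severity); the last one is a tag
# injected with logger -t 'sshd"x' to probe the template's escaping.
SAMPLE_LINES = [
    '<38>Mar  3 10:00:01 web1 sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 51514 ssh2',
    '<85>Mar  3 10:00:02 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/id',
    '<30>Mar  3 10:00:03 web1 cron[100]: (root) CMD (run-parts /etc/cron.hourly)',
    '<173>Mar  3 10:00:04 web1 suricata[900]: [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] {TCP} 203.0.113.9:80 -> 10.0.0.5:40212',
    '<38>Mar  3 10:00:05 web1 login[77]: pam_unix(login:session): session opened for user bob',
    '<37>Mar  3 10:00:06 web1 sshd"x: Failed password for invalid user "admin" from 203.0.113.9',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_line(line)
        print("%-5s %-18s %s" % (is_forwarded(rec), rec["pri_text"], rec["syslogtag"]))
    injected = parse_line(SAMPLE_LINES[5])
    print("escaped template valid:  ", is_valid_json(render_json_template(injected)))
    print("unescaped template valid:", is_valid_json(render_json_template(injected, escape_all=False)))
```

Running it prints one row per sample line showing whether the minimal filter forwards it (sshd, sudo and suricata yes; cron and login no), then shows that the injected tag only yields a parseable document when programname is escaped. Under the full configuration, which forwards every message, that injected line would otherwise break ingestion of the event a local user most wants to hide.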