Install the required packages on Debian/Ubuntu (the system CA bundle and the GnuTLS stream driver for rsyslog):
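# Debian/Ubuntu: ca-certificates provides the CA bundle used to verify the
# collector's TLS certificate; rsyslog-gnutls provides the "gtls" stream driver.
# Both installs are run non-interactively (the original omitted -y on the
# second one, which prompts when run from a script).
sudo apt-get update
sudo apt-get install -y ca-certificates rsyslog-gnutls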
Install the required packages on RedHat-based distributions (RHEL/CentOS and derivatives):
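# RedHat/CentOS: the package is "rsyslog-gnutls" (the original had a typo,
# "ryslog-gnutls") and the command is plain "yum install" — there is no
# "yum-get". Installed non-interactively in one step.
sudo yum install -y ca-certificates rsyslog-gnutls
# NOTE(review): on RedHat-based systems the CA bundle is usually
# /etc/pki/tls/certs/ca-bundle.crt; the Debian path
# /etc/ssl/certs/ca-certificates.crt used in the config below does not exist
# there, so set $DefaultNetstreamDriverCAFile accordingly or TLS verification
# of the collector will fail.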
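# Create the drop-in configuration. Files in /etc/rsyslog.d are normally
# world-readable, but this one will embed AUTH_TOKEN (a credential that lets
# anyone holding it submit logs to your tenant), so restrict it to root.
# rsyslog parses its configuration as root at startup, so 0640 root:root is
# sufficient on the default Debian/RedHat packaging.
sudo nano /etc/rsyslog.d/22-easysiem.conf
sudo chown root:root /etc/rsyslog.d/22-easysiem.conf
sudo chmod 640 /etc/rsyslog.d/22-easysiem.conf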
For rsyslog 8.x, paste the following into the file:
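# /etc/rsyslog.d/22-easysiem.conf — forward syslog to easySIEM as JSON over TLS (rsyslog 8.x)

# Spool directory for disk-assisted queues. Kept as a legacy directive because
# it is global, not action-specific (new-style equivalent: global(workDirectory="...")).
$WorkDirectory /var/spool/rsyslog

# CA bundle used to verify the collector's certificate. This is the Debian/
# Ubuntu path; on RedHat-based systems it is usually /etc/pki/tls/certs/ca-bundle.crt.
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt

# JSON document emitted for every message. Every property that can carry text
# chosen by the logging process (hostname, tag/programname, procid, ...) is
# emitted with format="json" so quotes, backslashes and control characters are
# escaped. The original escaped only "msg"; any local user can set an
# arbitrary syslog tag (e.g. logger -t), so an unescaped programname could
# break the document or inject extra fields into it.
template(name="json-template" type="list") {
  constant(value="{")
  constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
  constant(value="\",\"@version\":\"1")
  constant(value="\",\"message\":\"")     property(name="msg" format="json")
  constant(value="\",\"hostname\":\"")    property(name="hostname" format="json")
  constant(value="\",\"severity\":\"")    property(name="syslogseverity-text" format="json")
  constant(value="\",\"pri\":\"")         property(name="pri-text" format="json")
  constant(value="\",\"facility\":\"")    property(name="syslogfacility-text" format="json")
  constant(value="\",\"programname\":\"") property(name="programname" format="json")
  constant(value="\",\"procid\":\"")      property(name="procid" format="json")
  constant(value="\",\"fromhost-ip\":\"") property(name="fromhost-ip" format="json")
  constant(value="\",\"auth_token\":\"AUTH_TOKEN")
  constant(value="\",\"pack\":\"rsyslog")
  constant(value="\"}\n")
}

# ACTION BLOCK — send to easySIEM over TCP+TLS using the template above.
# Queue settings are attached directly to the action (the new-style form of
# the legacy $ActionQueue* / $ActionResumeRetryCount directives, and
# unambiguous about which action they apply to): a disk-assisted LinkedList
# queue with 1g of spool under $WorkDirectory, saved on shutdown, and
# infinite retries so messages are held rather than dropped while the
# collector is unreachable.
# StreamDriverMode="1" makes TLS mandatory (no plaintext fallback);
# x509/name validates the server chain against the CA bundle and checks the
# certificate name against PermittedPeers. The wildcard accepts any
# *.easysiem.com certificate chained to a CA in that bundle — narrow it to the
# exact collector host name if the collector's certificate permits.
action(type="omfwd" protocol="tcp" target="TARGET_URL" port="8888"
       template="json-template"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.easysiem.com"
       queue.type="LinkedList" queue.filename="fwdRule1"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")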
Replace TARGET_URL with <SUBDOMAIN>-collector.easysiem.com and AUTH_TOKEN with the Auth Token from the Configuration section of the dashboard. The token is a credential: it is embedded in every forwarded message, and anyone who can read this file or obtain the token can submit logs as your tenant, so keep the file readable by root only and do not commit it to version control.
You can add any number of extra constant values and properties to the template. By default the "pack" field value is syslog, and the "name" field is "facility" in the indexed documents.
To forward only authentication-related events (sshd, sudo, su, account/group changes) and Suricata messages instead of everything, replace the action block with the filtered version below:
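# Forward only authentication-related events and Suricata messages; all other
# messages skip this action. "auth" is matched with startswith, so the
# authpriv facility is included as well.
if (
    ($syslogfacility-text startswith "auth"
     and $programname == ["sshd", "sudo", "su", "systemd-logind",
                          "groupdel", "groupadd", "usermod", "useradd",
                          "userdel", "groupmod", "chage", "chfn"])
    or $syslogtag startswith "suricata"
) then {
    # Same TLS/queue settings as the unfiltered action. PermittedPeers is
    # "*.easysiem.com" — the original had a typo ("*.eaysiem.com"), which would
    # make the x509/name check reject the collector's certificate and the
    # connection would never come up.
    action(type="omfwd" protocol="tcp" target="TARGET_URL" port="8888"
           template="json-template"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.easysiem.com"
           queue.type="LinkedList" queue.filename="fwdRule1"
           queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
    # "stop" discards the matched message after forwarding, so no later rule
    # sees it. rsyslog.d files are included in lexical order; on Debian/Ubuntu
    # this file (22-) loads before the local file rules in 50-default.conf, so
    # sshd/sudo events would no longer be written to /var/log/auth.log. Remove
    # this line (or rename the file to sort after 50-) if a local copy is
    # wanted for investigation.
    stop
}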