RSyslog Setup on Ubuntu for FortiGate Log Data

dorian5
Nov 20, 2023


This is a rough draft to document the setup and configuration of RSyslog on an Ubuntu Linux system to capture syslog data from a FortiGate.

1. Install rsyslog

dorian@jumphost:~$ sudo apt-get install rsyslog
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
rsyslog is already the newest version (8.2112.0-2ubuntu2.2).
rsyslog set to manually installed.
The following packages were automatically installed and are no longer required:
libflashrom1 libftdi1-2 libllvm13
Use ‘sudo apt autoremove’ to remove them.
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

2. Edit /etc/rsyslog.conf

Uncomment the UDP reception block (udp/514):

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

Add the allowed sender range and a template that writes one log file per sending host:

$AllowedSender UDP, 10.10.10.1/24

$template remote-incoming-logs, "/var/log/%HOSTNAME%.log"
*.* ?remote-incoming-logs

3. Permit udp/514 through the Linux firewall.

dorian@jumphost:~$ sudo ufw allow 514/udp
Rules updated
Rules updated (v6)

4. rsyslog was erroring on restart with permission errors writing to files in /var/log, so I had to add permissions.

dorian@jumphost:~$ sudo chmod 775 /var/log

5. Add any hosts you are receiving logs from to /etc/hosts

6. Restart and check status of rsyslog.

dorian@jumphost:~$ sudo systemctl restart rsyslog
dorian@jumphost:~$ systemctl status rsyslog
● rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-11-20 10:32:36 EST; 6s ago
TriggeredBy: ● syslog.socket
       Docs: man:rsyslogd(8)
             man:rsyslog.conf(5)
             https://www.rsyslog.com/doc/
   Main PID: 181270 (rsyslogd)
      Tasks: 10 (limit: 4102)
     Memory: 1.3M
        CPU: 29ms
     CGroup: /system.slice/rsyslog.service
             └─181270 /usr/sbin/rsyslogd -n -iNONE

Nov 20 10:32:36 jumphost systemd[1]: Starting System Logging Service...
Nov 20 10:32:36 jumphost systemd[1]: Started System Logging Service.
Nov 20 10:32:36 jumphost rsyslogd[181270]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) f>
Nov 20 10:32:36 jumphost rsyslogd[181270]: rsyslogd's groupid changed to 111
Nov 20 10:32:36 jumphost rsyslogd[181270]: rsyslogd's userid changed to 104
Nov 20 10:32:36 jumphost rsyslogd[181270]: [origin software="rsyslogd" swVersion="8.2112.0" x-pid="181270" x-inf>

7. Configure the syslog clients to send logs to our syslog server

8. Check /var/log to see that new log files are updating
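A script that automates the checks behind steps 2 through 8, as an added example that is not part of the original post: it looks for the typographic quotes a web-rendered config picks up (rsyslog only accepts straight quotes), dry-runs the parser with rsyslogd -N1, confirms imudp is bound, and pushes one test message through udp/514 into the per-host file the template names. It assumes the post's template (/var/log/%HOSTNAME%.log), util-linux logger and iproute2 ss; CONF, SYSLOG_PORT and the rsyslog-check tag are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added verification script for the collector built above (not from the original post).
# Assumes the post's config: imudp on udp/514, template /var/log/%HOSTNAME%.log.
# CONF, SYSLOG_PORT and the "rsyslog-check" tag are constructed placeholders.
CONF="${CONF:-/etc/rsyslog.conf}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"

# Mirrors the post's template: one file per sending host.
logfile_for() { printf '/var/log/%s.log\n' "$1"; }

# Config pasted from a rendered web page often carries typographic quotes
# (U+201C/U+201D, U+2018/U+2019), which rsyslog rejects. 0 = clean, 1 = found.
config_quotes_ok() {
    pat=$(printf '\342\200\234\n\342\200\235\n\342\200\230\n\342\200\231')
    ! grep -qF -- "$pat" "$1"
}

# Parse-only run; -N1 is rsyslogd's config-check level, nothing is bound.
config_parses() { rsyslogd -N1 -f "$1" >/dev/null 2>&1; }

# Is imudp bound? ss prints e.g. "UNCONN 0 0 0.0.0.0:514 0.0.0.0:*".
listener_up() { ss -Hulnp 2>/dev/null | grep -q ":${SYSLOG_PORT} "; }

# Push one message through the UDP input and wait for it in this host's file.
# logger's RFC 3164 header carries the local hostname, which the template uses.
end_to_end() {
    marker="collector-check-$$-$(date +%s)"
    file=$(logfile_for "$(hostname)")
    logger -n 127.0.0.1 -P "$SYSLOG_PORT" -d --rfc3164 -t rsyslog-check "$marker"
    for _ in 1 2 3 4 5; do
        grep -qF -- "$marker" "$file" 2>/dev/null && return 0
        sleep 1
    done
    return 1
}

main() {
    config_quotes_ok "$CONF" || { echo "FAIL: typographic quotes in $CONF"; return 1; }
    config_parses "$CONF"    || { echo "FAIL: rsyslogd -N1 rejected $CONF"; return 1; }
    listener_up              || { echo "FAIL: nothing bound on udp/$SYSLOG_PORT"; return 1; }
    end_to_end               || { echo "FAIL: test message never reached $(logfile_for "$(hostname)")"; return 1; }
    echo "OK: collector receives and files syslog on udp/$SYSLOG_PORT"
}

# Run the checks only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as root or as a member of the adm group, since rsyslog creates the per-host files readable only by syslog:adm; a FAIL at the last step with the first three passing usually points at the firewall rule (step 3) or the directory permissions (step 4).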
