Syslog

Georgia Tech Cyber Security runs syslog servers that the general campus can use for log export. We accept plain syslog over UDP port 514 and syslog over TCP+TLS on port 6514. We prefer plain (non-TLS) syslog unless the log data is sensitive; keep in mind that plain UDP syslog is unencrypted and unauthenticated (anyone on the network path can read it, and forged messages cannot be told apart from real ones) and that UDP gives no delivery guarantee. If you can log to two destinations, log to both of the servers below for redundancy. If you can only log to one, choose the first (logs.is.gatech.edu).

If you do not know how to configure syslog, please refer to the “syslog Configuration File” section of the following article (https://www.digitalocean.com/community/tutorials/how-to-view-and-configure-linux-logs-on-ubuntu-and-centos) or send an email to ask@security.gatech.edu for help with configuration.

UDP syslog

For UDP syslog add the following lines to your rsyslog configuration (/etc/rsyslog.conf or a file under /etc/rsyslog.d/) and restart rsyslog. A single @ selects UDP; the *.* selector forwards every facility and severity:

*.* @logs.is.gatech.edu:514
*.* @logs-ha.is.gatech.edu:514

TCP+TLS syslog

  1. Generate a private key and a certificate signing request (CSR) for the syslog client, then submit the CSR to InCommon to obtain the client certificate. Use the host's fully qualified domain name as the Common Name. Because of -nodes the key is written unencrypted, so keep it readable only by the user rsyslog runs as (root by default):
    openssl req -new -newkey rsa:2048 -nodes -keyout <host>.key -out <host>.csr
    Install the issued certificate as /etc/pki/rsyslog/<host>.pem and the key as /etc/pki/rsyslog/<host>.key.
  2. Install the rsyslog GnuTLS network stream driver (gtls):
    yum -y install rsyslog-gnutls
  3. Add the following lines to your rsyslog configuration:

$DefaultNetstreamDriver gtls # use the GnuTLS netstream driver
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/writ.is.gatech.edu.ca.pem # CA that issued the servers' certificates
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/<host>.pem # this client's certificate
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/<host>.key # this client's private key
$ActionSendStreamDriverAuthMode x509/name # verify the server's certificate chain and its name
# x509/name checks the server name against the permitted peers, so list both servers
$ActionSendStreamDriverPermittedPeer logs.is.gatech.edu
$ActionSendStreamDriverPermittedPeer logs-ha.is.gatech.edu
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.* @@(o)logs.is.gatech.edu:6514 # @@ = TCP, (o) = octet-counted framing
*.* @@(o)logs-ha.is.gatech.edu:6514

Check the configuration with rsyslogd -N1 before restarting rsyslog. If the connection is refused, confirm that the client certificate's Common Name is the host's FQDN and that the CA file, certificate and key are readable by rsyslog.
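To check what the collectors will receive, and to see what the rsyslog directives above actually mean on the wire, the following Python client is an added example (it is not part of this page or of the rsyslog project). It builds an RFC 3164 message and ships it the same three ways the configuration does: plain UDP to port 514 (the single-@ lines), TCP with octet-counted framing (what the (o) option selects, and what RFC 5425 requires over TLS), and TCP+TLS to port 6514 trusting only the given CA file, presenting the client certificate and key, and checking the server's name as x509/name does. The sample log line, timestamp and certificate paths are constructed placeholders; the send_* functions need network access, while the build/frame/parse helpers run offline.

```python
"""Minimal syslog test sender (added example, not part of the rsyslog project).

Builds RFC 3164-style messages and ships them the same three ways the
rsyslog configuration on this page does: plain UDP/514, TCP with
octet-counted framing (rsyslog's @@(o)), and TCP+TLS/6514 with a client
certificate and server-name verification (gtls, x509/name).
"""
import socket
import ssl
from datetime import datetime

# Facility and severity codes from RFC 3164 / RFC 5424.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Constructed fixed timestamp for the sample message; not from the page.
SAMPLE_WHEN = datetime(2024, 10, 5, 14, 3, 7)


def priority(facility, severity):
    """PRI value as defined by RFC 3164: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def parse_pri(line):
    """Split the leading <PRI> of a message back into (facility, severity)
    names; handy for checking what a receiver actually got."""
    if not line.startswith(b"<") or b">" not in line:
        raise ValueError("message has no <PRI> header")
    pri = int(line[1:line.index(b">")].decode())
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    fac_code, sev_code = divmod(pri, 8)
    fac = next((k for k, v in FACILITIES.items() if v == fac_code), str(fac_code))
    sev = next(k for k, v in SEVERITIES.items() if v == sev_code)
    return fac, sev


def build_message(facility, severity, hostname, tag, text, when=None):
    """RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, no trailing LF.
    The day is space-padded as the RFC requires, so strftime('%d') is avoided."""
    when = when or datetime.now()
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    line = "<%d>%s %s %s: %s" % (priority(facility, severity), ts, hostname, tag, text)
    return line.encode()


def frame_octet_counted(msg):
    """RFC 6587 octet-counting (rsyslog's (o) option; mandatory under RFC 5425 TLS):
    'MSG-LEN SP MSG'. Unambiguous even if the message body contains newlines."""
    return ("%d " % len(msg)).encode() + msg


def frame_newline(msg):
    """Non-transparent framing (plain @@ without (o)): LF-terminated, so any LF
    inside the message would be taken as the end of the record."""
    return msg + b"\n"


def sample_message():
    """A constructed message with a fixed timestamp so results are reproducible."""
    return build_message("auth", "info", "web01", "sshd[1234]",
                         "Accepted publickey", when=SAMPLE_WHEN)


def send_udp(msg, host, port=514):
    """Plain UDP, as configured by '*.* @host:514': no framing, no delivery
    guarantee, no encryption and no authentication of either side."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))


def send_tcp(msg, host, port, octet_counted=True):
    """Plain TCP, as configured by '*.* @@(o)host:port' (or '@@' without (o))."""
    frame = frame_octet_counted(msg) if octet_counted else frame_newline(msg)
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame)


def send_tls(msg, host, port, cafile, certfile, keyfile):
    """TCP+TLS on 6514: trusts only the given CA (DefaultNetstreamDriverCAFile),
    presents the client certificate and key (CertFile/KeyFile) and checks the
    server's certificate name against the host we dialled (AuthMode x509/name)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True              # reject a valid cert for the wrong name
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_octet_counted(msg))
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    print(sample_message())
    print(parse_pri(sample_message()))
    # Placeholder paths mirroring the rsyslog configuration; uncomment to send.
    # send_udp(sample_message(), "logs.is.gatech.edu")
    # send_tls(sample_message(), "logs.is.gatech.edu", 6514,
    #          "/etc/pki/rsyslog/writ.is.gatech.edu.ca.pem",
    #          "/etc/pki/rsyslog/<host>.pem", "/etc/pki/rsyslog/<host>.key")
```

Run it once without sending to see the exact bytes rsyslog would emit, then uncomment send_udp or send_tls and watch the collector for the message; a TLS handshake failure in send_tls points at the same problem rsyslog would have (wrong CA file, a client certificate that does not chain to it, or a server name that does not match).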