Pulse/docs/operations/sensor-proxy-log-forwarding.md
2025-11-14 01:12:25 +00:00

73 lines
3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Sensor Proxy Log Forwarding
Forward `pulse-sensor-proxy` logs to a central syslog/SIEM endpoint so audit
records survive host loss and can drive alerting. Pulse ships a helper script
(`scripts/setup-log-forwarding.sh`) that configures rsyslog to ship both
`audit.log` and `proxy.log` over RELP + TLS.
## Requirements
- Debian/Ubuntu host with **rsyslog** and the `imfile` + `omrelp` modules (present
by default).
- Root privileges to install certificates and restart rsyslog.
- TLS assets for the RELP connection:
- `ca.crt` CA that issued the remote collector certificate.
- `client.crt` / `client.key` mTLS credentials for this host.
- Network access to the remote collector (`REMOTE_HOST`, default `logs.pulse.example`,
port `6514`).
## Installation Steps
1. Copy your CA and client certificates into a safe directory on the host (the
script defaults to `/etc/pulse/log-forwarding`).
2. Run the helper with environment overrides for your collector:
```bash
sudo REMOTE_HOST=logs.company.tld \
REMOTE_PORT=6514 \
CERT_DIR=/etc/pulse/log-forwarding \
CA_CERT=/etc/pulse/log-forwarding/ca.crt \
CLIENT_CERT=/etc/pulse/log-forwarding/pulse.crt \
CLIENT_KEY=/etc/pulse/log-forwarding/pulse.key \
/opt/pulse/scripts/setup-log-forwarding.sh
```
The script writes `/etc/rsyslog.d/pulse-sensor-proxy.conf`, ensures the
certificate directory exists (`0750`), and restarts rsyslog.
## What the Script Configures
- Two `imfile` inputs that watch `/var/log/pulse/sensor-proxy/audit.log` and
`/var/log/pulse/sensor-proxy/proxy.log` with `Tag`s `pulse.audit` and
`pulse.app`.
- A local mirror file at `/var/log/pulse/sensor-proxy/forwarding.log` so you can
inspect rsyslog activity.
- An RELP action with TLS, infinite retry (`action.resumeRetryCount=-1`), and a
50k message disk-backed queue to absorb collector outages.
## Verification Checklist
1. Confirm rsyslog picked up the new config:
```bash
sudo rsyslogd -N1
sudo systemctl status rsyslog --no-pager
```
2. Tail the local mirror to ensure entries stream through:
```bash
sudo tail -f /var/log/pulse/sensor-proxy/forwarding.log
```
3. On the collector side, filter for the `pulse.audit` tag and make sure new
entries arrive. For Splunk/ELK, index on `programname`.
4. Simulate a test event (e.g., restart `pulse-sensor-proxy` or deny a fake peer)
and verify it appears remotely.
## Maintenance
- **Certificate rotation**: Replace the key/cert files, then restart rsyslog.
Because the config points at static paths, no additional edits are required.
- **Disable forwarding**: Remove `/etc/rsyslog.d/pulse-sensor-proxy.conf` and run
`sudo systemctl restart rsyslog`. The local audit log remains untouched.
- **Queue monitoring**: Track rsyslogs main log or use `rsyslogd -N6` to check
for queue overflows. At scale, scrape `/var/log/pulse/sensor-proxy/forwarding.log`
for `action resumed` messages.
For rotation guidance on the underlying audit file, see
[operations/audit-log-rotation.md](audit-log-rotation.md).