73 lines
3 KiB
Markdown
73 lines
3 KiB
Markdown
# Sensor Proxy Log Forwarding
|
||
|
||
Forward `pulse-sensor-proxy` logs to a central syslog/SIEM endpoint so audit
|
||
records survive host loss and can drive alerting. Pulse ships a helper script
|
||
(`scripts/setup-log-forwarding.sh`) that configures rsyslog to ship both
|
||
`audit.log` and `proxy.log` over RELP + TLS.
|
||
|
||
## Requirements
|
||
|
||
- Debian/Ubuntu host with **rsyslog** and the `imfile` + `omrelp` modules (present
|
||
by default).
|
||
- Root privileges to install certificates and restart rsyslog.
|
||
- TLS assets for the RELP connection:
|
||
- `ca.crt` – CA that issued the remote collector certificate.
|
||
- `client.crt` / `client.key` – mTLS credentials for this host.
|
||
- Network access to the remote collector (`REMOTE_HOST`, default `logs.pulse.example`,
|
||
port `6514`).
|
||
|
||
## Installation Steps
|
||
|
||
1. Copy your CA and client certificates into a safe directory on the host (the
|
||
script defaults to `/etc/pulse/log-forwarding`).
|
||
2. Run the helper with environment overrides for your collector:
|
||
```bash
|
||
sudo REMOTE_HOST=logs.company.tld \
|
||
REMOTE_PORT=6514 \
|
||
CERT_DIR=/etc/pulse/log-forwarding \
|
||
CA_CERT=/etc/pulse/log-forwarding/ca.crt \
|
||
CLIENT_CERT=/etc/pulse/log-forwarding/pulse.crt \
|
||
CLIENT_KEY=/etc/pulse/log-forwarding/pulse.key \
|
||
/opt/pulse/scripts/setup-log-forwarding.sh
|
||
```
|
||
The script writes `/etc/rsyslog.d/pulse-sensor-proxy.conf`, ensures the
|
||
certificate directory exists (`0750`), and restarts rsyslog.
|
||
|
||
## What the Script Configures
|
||
|
||
- Two `imfile` inputs that watch `/var/log/pulse/sensor-proxy/audit.log` and
|
||
`/var/log/pulse/sensor-proxy/proxy.log` with `Tag`s `pulse.audit` and
|
||
`pulse.app`.
|
||
- A local mirror file at `/var/log/pulse/sensor-proxy/forwarding.log` so you can
|
||
inspect rsyslog activity.
|
||
- An RELP action with TLS, infinite retry (`action.resumeRetryCount=-1`), and a
|
||
50k message disk-backed queue to absorb collector outages.
|
||
|
||
## Verification Checklist
|
||
|
||
1. Confirm rsyslog picked up the new config:
|
||
```bash
|
||
sudo rsyslogd -N1
|
||
sudo systemctl status rsyslog --no-pager
|
||
```
|
||
2. Tail the local mirror to ensure entries stream through:
|
||
```bash
|
||
sudo tail -f /var/log/pulse/sensor-proxy/forwarding.log
|
||
```
|
||
3. On the collector side, filter for the `pulse.audit` tag and make sure new
|
||
entries arrive. For Splunk/ELK, index on `programname`.
|
||
4. Simulate a test event (e.g., restart `pulse-sensor-proxy` or deny a fake peer)
|
||
and verify it appears remotely.
|
||
|
||
## Maintenance
|
||
|
||
- **Certificate rotation**: Replace the key/cert files, then restart rsyslog.
|
||
Because the config points at static paths, no additional edits are required.
|
||
- **Disable forwarding**: Remove `/etc/rsyslog.d/pulse-sensor-proxy.conf` and run
|
||
`sudo systemctl restart rsyslog`. The local audit log remains untouched.
|
||
- **Queue monitoring**: Track rsyslog’s main log or use `rsyslogd -N6` to check
|
||
for queue overflows. At scale, scrape `/var/log/pulse/sensor-proxy/forwarding.log`
|
||
for `action resumed` messages.
|
||
|
||
For rotation guidance on the underlying audit file, see
|
||
[operations/audit-log-rotation.md](audit-log-rotation.md).
|