Overview

ACCESS Operations operates a central syslog server to aggregate logs from ACCESS production online services. ACCESS Operators can be given access to this syslog server to view their centralized logs. ACCESS Operations is also working with OmniSOC to forward centralized logs to their threat analysis and detection services.

Requesting Access

Operators of ACCESS production online services wishing to send logs to the central syslog server should inform ACCESS Operations by opening an Integration and Operations Request at https://operations.access-ci.org/help and selecting the Issue Type "Operations: Tools - ...".

In the request please specify:

  • The IP address of the service that will be sending log entries so that security firewalls can be opened
  • The ACCESS usernames of individuals that will need access to the central syslog server to view logs

Once you are notified that your access has been enabled, please follow the instructions below to send your logs to the central server and to log in to the central syslog server.

We also require that you register your service in the service index (instructions are at https://operations.access-ci.org/online_services/service_index ) using either a public hostname or a meaningful non-public DNS name.

Usage Instructions

Sending logs to syslog

In order to send syslogs to the syslog server, you'll need to install rsyslog and decide whether to send logs using standard UDP or RELP:

To use standard syslog format over UDP (not recommended), configure rsyslog as follows (in rsyslog's legacy syntax a single @ selects UDP; @@ would select plain TCP):

*.* @syslog.operations.access-ci.org:10514;RSYSLOG_ForwardFormat

To use the more reliable RELP (Reliable Event Logging Protocol) then you can configure rsyslog as follows:

*.*  action(type="omfwd" target="syslog.operations.access-ci.org" port="10514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000" template="RSYSLOG_ForwardFormat" )

This tells rsyslog to forward all logs to syslog.operations.access-ci.org on port 10514 over TCP. The action retries 100 times before discarding messages, and the linked-list queue holds pending messages in memory rather than on disk.

Please make sure that you add

$PreserveFQDN on

near the top of your syslog config so that your FQDN gets sent to the syslog server.
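As an added example, not part of the ACCESS Operations page, the following POSIX shell check can be run before restarting rsyslog on a sending host. It confirms that a forwarding rule for syslog.operations.access-ci.org on port 10514 exists (legacy @/@@ form or omfwd action), and that "$PreserveFQDN on" appears before that rule, as the instructions above require. The file path and the constructed sample config in demo_check are assumptions.

```shell
#!/bin/sh
# Preflight check for an rsyslog forwarding config (added example).
# Usage: check_forward_config /etc/rsyslog.conf   -> exit 0 if OK, 1 otherwise

SYSLOG_TARGET="syslog.operations.access-ci.org"
SYSLOG_PORT="10514"

# Line number of the first forwarding rule aimed at the central server, or empty.
first_forward_line() {
    grep -n -E "(@@?${SYSLOG_TARGET}|target=\"${SYSLOG_TARGET}\")" "$1" | head -n 1 | cut -d: -f1
}

# Line number of "$PreserveFQDN on" (leading whitespace and any case allowed), or empty.
preserve_fqdn_line() {
    grep -n -i -E '^[[:space:]]*\$PreserveFQDN[[:space:]]+on' "$1" | head -n 1 | cut -d: -f1
}

check_forward_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    fwd=$(first_forward_line "$cfg")
    if [ -z "$fwd" ]; then
        echo "no forwarding rule for ${SYSLOG_TARGET} found in $cfg" >&2; return 1
    fi
    # The rule that was found must use the central server's port.
    if ! sed -n "${fwd}p" "$cfg" | grep -q -E "(:${SYSLOG_PORT}|port=\"${SYSLOG_PORT}\")"; then
        echo "forwarding rule on line $fwd does not use port ${SYSLOG_PORT}" >&2; return 1
    fi
    pf=$(preserve_fqdn_line "$cfg")
    if [ -z "$pf" ]; then
        echo "\$PreserveFQDN on is missing, so the FQDN will not be sent" >&2; return 1
    fi
    if [ "$pf" -gt "$fwd" ]; then
        echo "\$PreserveFQDN on (line $pf) must come before the forwarding rule (line $fwd)" >&2; return 1
    fi
    echo "OK: forwarding to ${SYSLOG_TARGET}:${SYSLOG_PORT} with FQDN preserved"
}

# Constructed sample config (hypothetical), checked in a temporary file.
demo_check() {
    tmp=$(mktemp)
    printf '%s\n' '$PreserveFQDN on' \
        '*.*  action(type="omfwd" target="syslog.operations.access-ci.org" port="10514" protocol="tcp")' > "$tmp"
    check_forward_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```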

Logging in to the central syslog server

To log in to the ACCESS Operations syslog server, first log in to one of the bastion servers using your ACCESS username, password, and MFA.

From the bastion host, log in to syslog.operations.access-ci.org.

Once you have logged into the syslog server, you should have access to logs inside the /logs/ directory. This directory contains automatically generated folders named after the sending host's DNS name, if resolvable. Otherwise the folder is named after the IP address of the host that is sending logs.