Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

Configuring Rsyslog on Red Hat Linux

Overview

Red Hat Enterprise Linux is a commercial open-source Linux distribution developed by Red Hat for the commercial market; Fedora Linux serves as its upstream source. EventTracker integrates with Red Hat Linux via Syslog. It monitors events to provide insight into security and compliance events such as login, logout, failed login, commands executed, and privilege escalation.

Prerequisites

  1. Seceon CCE should be installed.

  2. Allow Syslog UDP port 514 through the firewall/network.

Configuration Steps

The following steps describe how to configure rsyslog on Red Hat Enterprise Linux 6 or 7 to receive logs from Deep Security.

  1. Log in as root.

  2. Execute: vi /etc/rsyslog.conf

  3. Uncomment the following lines near the top of rsyslog.conf, changing them from:
    #$ModLoad imudp
    #$UDPServerRun 514
    #$ModLoad imtcp
    #$InputTCPServerRun 514
    to
    $ModLoad imudp
    $UDPServerRun 514
    $ModLoad imtcp
    $InputTCPServerRun 514

  4. Once done, add the following line (replace CCE_IP with the address of the CCE):

     *.* @CCE_IP:514

     (Note: press i to enter insert mode and type the changes; to save, press Esc, type :wq! and press Enter.)


  5. Add the following two lines to the end of rsyslog.conf:

     #Save Deep Security Manager logs to cce.log
     Local7.* /var/log/Seceon/cce.log

     Depending on your manager settings, you may need to replace Local7 with another value.

  6. Save the file and exit.

  7. Create the /var/log/Seceon/cce.log file by typing: touch /var/log/Seceon/cce.log

  8. Set the permissions on the CCE log so that Syslog can write to it.

  9. Save the file and exit.

  10. Restart syslog: service rsyslog restart
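The configuration steps above as one script, added here as an example and not part of the Seceon article. It takes the rsyslog.conf path and the CCE address as parameters (and, as an added assumption, an optional log directory) so it can be exercised on a copy of the file before the live config is changed and rsyslog restarted; the verify function checks that the listener and forwarding directives are present and uncommented.

```shell
#!/bin/sh
# Added example, not part of the Seceon article. Applies the article's rsyslog changes to the
# config file given as $1, forwarding to the CCE address given as $2. Taking the path as a
# parameter lets you run it against a copy before touching /etc/rsyslog.conf. The third
# argument (log directory) defaults to the article's /var/log/Seceon; overriding it is an
# assumption added for testing.
configure_rsyslog_forwarding() {
    conf="$1"; cce_ip="$2"; logdir="${3:-/var/log/Seceon}"

    # Step 3: uncomment the UDP and TCP listener directives (legacy rsyslog syntax).
    sed -i -e 's/^#\$ModLoad imudp/$ModLoad imudp/' \
           -e 's/^#\$UDPServerRun 514/$UDPServerRun 514/' \
           -e 's/^#\$ModLoad imtcp/$ModLoad imtcp/' \
           -e 's/^#\$InputTCPServerRun 514/$InputTCPServerRun 514/' "$conf"

    # Step 4: forward all messages to the CCE over UDP/514 (a single @ means UDP).
    # Check with grep -F first so that re-running the script never appends duplicates.
    fwd="*.* @${cce_ip}:514"
    grep -qF -- "$fwd" "$conf" || printf '%s\n' "$fwd" >> "$conf"

    # Step 5: also keep local7 messages in cce.log (rsyslog matches facility names
    # case-insensitively, so the article's Local7 is equivalent).
    local_rule="local7.* ${logdir}/cce.log"
    grep -qF -- "$local_rule" "$conf" || \
        printf '#Save Deep Security Manager logs to cce.log\n%s\n' "$local_rule" >> "$conf"

    # Steps 7 and 8: create the log file, readable only by its owner and group.
    # On RHEL rsyslog runs as root, so root ownership is sufficient for it to write.
    mkdir -p "$logdir" && touch "$logdir/cce.log" && chmod 640 "$logdir/cce.log"
    # Step 10, when applied to the live config: service rsyslog restart
}

# Returns 0 only when every required directive is present and not commented out.
verify_rsyslog_forwarding() {
    conf="$1"; cce_ip="$2"
    for directive in '$ModLoad imudp' '$UDPServerRun 514' '$ModLoad imtcp' \
                     '$InputTCPServerRun 514' "*.* @${cce_ip}:514"; do
        if ! grep -F -- "$directive" "$conf" | grep -qv '^[[:space:]]*#'; then
            echo "missing or commented out: $directive" >&2
            return 1
        fi
    done
    return 0
}
```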

Verification Steps

When Syslog is functioning, you will see logs populated in /var/log/Seceon/cce.log.

Using UI

STEP 1: Log in to the UI >> SYSTEM

STEP 2: >> LOGS AND FLOWS COLLECTION STATUS

STEP 3: The device's IP address is listed under SOURCE DEVICE IP.

Using CCE SERVER

Run the following command on the CCE server to check whether or not logs are arriving from the device (use port 514 for logs and port 9995 for flows):

    sudo tcpdump -AAA -i any port 514 and host <IP address>

Seceon Inc. All rights reserved. https://www.seceon.com