rsyslog

Adiscon / rsyslog Project

High-performance Unix syslog daemon — the default on most modern Linux distributions.

Logging & SIEM Free & Open Source Agent / Service Learning Linux

Cyber Kill Chain & Defender Lifecycle

Attacker — Kill Chain
1 Reconnaissance
2 Weaponization
3 Delivery
4 Exploitation
5 Installation
6 Command & Control
7 Actions on Objectives
Defender — IR Lifecycle
8 Detection / Monitoring
9 Containment & Eradication
10 Post-incident Forensics

Description

rsyslog is the default syslog implementation shipped on most modern Linux distributions (RHEL/CentOS/Debian/Ubuntu). It is the drop-in successor to the original sysklogd and is known for its performance and modular architecture (im* input, om* output, mm* message-modification, pm* parser modules).

Capabilities a CySA+ analyst should be aware of:

  • Reliable transport (TCP, TLS, RELP).
  • Direct output modules for Elasticsearch, Kafka, MySQL, file, journal, and remote syslog.
  • Property-based filters and RainerScript for advanced routing.
  • Disk-assisted queues to survive SIEM outages without losing events.

Use cases

  • Default log forwarder on RHEL/Debian to a SIEM
  • Direct shipping to Elasticsearch via omelasticsearch
  • High-volume aggregation in front of an indexer

Example

# /etc/rsyslog.d/50-forward.conf
# Forward every facility and severity (*.*) to the SIEM over TCP on port 6514.
# StreamDriver="gtls" selects the GnuTLS driver; StreamDriverMode="1" means TLS only
# (mode 0 would send plaintext). The CA file used to validate the SIEM's certificate
# must be set separately via global(DefaultNetstreamDriverCAFile=...).
*.* action(type="omfwd" target="siem.internal" port="6514"
           protocol="tcp" StreamDriver="gtls" StreamDriverMode="1")
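A fuller version of this forwarding rule, added here as an illustration rather than taken from the rsyslog project, that combines the TLS transport above with peer verification and the disk-assisted queue mentioned in the capability list, so events are held locally during a SIEM outage instead of being dropped. The certificate paths, spool directory, queue size and peer name are assumed placeholders.

```rsyslog
# /etc/rsyslog.d/50-forward.conf  (illustrative; paths and names are placeholders)

# TLS driver settings are global. The CA file lets this host verify the SIEM's
# certificate; the client cert/key let the SIEM authenticate this host in turn.
# workDirectory is where disk-assisted queues spool their files.
global(
    workDirectory="/var/spool/rsyslog"
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

# Weak form (commented out): TLS is enabled, but StreamDriverAuthMode is left at
# its default "anon", so the session is encrypted yet any host answering on
# port 6514 is accepted, and with no queue settings a long outage loses events.
# *.* action(type="omfwd" target="siem.internal" port="6514"
#            protocol="tcp" StreamDriver="gtls" StreamDriverMode="1")

# Hardened form: require the peer certificate to carry the expected name,
# buffer to disk while the SIEM is unreachable, and never give up retrying.
# queue.type="LinkedList" with queue.filename set makes the queue disk-assisted:
# it stays in memory under normal load and spills to disk only under backlog.
*.* action(type="omfwd" target="siem.internal" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="siem.internal"
           queue.type="LinkedList"
           queue.filename="fwd_siem"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1"
           action.resumeInterval="30")
```

Check the file with `rsyslogd -N1` before restarting the service; a typo in a parameter name is reported there rather than silently ignored at runtime.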