marco370 fcd4bbf2b2 Add comprehensive deployment and configuration guides for the IDS system
This commit introduces detailed documentation for deploying the Intrusion Detection System (IDS) on AlmaLinux 9, including setup scripts, MikroTik router configuration, and update procedures via git. It also includes the syslog parser script for processing router logs and saving them to PostgreSQL.



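#!/usr/bin/env bash
# Syslog collector setup for the IDS on AlmaLinux 9.
#
# Configures rsyslog to receive MikroTik router logs on UDP/514 and append
# them to /var/log/mikrotik/raw.log in the "timestamp hostname tag: message"
# line format the Python syslog parser consumes. Writing to PostgreSQL is done
# by that separate parser, not by this script.
#
# Usage:
#   chmod +x setup_syslog_server.sh && sudo ./setup_syslog_server.sh
# Environment:
#   MIKROTIK_SOURCES  space-separated IPv4 CIDRs allowed through firewalld
#                     (default: the RFC1918 ranges the rsyslog filter accepts,
#                     "192.168.0.0/16 10.0.0.0/8"). Narrow this to the real
#                     router subnets where possible.
#
# Security notes:
#   - Plain syslog over UDP has no authentication and the source address is
#     trivially spoofed, so the rsyslog prefix filter below is a convenience,
#     not a trust boundary. Keep the router -> collector path on a management
#     network and restrict firewalld to the actual router subnets.
#   - Log lines are attacker-influenced data (e.g. a hostile client name in an
#     "account" message). rsyslog escapes control characters on receipt by
#     default (EscapeControlCharactersOnReceive); the downstream parser must
#     still treat every field as untrusted input.
#   - raw.log is created root:adm 0640 and the directory 0750: firewall and
#     account logs contain usernames and addresses and should not be
#     world-readable. Add the parser's service account to the adm group.
set -euo pipefail

# Terminal colours for progress output.
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Source networks admitted by firewalld; see the header for the rsyslog side.
MIKROTIK_SOURCES="${MIKROTIK_SOURCES:-192.168.0.0/16 10.0.0.0/8}"

# say prints a line, interpreting the colour escape sequences (%b).
say() { printf '%b\n' "$*"; }
# die prints an error in red to stderr and aborts the script.
die() { printf '%b%s%b\n' "$RED" "$*" "$NC" >&2; exit 1; }

# Everything below writes system config; fail early instead of half-way.
[[ $EUID -eq 0 ]] || die "Questo script deve essere eseguito come root (sudo)."

say "${BLUE}📡 CONFIGURAZIONE SERVER SYSLOG PER ROUTER MIKROTIK${NC}"
echo "===================================================="

# 1. Install rsyslog. rsyslog-pgsql is kept from the original setup for the
#    ompgsql module; this configuration does not use it.
say "\n${BLUE}📦 Installazione rsyslog...${NC}"
dnf install -y rsyslog rsyslog-pgsql

# 2. rsyslog listener. The UDP input is bound to its own ruleset so router
#    traffic does not also flow through the default ruleset (and into
#    /var/log/messages / the journal), and anything from a non-RFC1918 source
#    is dropped with "stop". The legacy "$ActionFileEnableSync on" of the
#    previous version is intentionally gone: an fsync per message turns a
#    chatty firewall feed into disk thrash and UDP drops.
say "\n${BLUE}🔧 Configurazione rsyslog...${NC}"
cat > /etc/rsyslog.d/10-mikrotik.conf << 'EOF'
# rsyslog: reception of MikroTik router logs (managed by setup_syslog_server.sh)
module(load="imudp")

# Line format consumed by the Python syslog parser:
#   timestamp hostname tag: message
template(name="MikrotikFormat" type="string"
         string="%timestamp% %hostname% %syslogtag%%msg:::drop-last-lf%\n"
)

# Dedicated ruleset for the router listener: accept RFC1918 sources only.
# UDP source addresses are spoofable; the firewalld rules installed by the
# setup script are the real restriction.
ruleset(name="mikrotik") {
    if $fromhost-ip startswith '192.168.' or $fromhost-ip startswith '10.' then {
        action(type="omfile" file="/var/log/mikrotik/raw.log"
               template="MikrotikFormat"
               fileOwner="root" fileGroup="adm" fileCreateMode="0640")
    }
    stop
}

input(type="imudp" port="514" ruleset="mikrotik")
EOF

# 3. Log directory. AlmaLinux has no "syslog" user (that is Debian's
#    convention; rsyslog runs as root on RHEL-family systems), so the old
#    "chown syslog:adm" silently failed. Owner root, group adm, not
#    world-readable.
say "\n${BLUE}📁 Creazione directory log...${NC}"
install -d -m 0750 -o root -g adm /var/log/mikrotik

# 4. logrotate. rsyslog keeps raw.log open, so rotation recreates the file
#    with the same owner/mode and signals rsyslog via systemd; rsyslog on
#    AlmaLinux 9 does not write /var/run/syslogd.pid, which the previous
#    "kill -HUP $(cat ...)" relied on.
say "\n${BLUE}🔄 Configurazione logrotate...${NC}"
cat > /etc/logrotate.d/mikrotik << 'EOF'
/var/log/mikrotik/*.log {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
    endscript
}
EOF

# 5. Firewall: open UDP/514 only to the configured source networks instead of
#    to every host that can reach the default zone.
say "\n${BLUE}🔥 Configurazione firewall...${NC}"
if systemctl is-active --quiet firewalld; then
    read -r -a sources <<< "$MIKROTIK_SOURCES"
    for src in "${sources[@]}"; do
        # Cheap sanity check so a typo produces a clear message rather than a
        # firewalld parse error.
        [[ $src =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] \
            || die "MIKROTIK_SOURCES: valore non valido '${src}' (atteso IPv4 o CIDR)"
        firewall-cmd --permanent \
            --add-rich-rule="rule family=ipv4 source address=${src} port port=514 protocol=udp accept" \
            >/dev/null
    done
    firewall-cmd --reload >/dev/null
else
    say "${YELLOW}⚠️  firewalld non attivo: aprire manualmente UDP/514 solo verso ${MIKROTIK_SOURCES}${NC}"
fi

# 6. Validate the configuration before restarting, so a typo in the generated
#    file does not leave the host without a working syslog daemon.
say "\n${BLUE}🔄 Restart rsyslog...${NC}"
rsyslogd -N1 >/dev/null \
    || die "Configurazione rsyslog non valida: controllare /etc/rsyslog.d/10-mikrotik.conf"
systemctl enable rsyslog
systemctl restart rsyslog

say "\n${GREEN}✅ SERVER SYSLOG CONFIGURATO!${NC}"
echo ""
say "${YELLOW}📋 CONFIGURAZIONE ROUTER MIKROTIK:${NC}"
echo ""
say "${BLUE}Connettiti al router MikroTik e esegui:${NC}"
echo ""
say " /system logging action"
say " add name=ids-server target=remote remote=<IP_QUESTO_SERVER> remote-port=514"
echo ""
say " /system logging"
say " add action=ids-server topics=firewall,info"
say " add action=ids-server topics=account,info"
say " add action=ids-server topics=system,error"
echo ""
say "${YELLOW}Sostituisci <IP_QUESTO_SERVER> con l'IP di questo server AlmaLinux${NC}"
echo ""
say "${BLUE}📊 VERIFICA:${NC}"
say " • Test ricezione log: ${BLUE}tail -f /var/log/mikrotik/raw.log${NC}"
say " • Stato rsyslog: ${BLUE}systemctl status rsyslog${NC}"
# net-tools (netstat) is not installed by default on AlmaLinux 9; ss is.
say " • Porta aperta: ${BLUE}ss -ulnp | grep ':514 '${NC}"
say " • Accesso del parser a raw.log: ${BLUE}usermod -aG adm <utente_parser>${NC}"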