Pulse/docs/operations/sensor-proxy-log-forwarding.md
2025-11-14 01:12:25 +00:00


Sensor Proxy Log Forwarding

Forward pulse-sensor-proxy logs to a central syslog/SIEM endpoint so audit records survive host loss and can drive alerting. Pulse ships a helper script (scripts/setup-log-forwarding.sh) that configures rsyslog to ship both audit.log and proxy.log over RELP + TLS.

Requirements

  • Debian/Ubuntu host with rsyslog and the imfile + omrelp modules (present by default).
  • Root privileges to install certificates and restart rsyslog.
  • TLS assets for the RELP connection:
    • ca.crt CA that issued the remote collector certificate.
    • client.crt / client.key mTLS credentials for this host.
  • Network access to the remote collector (REMOTE_HOST, default logs.pulse.example, port 6514).

Installation Steps

  1. Copy your CA and client certificates into a safe directory on the host (the script defaults to /etc/pulse/log-forwarding).
  2. Run the helper with environment overrides for your collector:
    sudo REMOTE_HOST=logs.company.tld \
         REMOTE_PORT=6514 \
         CERT_DIR=/etc/pulse/log-forwarding \
         CA_CERT=/etc/pulse/log-forwarding/ca.crt \
         CLIENT_CERT=/etc/pulse/log-forwarding/pulse.crt \
         CLIENT_KEY=/etc/pulse/log-forwarding/pulse.key \
         /opt/pulse/scripts/setup-log-forwarding.sh
    
    The script writes /etc/rsyslog.d/pulse-sensor-proxy.conf, ensures the certificate directory exists (0750), and restarts rsyslog.

What the Script Configures

  • Two imfile inputs that watch /var/log/pulse/sensor-proxy/audit.log (tag pulse.audit) and /var/log/pulse/sensor-proxy/proxy.log (tag pulse.app).
  • A local mirror file at /var/log/pulse/sensor-proxy/forwarding.log so you can inspect rsyslog activity.
  • A RELP action with TLS, infinite retry (action.resumeRetryCount=-1), and a 50,000-message disk-backed queue to absorb collector outages.
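For orientation, the configuration the script generates is roughly of the following shape. This is an added illustration, not the script's actual output; the ruleset name, queue file name, default work directory and the certificate file names are assumptions, and the collector hostname is the documented default.

```rsyslog
# Illustrative /etc/rsyslog.d/pulse-sensor-proxy.conf (assumed layout, not the script's exact output)
module(load="imfile")
module(load="omrelp")

# Two file inputs, each tagged so the collector can filter on programname
input(type="imfile"
      File="/var/log/pulse/sensor-proxy/audit.log"
      Tag="pulse.audit"
      ruleset="pulseForward")
input(type="imfile"
      File="/var/log/pulse/sensor-proxy/proxy.log"
      Tag="pulse.app"
      ruleset="pulseForward")

ruleset(name="pulseForward") {
    # Local mirror for inspecting what rsyslog actually forwarded
    action(type="omfile" file="/var/log/pulse/sensor-proxy/forwarding.log")

    # RELP over mutual TLS; peer name pinned to the collector certificate
    action(type="omrelp"
           target="logs.pulse.example"
           port="6514"
           tls="on"
           tls.caCert="/etc/pulse/log-forwarding/ca.crt"
           tls.myCert="/etc/pulse/log-forwarding/client.crt"
           tls.myPrivKey="/etc/pulse/log-forwarding/client.key"
           tls.authMode="name"
           tls.permittedPeer=["logs.pulse.example"]
           # Never give up on the collector; buffer to disk while it is down
           action.resumeRetryCount="-1"
           queue.type="LinkedList"
           queue.filename="pulse_relp_q"   # assumed name; lives in the global workDirectory
           queue.size="50000"
           queue.saveOnShutdown="on")
}
```

The disk-assisted queue needs a writable global workDirectory (Debian's stock rsyslog.conf sets /var/spool/rsyslog); sudo rsyslogd -N1 will flag an unusable spool path before you restart the service.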

Verification Checklist

  1. Confirm rsyslog picked up the new config:
    sudo rsyslogd -N1
    sudo systemctl status rsyslog --no-pager
    
  2. Tail the local mirror to ensure entries stream through:
    sudo tail -f /var/log/pulse/sensor-proxy/forwarding.log
    
  3. On the collector side, filter for the pulse.audit tag and make sure new entries arrive. For Splunk/ELK, index on programname.
  4. Simulate a test event (e.g., restart pulse-sensor-proxy or deny a fake peer) and verify it appears remotely.

Maintenance

  • Certificate rotation: Replace the key/cert files, then restart rsyslog. Because the config points at static paths, no additional edits are required.
  • Disable forwarding: Remove /etc/rsyslog.d/pulse-sensor-proxy.conf and run sudo systemctl restart rsyslog. The local audit log remains untouched.
  • Queue monitoring: Track rsyslog's main log or use rsyslogd -N6 to check for queue overflows. At scale, scrape /var/log/pulse/sensor-proxy/forwarding.log for "action resumed" messages.

For rotation guidance on the underlying audit file, see operations/audit-log-rotation.md.