Forward Logs to SIEM via Fluentd

Overview

Complete the following steps during a scheduled downtime window or support call, in case the service restart causes any issues.

Refer to Forward Logs to Syslog Servers and SIEM Solutions for the required configuration (stanza) details.

IMPORTANT: Before starting, confirm the host (FQDN or IP), port number, and protocol for your SIEM. Once these three values are confirmed, the update typically takes around 30 minutes in a scheduled window to complete.

Instructions

  1. SSH into the server running Privilege Secure Discovery using an account with sudo access.

  2. Back up the current configuration file:

sudo cp -v /secureone/conf/fluentd/fluent.conf /secureone/conf/fluentd/fluent.conf-$(date '+%Y-%m-%dT%H_%M_%S')

  3. Check the current IP/hostname, port, and protocol:

sudo grep -C4 host /secureone/conf/fluentd/fluent.conf

NOTE: If the above command returns no results, review the full file to confirm the required entries exist:

sudo cat /secureone/conf/fluentd/fluent.conf

  4. Update the IP/hostname, port(s), and protocol using a text editor (vi, vim, or nano). Example:

sudo vim /secureone/conf/fluentd/fluent.conf

  5. Recheck that the file was updated and saved correctly by repeating step 3.

  6. Restart the fluentd service:

s1 restart fluentd

  7. Confirm logs are flowing correctly:

sudo docker service logs --tail 50 --follow s1_fluentd

  8. Validate that the configuration loaded successfully:

sudo docker exec -it $(sudo docker ps | grep fluentd | cut -d' ' -f1) fluentd -c /fluentd/etc/fluent.conf --dry-run
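The steps above edit the host, port and protocol by hand. The script below is an added example, not part of this page or of the Privilege Secure product: it validates the three SIEM values before anything is changed, reads the current values out of a fluent.conf, and writes a patched copy so the original file (and the backup from step 2) stay untouched. It assumes the forwarding stanza is a `<match>` block using the keys `host`, `port` and `protocol` (an assumption; confirm the key names against the stanza reference linked above), and it runs against a constructed sample configuration written to a temporary file rather than /secureone/conf/fluentd/fluent.conf.

```shell
#!/bin/sh
# Added example (not product code): check SIEM target values and patch a copy
# of fluent.conf. Assumes the output stanza is a <match> block with the keys
# host, port and protocol; confirm this against your stanza reference.

# Port must be an integer in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Protocol values accepted here: tcp or udp (assumed plugin vocabulary).
valid_proto() {
  case "$1" in
    tcp|udp) return 0 ;;
    *) return 1 ;;
  esac
}

# Host: non-empty and no whitespace (FQDN or IP); not a full syntax check.
valid_host() {
  case "$1" in
    ''|*[[:space:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the value of key $2 from the first <match> stanza in file $1.
# Keys outside <match> (for example the listener port in <source>) are ignored.
conf_get() {
  awk -v k="$2" '
    /^[ \t]*<match/   { inm = 1 }
    /^[ \t]*<\/match>/ { inm = 0 }
    inm && $1 == k    { print $2; exit }
  ' "$1"
}

# Rewrite host/port/protocol inside <match> stanzas of $1 into $2.
# Arguments: source-conf dest-conf host port protocol. Fails (exit 1)
# without writing anything if any value is invalid.
conf_set_target() {
  valid_host "$3" && valid_port "$4" && valid_proto "$5" || return 1
  awk -v h="$3" -v p="$4" -v pr="$5" '
    /^[ \t]*<match/    { inm = 1 }
    /^[ \t]*<\/match>/ { inm = 0 }
    { match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH) }   # keep indentation
    inm && $1 == "host"     { $0 = ind "host " h }
    inm && $1 == "port"     { $0 = ind "port " p }
    inm && $1 == "protocol" { $0 = ind "protocol " pr }
    { print }
  ' "$1" > "$2"
}

# Constructed sample configuration (not a real deployment file). The <source>
# block carries its own "port" key to show that it is left alone.
CONSTRUCTED_CONF='<source>
  @type forward
  port 24224
</source>

<match **>
  @type remote_syslog
  host 10.0.0.5
  port 514
  protocol udp
  severity info
</match>'

# Stand-alone demo: before/after values on the constructed file.
demo_src=$(mktemp) && demo_dst=$(mktemp)
printf '%s\n' "$CONSTRUCTED_CONF" > "$demo_src"
echo "before: $(conf_get "$demo_src" host):$(conf_get "$demo_src" port)/$(conf_get "$demo_src" protocol)"
if conf_set_target "$demo_src" "$demo_dst" siem.example.com 6514 tcp; then
  echo "after:  $(conf_get "$demo_dst" host):$(conf_get "$demo_dst" port)/$(conf_get "$demo_dst" protocol)"
fi
rm -f "$demo_src" "$demo_dst"
```

On a real system, run it as the sudo-capable account against a copy of /secureone/conf/fluentd/fluent.conf, diff the patched copy against the original, and only then move it into place and carry on with the restart and dry-run steps.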

Validation Notes

  • No red lines should appear in the output.
  • Green indicates successfully loaded.
  • Yellow indicates warnings.
  • Red indicates failure to load.
  • Colours are only shown when the command runs in a terminal; in a non-interactive session, check the command's exit code (non-zero means the configuration did not load) and look for lines tagged [error].
  • The dry run confirms only that the configuration parses and its plugins load. It does not test connectivity to the SIEM, so also watch the service logs from step 7 for connection or delivery errors after the restart.