Ubuntu 22.04 VPS Base Config
1. Prerequisites
1.1. Generate an SSH Key Pair
1.2. Choose an SSH Client
1.3. Choose a Hosting Provider
2. Build a New Server
3. Connect to Your Server
4. Install Updates
5. Create a Non-Root User
6. Grant New User Sudo Privileges
7. Grant New User SSH Access via PKI
8. Test New User SSH Access
9. Clean Up
10. Harden SSH Config
Install and Configure Google Authenticator
Configure PAM to use Google Authenticator
Enable Challenge-Response Authentication in SSH
11. Configure UFW
Allow OpenSSH
Enable UFW
12. Install & Configure Fail2Ban
Install Fail2Ban
Configure a Jail
13. Install & Configure ClamAV
Install ClamAV
Configure Daily Antivirus Scans
14. Install & Configure Sysmon
Register Microsoft Key & Feed
Registering the Microsoft Key
Adding the Microsoft Package Feed
Install Sysmon for Linux
Accept EULA & Run Installer With Default Config
Sysmon Configuration File
Ubuntu 22.04 VPS Base Config 1
Create the Configuration File
Rebuild Sysmon With New Config
Configure Logging for Sysmon
Steps for Setting Up syslog for Sysmon
Summary
1. Prerequisites
1.1. Generate an SSH Key Pair
⚠️ NOTE: I choose to leverage Ed25519 keys instead of RSA. Not all hosting
providers support this, so if you’re using something other than Hetzner,
you may need to generate an RSA key pair instead.
1. For Windows:
Generate SSH Key Pair (Windows)
2. For macOS:
Generate SSH Key Pair (macOS)
1.2. Choose an SSH Client
SSH Clients are software applications that use Secure Shell to connect to a remote
system, providing a text-based command line interface to the remote system.
They are essential tools for system administrators and developers as they allow
for secure, remote operations on servers.
In this guide, I’ll be using my favorite SSH Client, Termius as it offers several
advantages. It supports SSH, Mosh, and Telnet protocol, making it versatile for
different tasks. It has a user-friendly interface, making it easy even for beginners
to establish secure connections. Furthermore, it has robust features like built-in
SFTP client, SSH key agent forwarding, and the ability to remember hosts and
servers, making repeated connections quicker and more efficient. Its
multi-platform support allows you to use it on different operating systems, ensuring
consistency of experience. I might also be a fan because they have a kickass
mobile app too 😎
1.3. Choose a Hosting Provider
For this guide, I’ll be using Hetzner Cloud. Save money by creating an account
using my referral link.
2. Build a New Server
⚠️ If you choose a different cloud hosting provider, please refer to their
documentation for creating a new Ubuntu 22.04 Virtual Private Server
(VPS). In this guide, I’ll continue with Hetzner Cloud.
1. Log in to Hetzner Cloud and create a New Project called Personal Website
2. On the left-hand menu, click on Security then Add SSH key
3. Paste your SSH Public Key and set it as the default key.
4. On the left-hand menu, click on Firewalls and then create a new one. Leave the
default inbound rules but give your firewall a sensical name before saving it. I
called mine web-standard
5. On the left-hand menu, click on Servers then create a new one.
a. Choose a location nearest you or your target audience.
b. For the Image select Ubuntu 22.04 under the OS Images section.
c. Select the x86 (Intel/AMD) option under the Shared vCPU Type
d. Choose a size based on your needs. It’s best to start with the
lowest/cheapest option since you can easily scale up the server later if
needed, so in this case CPX11 should work just fine.
e. Ensure you have both Public IPv4 and Public IPv6 checked for Networking.
f. For the SSH Keys portion, ensure you select the one you added to the
project.
g. Scroll down to Firewalls and select the firewall we created earlier.
h. It’s best to select the Backups option. This will eventually save you.
i. Scroll to the bottom and give your server a name.
j. Click on the Create & Buy now button and you’re all done.
3. Connect to Your Server
⚠️ Things to consider if you’re using a different hosting provider or SSH
client:
1. Take note of the default username for the connection.
a. For Hetzner, this is root but for AWS it’s ubuntu
2. Confirm the type of authentication that is set up by default and the
type of SSH keys supported.
a. In this guide, I choose to leverage an Ed25519 key pair, but not all
hosting providers allow it.
b. Some hosting providers may set up password authentication for
SSH by default. If this is the case, I strongly recommend you find
a different hosting provider that cares about security.
If you’re following along with the tech stack I’ve chosen, then your connection
steps are:
Set Up SSH Connection in Termius
4. Install Updates
sudo apt update && sudo apt -y full-upgrade
5. Create a Non-Root User
Using a non-root user with sudo privileges is a best practice in server
management. This is because the root user has unlimited privileges and can
execute any command, even ones that can accidentally harm the system. By using
a non-root user with sudo privileges, you can execute administrative commands
while avoiding potential disasters. Furthermore, it adds an extra layer of security.
In case an attacker gains access to your user account, they would also need to
know your password to execute sudo commands.
sudo adduser newusername
6. Grant New User Sudo Privileges
Sudo, commonly pronounced as "sue-doo," is a program for Unix and Linux
operating systems that allows users to run programs with the security privileges
of another user (normally the root user). Its name is a contraction of "Super User
Do." This functionality is significant in system administration, as it allows users to
execute commands with elevated privileges, which are necessary for certain
administrative or system-level tasks. However, it also provides an additional layer
of security because it requires users to provide their own password to execute
these sudo commands.
⚠️ While there are multiple ways to grant a user sudo privileges, I am
demonstrating my preferred method, which is to create a user-specific file
inside the sudoers directory.
sudo visudo -f /etc/sudoers.d/newusername
Inside this file we’ll add the following contents then save & exit:
newusername ALL=(ALL:ALL) ALL
⚠️ newusername is the username for which the sudo privileges are being
granted.
The first occurrence of ALL signifies that this rule applies to all hosts.
If you had a network of computers using the same sudoers file, you
could restrict certain commands to specific hosts.
(ALL:ALL) : in these parentheses we can specify what users and groups
“newusername” is allowed to act as. The first ALL here means that
"newusername" can act as any user. The second ALL means that
"newusername" can act as any group. So, together, this means that
“newusername” can act as any user and any group.
The last ALL means that the "newusername" can run all commands.
7. Grant New User SSH Access via PKI
In the next step, we will be hardening our SSH configuration, so we need to
ensure that this new user we’ve created will be able to log in via SSH.
⚠️ There are multiple ways to accomplish this next task, but the basic
requirements are that a user must have a .ssh/ directory within their
home directory, and within that, they’ll need a file named authorized_keys
which should contain the user’s public key(s).
The .ssh/authorized_keys file in a user's home directory is used by the
SSH daemon to check which public keys are authorized for public
key authentication.
Each line in this file corresponds to one public key and should be
formatted as <key-type> <base64-encoded-key>.
The permissions for the .ssh directory should be 700 (drwx------), which
means that only the owner of the directory can read, write, and
execute files in that directory.
The permissions for the authorized_keys file should be 600 (-rw-------),
which means that only the owner can read and write this file.
sudo rsync --archive --chown=newusername:newusername ~/.ssh /home/newu
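The authorized_keys requirements above (one key per line in <key-type> <base64-encoded-key> form, .ssh at 700, the file at 600) as an added Python example that is not part of this guide. It validates a key line more strictly than a shape check by decoding the blob and comparing the key type embedded in the SSH wire format, then provisions a home directory with the stated permissions; the sample ed25519 key it builds is constructed (32 zero bytes in place of a real key) and the helper names are my own.

```python
import base64
import os
import stat
import struct
import tempfile

# Key types this helper accepts; ssh-ed25519 is what the guide generates.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def parse_authorized_key(line):
    """Validate one '<key-type> <base64-encoded-key> [comment]' line and
    return its key type, raising ValueError otherwise. Beyond the two-field
    shape the guide describes, the base64 blob is decoded and the type string
    embedded in the SSH wire format (4-byte length + name) is compared with
    the first field, which catches keys pasted with the wrong type or truncated."""
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-encoded-key>'")
    key_type, encoded = fields[0], fields[1]
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    blob = base64.b64decode(encoded, validate=True)  # ValueError on junk input
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii", "replace")
    if length > len(blob) - 4 or embedded != key_type:
        raise ValueError("blob type %r does not match %r" % (embedded, key_type))
    return key_type


def is_valid_key_line(line):
    """Boolean wrapper around parse_authorized_key."""
    try:
        parse_authorized_key(line)
        return True
    except ValueError:
        return False


def install_authorized_keys(home, key_lines):
    """Write <home>/.ssh/authorized_keys with the permissions the guide
    requires: .ssh is 700 (drwx------), authorized_keys is 600 (-rw-------).
    Every line is validated first so a bad key never reaches the file."""
    for line in key_lines:
        parse_authorized_key(line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, stat.S_IRWXU)  # 0o700
    path = os.path.join(ssh_dir, "authorized_keys")
    with open(path, "w") as f:
        f.write("\n".join(line.strip() for line in key_lines) + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # 0o600
    return path


def check_permissions(home):
    """True when .ssh is exactly 0700 and authorized_keys exactly 0600."""
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    file_mode = stat.S_IMODE(os.stat(path).st_mode)
    return dir_mode == 0o700 and file_mode == 0o600


def make_sample_ed25519_key(comment="user@example"):
    """Constructed, syntactically valid ssh-ed25519 public key line. The
    32-byte key material is all zeros: only the format matters here."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def demo_install():
    """Provision a throwaway home directory and report whether the resulting
    permissions match the guide. Returns True on success."""
    with tempfile.TemporaryDirectory() as home:
        install_authorized_keys(home, [make_sample_ed25519_key()])
        return check_permissions(home)


if __name__ == "__main__":
    print("permissions ok:", demo_install())
```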
8. Test New User SSH Access
⚠️ If you’re using a different SSH Client than Termius, then try to ssh into
your server using the newusername along with the SSH Key you created
earlier.
If you’re following along with my preferred tech stack, then do the following:
1. Edit the identity you created previously in Termius and update the username.
2. Attempt to open a connection. You should be successfully logged in via SSH
as newusername
9. Clean Up
Since one of the ways that we will harden SSH later is by disabling root login, we
won’t be needing the .ssh/ directory and its authorized_keys file from the root user’s
home directory. This was created for us by Hetzner when we built the new server
and provided our SSH Public Key. As such, we can clean this up.
sudo rm -rf /root/.ssh
10. Harden SSH Config
Install and Configure Google Authenticator
⚠️ The libpam-google-authenticator module can be used to secure SSH with multi-
factor authentication (MFA). This adds an extra layer of security to your
server by requiring users to provide a second form of authentication – a
time-based one-time password (TOTP) – in addition to their SSH key.
TOTPs are generated by an MFA app on your smartphone. When a user
tries to log in to the server, they will need to enter the TOTP displayed on
their MFA app, which changes every 30 seconds. This means that even
if an attacker somehow gets hold of your SSH key, they will still be
unable to access your server without the TOTP.
While Google Authenticator is a popular choice for generating TOTPs, it
is not the only app capable of doing so. Any app that supports the TOTP
standard can be used with libpam-google-authenticator. This includes apps like
Authy, Yubico Authenticator, LastPass Authenticator, Microsoft
Authenticator, and others. This gives you the flexibility to choose the
MFA app that best suits your needs.
sudo apt install -y libpam-google-authenticator && google-authenticator
Scan the QR code using your preferred MFA App (I use Yubico Authenticator).
Save the emergency codes.
Follow the prompts to configure the authenticator.
Configure PAM to use Google Authenticator
Pluggable Authentication Modules, or PAM, is a flexible mechanism for
authenticating users. It's a suite of shared libraries that enable the local system
administrator to choose how applications authenticate users. In other words, PAM
provides a way to develop programs that are independent of authentication
scheme. These programs need "authentication modules" to be attachable to them
at run-time in order to work. Which authentication module is to be attached is
decided through the configuration file setup.
In the context of SSH, PAM can be used to integrate additional authentication
methods, such as one-time passwords or multi-factor authentication, into the SSH
authentication process. This can greatly enhance the security of SSH, making it
more difficult for unauthorized users to gain access. It's important to note that,
while PAM can be used with SSH, its use is not limited to SSH. PAM can be used
with virtually any application that authenticates users.
Use nano to modify the /etc/pam.d/sshd file. You can place this anywhere within the
file:
# Configure PAM to use Google Authenticator
auth required pam_google_authenticator.so
Enable Challenge-Response Authentication in SSH
Use nano to modify the /etc/ssh/sshd_config file. Ensure the following changes are
made:
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
💡 Since you modified a configuration file, you’ll need to restart the service
associated with it in order for the changes to take effect.
sudo systemctl restart ssh
11. Configure UFW
UFW, or Uncomplicated Firewall, is a user-friendly frontend for managing iptables
firewall rules. Its main purpose is to simplify the process of configuring a firewall
on your system. It provides a straightforward way to add and remove simple
firewall rules, and also supports more advanced features, such as connection rate
limiting. By configuring UFW, you can define which services and ports are
accessible, helping you secure your server against unwanted traffic and potential
attacks.
Allow OpenSSH
sudo ufw allow OpenSSH
Enable UFW
sudo ufw enable
12. Install & Configure Fail2Ban
Fail2Ban is a simple host-based intrusion prevention system (IPS). In the context
of securing our Ubuntu server's SSH service, this means that Fail2Ban provides an
additional layer of security by monitoring log files for any malicious activity. If it
detects any suspicious activity, such as multiple failed login attempts, it will
automatically modify firewall rules to block the IP addresses associated with this
activity.
Install Fail2Ban
sudo apt install -y fail2ban
Configure a Jail
Use nano to create /etc/fail2ban/jail.local and paste the following in it:
# Fail2Ban jail.local configuration for SSH protection
# [DEFAULT] section sets default values for all jails
[DEFAULT]
# List of IPs or networks to ignore (e.g., localhost)
ignoreip = 127.0.0.1/8
# Duration (in seconds) for which an IP will be banned
bantime = 3600
# Time window (in seconds) for counting failed attempts
findtime = 600
# Number of failed attempts allowed within the 'findtime' window
maxretry = 3
# [sshd] section defines a jail for the SSH service
[sshd]
# Enable this jail
enabled = true
# Port on which the SSH service is running (default is 22)
port = ssh
# Filter to use (defined in /etc/fail2ban/filter.d/sshd.conf)
filter = sshd
# Path to the log file monitored for failed SSH login attempts
logpath = /var/log/auth.log
# Action to take when banning an IP (using UFW in this case)
banaction = ufw
💡 Since you modified a configuration file, you’ll need to restart the service
associated with it in order for the changes to take effect.
NOTE: in this case, we are also enabling the service. In Linux, this means
that the service will start automatically after a reboot.
sudo systemctl restart fail2ban && sudo systemctl enable fail2ban
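The jail logic the jail.local above configures (maxretry failures within a sliding findtime window trigger a bantime-long ban; ignoreip networks are exempt), as an added Python simulation that is not part of this guide or of Fail2Ban itself. It replays constructed auth.log lines so you can see which addresses the values 3 / 600 / 3600 would actually ban; the regex covers only two of the failure patterns Fail2Ban's real sshd filter knows, and the function names are my own.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the patterns Fail2Ban's sshd filter matches in /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user) .*?from (?P<ip>[\d.]+)"
)

# Constructed auth.log excerpt (not real traffic): 203.0.113.5 fails three
# times within 2.5 minutes, 192.0.2.9 fails three times spread over 30 minutes,
# and localhost fails three times in 10 seconds (covered by ignoreip).
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1200]: Failed password for root from 203.0.113.5 port 4242 ssh2
Mar  3 10:01:10 vps sshd[1201]: Invalid user admin from 203.0.113.5 port 4243
Mar  3 10:02:20 vps sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 4244 ssh2
Mar  3 10:03:00 vps sshd[1203]: Accepted publickey for newusername from 198.51.100.7 port 5000 ssh2
Mar  3 10:05:00 vps sshd[1204]: Failed password for root from 192.0.2.9 port 6000 ssh2
Mar  3 10:20:00 vps sshd[1205]: Failed password for root from 192.0.2.9 port 6001 ssh2
Mar  3 10:35:00 vps sshd[1206]: Failed password for root from 192.0.2.9 port 6002 ssh2
Mar  3 10:36:00 vps sshd[1207]: Failed password for root from 127.0.0.1 port 7000 ssh2
Mar  3 10:36:05 vps sshd[1208]: Failed password for root from 127.0.0.1 port 7001 ssh2
Mar  3 10:36:10 vps sshd[1209]: Failed password for root from 127.0.0.1 port 7002 ssh2
"""


def parse_ts(text, year):
    """auth.log timestamps carry no year; supply one so they can be compared."""
    return datetime.strptime("%d %s" % (year, text), "%Y %b %d %H:%M:%S")


def simulate_jail(log_text, maxretry=3, findtime=600, bantime=3600,
                  ignoreip=("127.0.0.1/8",), year=2024):
    """Replay auth.log lines through the [sshd] jail logic from jail.local.
    An IP that accumulates `maxretry` failures inside a sliding window of
    `findtime` seconds is banned for `bantime` seconds; addresses inside any
    `ignoreip` network are never banned. Returns (ip, ban_start, ban_end)."""
    # strict=False lets "127.0.0.1/8" stand for 127.0.0.0/8 as it does in jail.local.
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    failures = defaultdict(deque)
    banned_until = {}
    bans = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"), year)
        if any(ipaddress.ip_address(ip) in net for net in ignore_nets):
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue  # still banned: the firewall would have dropped this attempt
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, start, end in simulate_jail(SAMPLE_AUTH_LOG):
        print("ban %s from %s until %s" % (ip, start.time(), end.time()))
```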
13. Install & Configure ClamAV
ClamAV is a popular open source antivirus engine that is widely used for detecting
trojans, viruses, malware, and other malicious threats on the server. It is
particularly effective for scanning email servers, as it has built-in support for
scanning emails. It also supports multiple file formats and multiple signature
languages. By installing ClamAV on our server, we can add an extra layer of
security to our system, protecting it from potential threats. Regularly scanning our
server with ClamAV helps to keep our system secure and running smoothly,
preventing unexpected down times and data loss caused by malware infection.
Install ClamAV
sudo apt -y install clamav clamav-daemon && sudo systemctl enable clamav-fres
Configure Daily Antivirus Scans
⚠️ Cron jobs are scheduled tasks that are automatically run at fixed times,
dates, or intervals on a Unix-based system, such as Linux. These tasks
are usually system administrative jobs, such as backups or updates, but
can also be any script or command that needs to run on a regular basis.
The schedule for these tasks is defined in a cron table, or crontab. Each
user on a system can have their own crontab, and commands in any
given crontab will be executed as the user who owns the crontab.
Cron jobs are scheduled in the format of * * * * * command, where each
asterisk can be replaced with a specific time or date value.
The first asterisk represents the minute value (0-59), the second
represents the hour value (0-23), the third represents the day of the
month value (1-31), the fourth represents the month value (1-12), and
the fifth represents the day of the week value (0-7 where both 0 and
7 represent Sunday).
If an asterisk is left in place, it represents all possible values for that
field. So, * * * * * command would run the command every minute.
To edit the crontab for the current user, you can use the command
crontab -e. To view the current user's crontab, you can use crontab -l.
For beginners, crontab.guru is a great site to leverage when learning
to schedule cron jobs. It provides a simple and intuitive interface for
creating cron schedule expressions.
1. Use nano to create /etc/cron.daily/clamav_scan
a. This will be a Shell script which executes our Antivirus Scan.
b. Placing it in the cron.daily directory will run the script daily.
c. Paste the following value and save the file.
#!/bin/bash
/usr/bin/clamscan -r / --exclude-dir="^/sys" --exclude-dir="^/proc" --exclud
2. Ensure the script is executable:
sudo chmod +x /etc/cron.daily/clamav_scan
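The five-field cron schedule explained above, as an added Python example that is not part of this guide: a parser for crontab entries (including ranges, lists and */n steps, which the note does not cover) and a matcher that answers whether an entry fires at a given moment, folding day-of-week 7 into 0 as cron does. Useful for checking an entry before you commit it to crontab -e; the function names are my own and the timestamps in the test are constructed.

```python
from datetime import datetime

# (low, high) bounds for minute, hour, day-of-month, month, day-of-week.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(spec, lo, hi):
    """Expand one crontab field into the set of values it covers. Handles
    '*', a single value, ranges a-b, lists a,b,c and steps such as */15 or 1-5/2."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            start, end = (int(x) for x in part.split("-", 1))
        else:
            start = end = int(part)
        if not (lo <= start <= end <= hi) or step < 1:
            raise ValueError("bad value in cron field %r" % spec)
        values.update(range(start, end + 1, step))
    return values


def parse_cron_entry(entry):
    """Split '<min> <hour> <dom> <month> <dow> <command>' into expanded fields.
    Day-of-week 7 is folded into 0, since both mean Sunday."""
    parts = entry.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five schedule fields followed by a command")
    fields = [expand_field(p, lo, hi) for p, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    if 7 in fields[4]:
        fields[4].discard(7)
        fields[4].add(0)
    return {
        "fields": fields,
        # cron treats a field that starts with '*' as unrestricted when deciding
        # how day-of-month and day-of-week combine (see matches()).
        "dom_star": parts[2].startswith("*"),
        "dow_star": parts[4].startswith("*"),
        "command": parts[5],
    }


def matches(entry, when):
    """True if cron would run `entry` at the datetime `when`. As in cron,
    when both day fields are restricted the entry fires if either one matches."""
    spec = parse_cron_entry(entry)
    minute, hour, dom, month, dow = spec["fields"]
    cron_dow = (when.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
    if not spec["dom_star"] and not spec["dow_star"]:
        day_ok = when.day in dom or cron_dow in dow
    else:
        day_ok = when.day in dom and cron_dow in dow
    return when.minute in minute and when.hour in hour and when.month in month and day_ok


def fires_at(entry, iso_timestamp):
    """Convenience wrapper taking an ISO 8601 timestamp string."""
    return matches(entry, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    entry = "30 2 * * * /etc/cron.daily/clamav_scan"  # constructed entry
    print(entry, "fires at 02:30:", fires_at(entry, "2024-03-03T02:30:00"))
```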
14. Install & Configure Sysmon
Sysmon, or System Monitor, is a powerful tool that provides detailed information
about process creations, network connections, and changes to file creation time.
By collecting and logging this data, Sysmon can help us understand how these
processes and patterns of activity affect the operation and performance of our
server.
Installing Sysmon on our server can provide several key benefits:
Process Tracking: Sysmon provides detailed tracking for process creation,
including the command line information for the process. This can help us
identify any suspicious or malicious activity.
Network Connection: Sysmon logs details about each network connection,
including source and destination IPs, port numbers, and the process that made
the connection. This can help us monitor the data flow in and out of our
server.
File Modification: Sysmon monitors and logs changes to file creation time.
This can be a key indicator of malicious activity, as some malware will attempt
to manipulate the timestamps of files.
By installing and properly configuring Sysmon on our server, we can gain a much
more detailed view of server activity, which can be invaluable in diagnosing
problems or identifying security threats.
Register Microsoft Key & Feed
Registering the Microsoft key and feed is a necessary step to enable your Linux
system to download and install packages from Microsoft repositories. This
process involves two main actions:
Registering the Microsoft Key
Linux package management systems (like apt on Ubuntu) use GPG keys to verify
the integrity and authenticity of the packages. By registering the Microsoft key,
you ensure that packages downloaded from the Microsoft repository can be
verified against this key, confirming they haven't been tampered with.
Adding the Microsoft Package Feed
This action involves adding Microsoft's package repository to your system's list of
package sources. The package feed (repository) is where the system will look to
find packages for installation and updates. Adding this feed ensures that your
system can find and install the Sysmon package and other Microsoft-provided
packages.
wget -q https://packages.microsoft.com/config/ubuntu/$(lsb_release -rs)/packag
Install Sysmon for Linux
sudo apt update && sudo apt install -y sysmonforlinux
💡 While the command technically “installs” the Sysmon binary, the process
& service haven’t been executed yet, so Sysmon is not yet running on
our system.
Accept EULA & Run Installer With Default Config
We need to accept the End User License Agreement (EULA) and run the installer
so that it creates required directories and files. Keep in mind that this will have
everything running, but Sysmon will not be configured to monitor anything yet.
We’ll take care of that in a bit.
sysmon -accepteula -i
Sysmon Configuration File
Now that we’ve accepted the EULA and run the installer, we should have a new
directory created. This is where Sysmon will live and operate from (/opt/sysmon/).
We can now create a configuration file and rebuild Sysmon with it.
Create the Configuration File
Use Nano to create the file /opt/sysmon/sysmon-config.xml and paste the following
contents in it.
nano /opt/sysmon/sysmon-config.xml
<Sysmon schemaversion="4.81">
  <EventFiltering>
    <!-- Capture all process creation events -->
    <ProcessCreate onmatch="include">
      <Rule name="ProcessCreation">
        <Image condition="contains">/bin/</Image>
        <Image condition="contains">/usr/bin/</Image>
        <Image condition="contains">/sbin/</Image>
        <Image condition="contains">/usr/sbin/</Image>
      </Rule>
    </ProcessCreate>
    <!-- Capture process termination events -->
    <ProcessTerminate onmatch="include">
      <Rule name="ProcessTermination">
        <Image condition="contains">/bin/</Image>
        <Image condition="contains">/usr/bin/</Image>
        <Image condition="contains">/sbin/</Image>
        <Image condition="contains">/usr/sbin/</Image>
      </Rule>
    </ProcessTerminate>
    <!-- Capture file creation events -->
    <FileCreate onmatch="include">
      <Rule name="FileCreation">
        <Image condition="contains">/bin/</Image>
        <Image condition="contains">/usr/bin/</Image>
        <Image condition="contains">/sbin/</Image>
        <Image condition="contains">/usr/sbin/</Image>
      </Rule>
    </FileCreate>
    <!-- Capture network connection events -->
    <NetworkConnect onmatch="include">
      <Rule name="NetworkConnections">
        <Image condition="contains">/bin/</Image>
        <Image condition="contains">/usr/bin/</Image>
        <Image condition="contains">/sbin/</Image>
        <Image condition="contains">/usr/sbin/</Image>
      </Rule>
    </NetworkConnect>
    <!-- Capture raw read access events (indicative of low-level system access) -->
    <RawAccessRead onmatch="include">
      <Rule name="RawAccessRead">
        <Image condition="contains">/bin/</Image>
        <Image condition="contains">/usr/bin/</Image>
        <Image condition="contains">/sbin/</Image>
        <Image condition="contains">/usr/sbin/</Image>
      </Rule>
    </RawAccessRead>
    <!-- Capture process access events -->
    <ProcessAccess onmatch="include">
      <Rule name="ProcessAccess">
        <SourceImage condition="contains">/bin/</SourceImage>
        <SourceImage condition="contains">/usr/bin/</SourceImage>
        <SourceImage condition="contains">/sbin/</SourceImage>
        <SourceImage condition="contains">/usr/sbin/</SourceImage>
      </Rule>
    </ProcessAccess>
    <!-- Capture file delete events -->
    <FileDelete onmatch="include">
      <Rule name="FileDeletion">
        <Image condition="contains">/bin/</Image>
        <Image condition="contains">/usr/bin/</Image>
        <Image condition="contains">/sbin/</Image>
        <Image condition="contains">/usr/sbin/</Image>
      </Rule>
    </FileDelete>
  </EventFiltering>
</Sysmon>
Rebuild Sysmon With New Config
sysmon -accepteula -c /opt/sysmon/sysmon-config.xml
Configure Logging for Sysmon
⚠️ Why Give syslog Ownership of sysmon.log?
1. syslog's Role in Logging:
syslog is a system service responsible for collecting and storing
log messages generated by various applications and services on
a Linux system.
It operates with its own user and group (syslog) to manage log
files securely and consistently.
2. File Ownership:
When we set up a new log file for Sysmon, such as
/var/log/sysmon/sysmon.log, we need to ensure that syslog can write to
it.
By setting the ownership of the log file to syslog:syslog, we ensure
that the syslog service has the necessary permissions to write
log entries to this file.
3. Security and Access Control:
Changing ownership to syslog:syslog prevents unauthorized users
from tampering with the log files.
It ensures that only the syslog service, which is trusted and runs
with appropriate privileges, can write to these logs.
Why Configure syslog for Sysmon?
1. Separation of Concerns:
Sysmon (System Monitor) is responsible for generating detailed
system activity logs, such as process creation, network
connections, and file changes.
syslog, on the other hand, is responsible for collecting, storing,
and managing these logs in a centralized location.
2. Log Routing:
Configuring syslog to handle Sysmon logs ensures that all log
entries generated by Sysmon are collected and stored
consistently with other system logs.
This makes it easier to manage and analyze logs from different
sources in a unified manner.
3. System Compatibility:
By using syslog, which is a standard logging system on Linux, we
can leverage existing infrastructure for log management,
analysis, and forwarding to other systems (e.g., Splunk).
It avoids the need for custom solutions or additional services to
handle the log files.
Steps for Setting Up syslog for Sysmon
1. Create the Log Directory and File:
Ensure the log directory exists and create the log file:
💡 The -p flag in the mkdir command stands for "parents". It allows
the creation of nested directories in a single command, even if
some or all of the parent directories don't exist yet. If the
directories already exist, mkdir -p will not return an error, making it
a useful option for scripts.
sudo mkdir -p /var/log/sysmon && sudo touch /var/log/sysmon/sysmon.log
2. Change Ownership:
Change the ownership of the log file to syslog:
💡 The -R option in the chown command stands for "recursive". It is
used when you want to change the owner of a directory and all
the files and subdirectories within it. Without the -R option, the
chown command would only change the ownership of the
directory itself, leaving the ownership of files and subdirectories
within it unchanged.
sudo chown -R syslog:syslog /var/log/sysmon
3. Set Permissions:
Set appropriate permissions to allow syslog to write to the log file:
sudo chmod 644 /var/log/sysmon/sysmon.log
4. Configure syslog:
Create a new syslog configuration file to direct Sysmon logs to the correct file:
sudo nano /etc/rsyslog.d/30-sysmon.conf
💡 The configuration file, /etc/rsyslog.d/30-sysmon.conf, is created to direct
the Sysmon logs to the correct file. The syslog service uses this
configuration file to determine where Sysmon logs should be
stored.
The number 30 in the filename is used to set the order in which
the configuration files are loaded. Files in the /etc/rsyslog.d/
directory are loaded by rsyslog in ASCII order. Therefore, by
prefixing the filename with 30, we can control the load order to
ensure that the Sysmon configuration is loaded at the appropriate
time in relation to other configuration files. If there are
dependencies or specific load order requirements among multiple
configuration files, the numbering scheme helps manage this
order.
Add the following lines to ensure syslog captures Sysmon logs:
if $programname == 'sysmon' then /var/log/sysmon/sysmon.log
& stop
💡 This is a configuration line written in Rsyslog config language.
Here's a breakdown of what it does:
if $programname == 'sysmon' : This is a condition that checks if the
name of the program that generated the log message is
'sysmon'. The $programname is a property in Rsyslog that
contains the name of the program/app that originated the log
message. If the program name is indeed 'sysmon', then the
subsequent action is carried out.
then /var/log/sysmon/sysmon.log : If the condition is true (i.e., the log
message came from 'sysmon'), then the log message is
written into the /var/log/sysmon/sysmon.log file. This is the action
that is executed when the condition is met.
& stop : The '&' character here is a continuation marker that
links it to the previous line, meaning that if the previous
condition was met, it should also perform this action. The
'stop' action means that once the log message has been
written into the 'sysmon.log' file, Rsyslog should stop
processing this message. No further rules will be processed,
and the message will not be written to any other logs. This is
useful for preventing duplicate log entries in different files.
So, in summary, this line in the configuration tells Rsyslog to write
all log messages from 'sysmon' into a specific log file
(/var/log/sysmon/sysmon.log), and then stop processing the message.
5. Restart syslog:
Restart the syslog service to apply the changes:
sudo systemctl restart rsyslog
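The routing behaviour of the 30-sysmon.conf rule above, in particular what "& stop" buys you, as an added Python simulation that is not part of this guide or of rsyslog: it derives $programname from the syslog tag the way rsyslog does, walks an ordered rule list, and shows that without "stop" the Sysmon lines are copied into the catch-all file as well. The sample messages are constructed (not real Sysmon output), and the catch-all rule is a simplified stand-in for Ubuntu's default /var/log/syslog rule.

```python
import re
from collections import defaultdict

# rsyslog derives $programname from the syslog tag: the text before the
# optional "[pid]" and the colon.
TAG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<programname>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Constructed messages (not real Sysmon output) as rsyslog would receive them.
SAMPLE_MESSAGES = """\
Mar  3 10:00:01 vps sysmon: constructed process-creation event
Mar  3 10:00:02 vps sshd[1200]: Accepted publickey for newusername from 198.51.100.7 port 5000 ssh2
Mar  3 10:00:03 vps sysmon: constructed network-connection event
Mar  3 10:00:04 vps CRON[1300]: (root) CMD (run-parts /etc/cron.daily)
"""

# Rules in load order: (programname to match, or None for catch-all; target; stop).
RULES_WITH_STOP = [
    ("sysmon", "/var/log/sysmon/sysmon.log", True),   # 30-sysmon.conf with "& stop"
    (None, "/var/log/syslog", False),                  # simplified default catch-all
]
RULES_WITHOUT_STOP = [
    ("sysmon", "/var/log/sysmon/sysmon.log", False),  # same rule, "& stop" omitted
    (None, "/var/log/syslog", False),
]


def route(messages, rules):
    """Walk the rules in order for each message, as rsyslog does: a matching
    rule appends the line to its target; a rule with stop set ends processing
    of that message so later rules cannot copy it again. Returns target -> lines."""
    targets = defaultdict(list)
    for line in messages.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue
        programname = m.group("programname")
        for program, target, stop in rules:
            if program is None or program == programname:
                targets[target].append(line)
                if stop:
                    break
    return dict(targets)


def line_counts(messages, rules):
    """Number of lines each target file would receive."""
    return {target: len(lines) for target, lines in route(messages, rules).items()}


if __name__ == "__main__":
    print("with stop:   ", line_counts(SAMPLE_MESSAGES, RULES_WITH_STOP))
    print("without stop:", line_counts(SAMPLE_MESSAGES, RULES_WITHOUT_STOP))
```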
Summary
By giving syslog ownership of the /var/log/sysmon directory and the sysmon.log file, we
ensure that the syslog service can properly manage and write to the log files. Configuring syslog
to handle Sysmon logs integrates Sysmon’s detailed system activity logs into the
existing centralized logging infrastructure. This setup improves security,
consistency, and ease of log management, making it easier to analyze and
respond to system events and potential security incidents.