CentOS – A Syslog Server using Rsyslog, MySQL and LogAnalyzer

The goal of this article is to set up an rsyslog server that stores syslog messages in multiple MySQL tables (one per message source) and then to access those messages through a web browser.

Actually, a couple of months ago I wrote a similar post using Ubuntu Server 10.10; it worked up to the moment I updated the server.
A few days ago a user (Colin) left a comment about his struggle to make a similar config under CentOS. After that I decided to give it another go, this time using CentOS.

Currently I just need to get the syslog messages from two devices (a Cisco router and an access point), but you can easily adapt this config to as many as you please.

Table of Contents:

Before you Start
1. MySQL
1.1 Install and run MySQL
1.2. Setup Database and Tables
2. Rsyslog
2.1. Install Rsyslog
2.2. Config Rsyslog
2.3. Allow Syslog Messages through iptables
2.4. Test Rsyslog
3. LogAnalyzer
3.1. Install LogAnalyzer
3.2. Setup LogAnalyzer
4. Final Notes

Before you Start

Before you start reading, here are some overall notes on the setup.

Rsyslog:
MySQL DB name: rsyslogdb (tables gw1, ap1)
MySQL username: rsyslog

LogAnalyzer:
MySQL DB name: loganalyzerdb
MySQL username: loganalyzer

Local networks: 10.0.0.0/27, 10.0.1.0/27
GW1 IP: 10.0.0.30
AP1 IP: 10.0.1.29
Syslog server: 10.0.2.19
Syslog port: 514/tcp
Server OS: CentOS 5.6 (OpenVZ VM)

Ok, let’s start.

1. MySQL

1.1 Install and run MySQL

Install with:

yum install php-mysql mysql mysql-server

Secure and Run:

/sbin/chkconfig --levels 235 mysqld on
/etc/init.d/mysqld start
/usr/bin/mysql_secure_installation

Note: The last command lets you set the MySQL root password (the initial password is blank, so just hit Enter when asked for it) and removes the insecure defaults from the MySQL config.
Further steps could be taken to harden MySQL (change the default port, disable remote root login, restrict the allowed hosts, etc.), but as this is a local server there is no need for that.

1.2. Setup Database and Tables

During the "rsyslog-mysql" install, provided that MySQL is already present, the database and tables are created automatically: the default database is named "Syslog" and holds the "SystemEvents" and "SystemEventsProperties" tables. However, the point here is to split the messages over different tables, so I will describe how to create them manually.
The rsyslog table schema is stored in a file called "createDB.sql", but if you are following this article in order, at this point you haven't installed "rsyslog-mysql" yet.
Attention: The best (safest) option is to install "rsyslog" and "rsyslog-mysql" first (see 2.1. Install Rsyslog), then come back here and complete the MySQL config.

Check the table schema (run from the root directory):

find -name createDB.sql
#output (in my case)
./usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql
#open the file and copy the schema
vi /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql

Create the user/database/table and table schema:

#log in to MySQL
mysql -u root -p

#create a user
CREATE USER rsyslog;
SET PASSWORD FOR rsyslog= PASSWORD("yourpasswordgoeshere");

#setup database and table schema
CREATE DATABASE rsyslogdb;
USE rsyslogdb;
#paste contents of createDB.sql (the following is for rsyslog-mysql-3.22.1)
CREATE TABLE SystemEvents
(
ID int unsigned not null auto_increment primary key,
CustomerID bigint,
ReceivedAt datetime NULL,
DeviceReportedTime datetime NULL,
Facility smallint NULL,
Priority smallint NULL,
FromHost varchar(60) NULL,
Message text,
NTSeverity int NULL,
Importance int NULL,
EventSource varchar(60),
EventUser varchar(60) NULL,
EventCategory int NULL,
EventID int NULL,
EventBinaryData text NULL,
MaxAvailable int NULL,
CurrUsage int NULL,
MinUsage int NULL,
MaxUsage int NULL,
InfoUnitID int NULL ,
SysLogTag varchar(60),
EventLogType varchar(60),
GenericFileName VarChar(60),
SystemID int NULL
);
CREATE TABLE SystemEventsProperties
(
ID int unsigned not null auto_increment primary key,
SystemEventID int NULL ,
ParamName varchar(255) NULL ,
ParamValue text NULL
);
#rename SystemEvents
rename table SystemEvents to gw1;

#duplicate table
CREATE TABLE ap1 LIKE rsyslogdb.gw1;

#grant rsyslog user privileges over database
GRANT ALL PRIVILEGES ON rsyslogdb.* TO rsyslog IDENTIFIED BY "yourpasswordgoeshere";
flush privileges;

#leave mysql
exit


2. Rsyslog

2.1. Install Rsyslog

First, remove sysklogd (the default CentOS syslog daemon):

yum remove sysklogd

Install rsyslog with MySQL support:

yum install rsyslog rsyslog-mysql

Note: If you're running MySQL inside an OpenVZ VM (like me), you may get a "thread.error" whenever you use "yum" to install anything. This is a known bug involving the "fastestmirror" plugin of "yum" and "mysql".
To work around it, either disable "fastestmirror" or stop MySQL while installing:

yum --disableplugin=fastestmirror install rsyslog rsyslog-mysql
#or (I prefer this one)
yum --noplugins install rsyslog
#or
service mysqld stop
#install whatever you want, then:
service mysqld start

2.2. Config Rsyslog

Now, let's configure rsyslog:

vi /etc/rsyslog.conf
#Add (note that I only use TCP port 514; you can use UDP and any other port):
$ModLoad ommysql
$ModLoad imtcp
$InputTCPServerRun 514

#define the allowed senders (either by host or by network; I prefer the network form):
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/27, 10.0.1.0/27
$AllowedSender TCP, 127.0.0.1, 10.0.0.30, 10.0.1.29

#create custom templates and per-source rules (the trailing SQL option makes rsyslog escape quotes and backslashes in the message before it is inserted):
$template gw1tmpl,"insert into gw1 (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
$template ap1tmpl,"insert into ap1 (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL
if ($source == '10.0.0.30') then :ommysql:127.0.0.1,rsyslogdb,rsyslog,passwordgoeshere;gw1tmpl
if ($source == '10.0.1.29') then :ommysql:127.0.0.1,rsyslogdb,rsyslog,passwordgoeshere;ap1tmpl

In case of trouble, here is my rsyslog.conf file.

It may prove useful to set up an "aggregation table" that logs all messages (so you can check all messages at once):

#Create the "SystemEvents" table (in mysql):
mysql -u root -p
use rsyslogdb;
CREATE TABLE SystemEvents LIKE rsyslogdb.gw1;
exit
#edit rsyslog.conf and add this line before the rules/templates [if ($source) ...]:
vi /etc/rsyslog.conf
*.* >127.0.0.1,rsyslogdb,rsyslog,passwordgoeshere

Note that rsyslog.conf is processed sequentially, so if you place the "aggregation table" rule before the "if" statements, an arriving syslog message is stored first in the aggregation table and then in the table selected by the matching statement (if any).

Finally, save rsyslog.conf, exit the editor, and restart the service:

service rsyslog restart

2.3. Allow Syslog Messages through iptables

If you run a firewall (iptables), you will need to open the port, like this:

iptables -I INPUT -p tcp -i eth0 -s 10.0.0.30 -d 10.0.2.19 --dport 514 -j ACCEPT
iptables -I INPUT -p tcp -i eth0 -s 10.0.1.29 -d 10.0.2.19 --dport 514 -j ACCEPT
#adapt protocol/port to your config

2.4. Test Rsyslog

Let’s do some testing.
Check if messages are arriving at the syslog server.

tail -f /var/log/messages

Check if messages are being stored in mysql database.

mysql -u root -p
use rsyslogdb;
select * from gw1;

If you see anything other than "Empty set", it's working.
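To see what sections 1.2, 2.2 and 2.4 do together before touching a live server, here is an added example in Python (not from the original article, nor rsyslog's or LogAnalyzer's own code) that models the pipeline offline: it decodes an RFC 3164 line into the columns the gw1tmpl/ap1tmpl templates fill (PRI = facility * 8 + severity, the hostname, tag and message, MySQL-formatted timestamps), applies the $AllowedSender networks, routes the record to the aggregation table and the per-source table the way the rules in rsyslog.conf do, and stores it in an in-memory SQLite table with the same columns so that the "select * from gw1" check can be reproduced. Assumptions: the message year (RFC 3164 has none) defaults to 2011, the routing key is the sending IP rather than rsyslog's $source (the message hostname, which for these devices is the same address), the sample lines are constructed, and SQLite stands in for MySQL.

```python
"""Offline model of the rsyslog -> MySQL pipeline from this article.
Example code added to this page; the sample messages below are constructed."""
import ipaddress
import re
import sqlite3
from datetime import datetime

# Values from the "Before you Start" notes and the $AllowedSender line.
ALLOWED_SENDERS = [ipaddress.ip_network(n)
                   for n in ("127.0.0.1/32", "10.0.0.0/27", "10.0.1.0/27")]
# if ($source == '10.0.0.30') then ...;gw1tmpl   and   10.0.1.29 -> ap1tmpl
SOURCE_TABLES = {"10.0.0.30": "gw1", "10.0.1.29": "ap1"}
AGGREGATION_TABLE = "SystemEvents"        # the optional "*.* >127.0.0.1,..." rule
COLUMNS = ("Message", "Facility", "FromHost", "Priority", "DeviceReportedTime",
           "ReceivedAt", "InfoUnitID", "SysLogTag")   # what the templates insert

# Subset of createDB.sql (SQLite types) covering the columns the templates use.
SCHEMA = ("CREATE TABLE {} (ID INTEGER PRIMARY KEY AUTOINCREMENT, "
          "ReceivedAt TEXT, DeviceReportedTime TEXT, Facility INTEGER, "
          "Priority INTEGER, FromHost TEXT, Message TEXT, "
          "InfoUnitID INTEGER, SysLogTag TEXT)")

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG   (RFC 3164 wire format)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^ :]+:?) ?(?P<msg>.*)$")


def parse_syslog(line, received_at=None, year=2011):
    """Split one syslog line into the fields the templates reference.
    PRI = facility * 8 + severity, exposed by rsyslog as %syslogfacility%
    and %syslogpriority%.  RFC 3164 carries no year, so one is assumed
    (2011, the article's date)."""
    m = RFC3164.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 facilities * 8 + 7 severities
        raise ValueError("PRI out of range: %d" % pri)
    reported = datetime.strptime("%d %s" % (year, m.group("ts")),
                                 "%Y %b %d %H:%M:%S")
    received_at = received_at or datetime.now()
    mysql_date = "%Y-%m-%d %H:%M:%S"    # what :::date-mysql produces
    return {
        "Facility": pri // 8,
        "Priority": pri % 8,
        "FromHost": m.group("host"),
        "SysLogTag": m.group("tag"),
        "Message": m.group("msg"),
        "DeviceReportedTime": reported.strftime(mysql_date),   # %timereported%
        "ReceivedAt": received_at.strftime(mysql_date),        # %timegenerated%
        "InfoUnitID": 1,                 # %iut%: 1 = a plain syslog message
    }


def new_db():
    """In-memory stand-in for rsyslogdb with gw1, ap1 and the aggregation table."""
    conn = sqlite3.connect(":memory:")
    for table in ("gw1", "ap1", AGGREGATION_TABLE):   # CREATE TABLE ap1 LIKE gw1
        conn.execute(SCHEMA.format(table))
    return conn


def ingest(conn, sender_ip, line, received_at=None):
    """Apply the rsyslog.conf rules to one message in file order:
    $AllowedSender check, then the aggregation rule, then the per-source
    rule.  Returns the list of tables written ([] when the sender is rejected).
    Routing key: the peer address (the article keys on $source, rsyslog's
    alias for the message hostname, which for these devices is the same IP)."""
    if not any(ipaddress.ip_address(sender_ip) in net for net in ALLOWED_SENDERS):
        return []                                    # rsyslog discards it
    record = parse_syslog(line, received_at)
    tables = [AGGREGATION_TABLE]
    if sender_ip in SOURCE_TABLES:
        tables.append(SOURCE_TABLES[sender_ip])
    # Parameter binding instead of pasting %msg% into the statement text.
    sql = "INSERT INTO {} (%s) VALUES (%s)" % (", ".join(COLUMNS),
                                               ", ".join("?" * len(COLUMNS)))
    for table in tables:
        conn.execute(sql.format(table), [record[c] for c in COLUMNS])
    conn.commit()
    return tables


def messages_in(conn, table):
    """The article's 'select * from gw1' check, Message column only."""
    if table not in ("gw1", "ap1", AGGREGATION_TABLE):
        raise ValueError("unknown table: %s" % table)
    return [row[0] for row in
            conn.execute("SELECT Message FROM %s ORDER BY ID" % table)]


if __name__ == "__main__":
    conn = new_db()
    samples = [   # constructed (sender IP, raw line) pairs
        ("10.0.0.30", "<189>Jul  5 10:15:02 10.0.0.30 %SYS-5-CONFIG_I: "
                      "Configured from console by admin on vty0"),
        ("10.0.1.29", "<190>Jul  5 10:15:09 10.0.1.29 %DOT11-6-ASSOC: "
                      "Interface Dot11Radio0, Station 0011.2233.4455 Associated"),
        ("10.0.0.5", "<13>Jul  5 10:16:00 10.0.0.5 test: O'Reilly's quote survives"),
        ("10.0.5.7", "<13>Jul  5 10:16:01 10.0.5.7 test: not an allowed sender"),
    ]
    for ip, line in samples:
        print(ip, "->", ingest(conn, ip, line) or "dropped")
    for table in ("gw1", "ap1", AGGREGATION_TABLE):
        print(table, messages_in(conn, table))
```

Because the real templates paste %msg% straight into the INSERT text, the SQL template option (which escapes quotes and backslashes) is what keeps a message containing an apostrophe from breaking the statement; the example side-steps that by binding parameters. Sending a test message with an apostrophe in it and checking that it lands intact in gw1 is therefore a cheap sanity test of any new template you write.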


3. LogAnalyzer

3.1. Install LogAnalyzer

First, you will need to install Apache, PHP and the MySQL connector:

yum install httpd php php-mysql
#remember "service mysqld stop/start" if you run OpenVZ and get "thread.error"
chkconfig --levels 235 httpd on
service httpd start

Check for the latest stable release, then download and install it:

cd /tmp
wget http://download.adiscon.com/loganalyzer/loganalyzer-3.2.1.tar.gz
#untar
tar -xvzf loganalyzer-3.2.1.tar.gz
#cd to the src directory
cd loganalyzer-3.2.1/src
#clear /var/www/html (remove the Apache default index) but keep the directory itself, otherwise the copy below fails
rm -R -f /var/www/html/*
#copy the content to the web server root (/var/www/html)
cp -R * /var/www/html
#and repeat for the contrib folder:
cd /tmp/loganalyzer-3.2.1/contrib/
cp * /var/www/html
#go to the web root and make the scripts executable
cd /var/www/html
chmod +x configure.sh secure.sh
./configure.sh

Note: The last line creates a blank "config.php" file and gives everyone write access to it.
It won't produce any output, so don't panic; just run "ls" to check that config.php has been created (the initial setup via the browser will write to this file).

3.2. Setup LogAnalyzer

Set up the LogAnalyzer MySQL user and database:

#log in to MySQL
mysql -u root -p
create database loganalyzerdb;
CREATE USER loganalyzer;
SET PASSWORD FOR loganalyzer= PASSWORD("yourpasswordgoeshere");
GRANT ALL PRIVILEGES ON loganalyzerdb.* TO loganalyzer IDENTIFIED BY "yourpasswordgoeshere";
flush privileges;
exit

Now point your browser to the server IP.

You will be presented with a welcome message; proceed ("Click here…").

Click proceed until you reach the preferences page, then set up the LogAnalyzer viewing preferences.

Set up the first source's database connection with the rsyslog database, user and password created above.

Somewhere along this process you will be asked whether you want to set up a LogAnalyzer database to store users. Enter the database name and user you created before (loganalyzerdb / loganalyzer).

After the setup, you will need to add the other log source(s) (that is, the other database tables). Go to Admin Center > Sources, click "Add new source", and enter the same configuration as before, changing only the database table.

After I had set up my sources I logged out of LogAnalyzer and was still able to access them, so I had to edit the sources again (via the browser) and tick the "user only" checkbox to make them private to the user who created them (they had been assigned "Global"). Then we need to edit the LogAnalyzer config file:

vi /var/www/html/config.php
#change line
$CFG['UserDBLoginRequired'] = false;
#to
$CFG['UserDBLoginRequired'] = true;

Finally, all done.

4. Final Notes

As I said, I run a Cisco router and AP, so here is how to enable syslog on those devices:

logging host 10.0.2.19 transport tcp port 514 audit
logging trap debugging

And that's it, you're done. Now relax, SUMMER IS HERE.

This entry was posted in CentOS, Linux.

4 Responses to CentOS – A Syslog Server using Rsyslog, MySQL and LogAnalyzer

  1. Pingback: CentOS – A Syslog Server using Rsyslog, MySQL and Loganalyzer … : FRIENDDAT BLOG

  2. Hayes Whitt says:

    This post probably answers a question I had.
    For Ubuntu/Debian follow these posts in order?

    http://en.tiagomarques.info/2011/03/mysql-5-1-in-ubuntu-server-10-10/
    http://en.tiagomarques.info/2011/03/rsyslog-config-in-ubuntu-10-10/
    http://en.tiagomarques.info/2011/03/phplogcon-config-in-ubuntu-10-10/#comment-120

    Note to webtravelers: phplogcon is Loganalyzer now…I followed their guide at http://loganalyzer.adiscon.com/ for the latest (but slightly less informative than the fine guide above), install notes.

  3. Hayes Whitt says:

    I noticed you describe the order in the first sentence. Please just delete my prior post… Sorry!




Source: http://en.tiagomarques.info/2011/07/centos-syslog-server-rsyslog-mysql-and-loganalyzer/
Category: About *Nix OS | Added by: admin (22.11.2011)
Views: 22676 | Comments: 23 | Tags: rsyslog, analizer, PHP, MySQL, syslog | Rating: 2.0/1