Wednesday 26 August 2015

How to configure Centralized log server using rsyslog and loganalyzer




Rsyslog server details:-

Operating system: RHEL 6.7
IP Address: 172.66.249.4
Hostname: logserver.example.com

Rsyslog Client details:-

Operating system: RHEL 6.7
IP Address: 172.66.249.5
Hostname: client.example.com

Rsyslog is an open source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities and flexible configuration options, and adds important features such as using TCP for transport.
It is very helpful for Linux administrators who need to view and troubleshoot errors when something goes wrong. In this tutorial let us see how to install and configure Rsyslog and its graphical front end, LogAnalyzer, and also how to forward logs from the client systems to the Rsyslog server.

Prerequisites:

1) You have to install LAMP [Linux, Apache, MySQL, PHP]
[root@logserver ~]# yum install httpd mysql* php* -y

[root@logserver ~]# /etc/init.d/mysqld start

Initializing MySQL database:  Installing MySQL system tables...
OK
Filling help tables...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:

/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h logserver.example.com password 'new-password'

Alternatively you can run:
/usr/bin/mysql_secure_installation

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the manual for more instructions.

You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &

You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl

Please report any problems with the /usr/bin/mysqlbug script!

                                                           [  OK  ]
Starting mysqld:                                           [  OK  ]
[root@logserver ~]# /etc/init.d/mysqld status
mysqld (pid  2869) is running...

[root@logserver ~]# chkconfig mysqld --list
mysqld          0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@logserver ~]# chkconfig mysqld on


[root@logserver ~]# /usr/bin/mysql_secure_installation




NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!


In order to log into MySQL to secure it, we'll need the current
password for the root user.  If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] Y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] Y
 ... Success!

By default, MySQL comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] Y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] Y
 ... Success!

Cleaning up...



All done!  If you've completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

[root@logserver ~]# /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]
[root@logserver ~]# chkconfig httpd on
Start Rsyslog Installation in logserver:
[root@logserver ~]# yum install rsyslog-* -y

[root@logserver ~]# service rsyslog start

[root@logserver ~]# chkconfig rsyslog on
Import the rsyslog database and tables into MySQL. First edit the file ‘/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql’:
# vim /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Set the database name as shown below. Here I am using ‘logserverdb’ as my database name.
CREATE DATABASE logserverdb;
USE logserverdb;
CREATE TABLE SystemEvents
(
[...]
Now import the database tables into MySQL using command:-
# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

Now let us check that the rsyslog database was properly imported into MySQL and set the rsyslog user's privileges over the database:
[root@logserver ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| logserverdb        |
| mysql              |
+--------------------+
3 rows in set (0.00 sec)

mysql> GRANT ALL ON logserverdb.* TO loguser@localhost IDENTIFIED BY 'loguser123';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye

Edit the rsyslog config file:
[root@logserver ~]# vim /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability
# Provides UDP syslog reception

## uncomment ##
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
## Uncomment ##
$ModLoad imtcp
$InputTCPServerRun 514

## Add the following lines ##
$ModLoad ommysql
*.* :ommysql:127.0.0.1,logserverdb,loguser,loguser123
$AllowedSender UDP, 127.0.0.1, 172.66.0.0/16
$AllowedSender TCP, 127.0.0.1, 172.66.0.0/16
Database name:- logserverdb
Database user:- loguser
rsyslog user password:- loguser123
$AllowedSender lists the clients that rsyslog accepts logs from, separately for UDP and TCP.
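
A small audit of the configuration above, as an added example that is not part of the original post: it flags a UDP or TCP listener that has no matching $AllowedSender line (rsyslog then accepts messages from any host) and an ommysql action whose password sits in a world-readable file. The function name audit_rsyslog_conf is hypothetical, and it only understands the legacy directive format used in this tutorial.

```shell
#!/bin/sh
# Added example (not from the original post). audit_rsyslog_conf is a
# hypothetical helper; it reads the legacy "$Directive value" format only.
# Usage: audit_rsyslog_conf /etc/rsyslog.conf   (exit 0 = clean, 1 = findings)
audit_rsyslog_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }

    # find prints the path only when "other" has read permission on the file.
    world=no
    [ -n "$(find "$conf" -perm -004 2>/dev/null)" ] && world=yes

    awk -v world="$world" '
        /^[ \t]*#/ { next }                               # ignore comments
        $1 == "$UDPServerRun"      { listen["UDP"] = $2 }
        $1 == "$InputTCPServerRun" { listen["TCP"] = $2 }
        $1 == "$AllowedSender"     {                      # "$AllowedSender UDP, net, ..."
            proto = toupper($2); sub(/,$/, "", proto); allowed[proto] = 1
        }
        index($0, ":ommysql:") {                          # server,db,user,password
            if (split($0, f, ",") >= 4 && f[4] != "") dbpass = 1
        }
        END {
            for (p in listen)
                if (!(p in allowed)) {
                    printf "WARN %s port %s accepts any sender (no $AllowedSender %s)\n", p, listen[p], p
                    bad++
                }
            if (dbpass && world == "yes") {
                print "WARN ommysql password is in a world-readable file (chmod 600)"
                bad++
            }
            if (!bad) print "OK"
            exit (bad ? 1 : 0)
        }' "$conf"
}
```
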

Disable all existing syslog services if any.
[root@logserver ~]# service syslog stop
[root@logserver ~]# chkconfig syslog off

Install LogAnalyzer:

[root@logserver ~]# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.6.tar.gz
[root@logserver ~]# tar zxvf loganalyzer-3.6.6.tar.gz
[root@logserver ~]# mv loganalyzer-3.6.6/src/ /var/www/html/loganalyzer
[root@logserver ~]# mv loganalyzer-3.6.6/contrib/* /var/www/html/loganalyzer/
[root@logserver ~]# cd /var/www/html/loganalyzer/
[root@logserver ~]# chmod +x configure.sh secure.sh

[root@logserver ~]# ./configure.sh


ADJUST IPTABLES:


[root@logserver ~]# iptables -A INPUT -p udp  --dport 514 -j ACCEPT
[root@logserver ~]# service iptables save
[root@logserver ~]# service iptables restart
[root@logserver ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Aug 25 08:54:57 2015
*filter
:INPUT ACCEPT [46:3684]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2576]
-A INPUT -p tcp -m tcp --dport 514 -j ACCEPT
COMMIT

Disable SELINUX:

Edit the file /etc/sysconfig/selinux:
# vim /etc/sysconfig/selinux
Change SELINUX=enforcing to SELINUX=disabled:-
SELINUX=disabled
Then reboot the server.

Access LogAnalyzer:

Open your web browser and point it to this URL:-
http://ip-address/loganalyzer
You will get an error message that says: Critical Error occurred
Click on the link that says: ‘here’


In this screen click Next:-


Click Next


Pay close attention at this step: make sure you enter the database name and database username with the correct upper and lower case.


Click Next to Create Tables



Click Next



Create Admin user for login to loganalyzer web console


Select “MySQL Native” in the Source type drop-down box and enter the database name, database table name, database username and password. Then click Next.


We have successfully installed LogAnalyzer. Click Finish to complete the installation.


Login to loganalyzer console to view the collected log details:


Finally you will get the log screen as follows:


Wednesday 19 August 2015

How to Configure Linux Virtual Server (LVS) in CentOS, RHEL

Linux Virtual Server Project (LVS) allows you to configure a load-balancing server cluster, especially for networked services like web servers and mail servers. This allows TCP and UDP sessions to be load balanced between multiple real servers.

{NOTE:- Backend web servers are also called real servers. Users (or clients) do not know about the backend and frontend servers; they connect directly to the Service IP Address (or Service Hostname).
The LVS server then forwards the packets to these backend servers.
Service IP Address of LVS :- 192.168.15.254
Internal IP Address of LVS:- 172.66.249.15
These two web servers are connected to the LVS server using the internal IP address of the LVS }



The steps to configure the LVS server are given below.


LVS server IP and Hostname:- 172.66.249.15 & 192.168.15.254 , lvsnode1.example.com

Backend First Web Server IP and Hostname:- 172.66.249.10, node1.example.com

Backend Second Web Server IP and Hostname:- 172.66.249.11, node2.example.com

First Install the ipvsadm package:-

The sysctl settings (Linux kernel parameters) are stored in /etc/sysctl.conf and are loaded at each boot.
To enable IPv4 forwarding on your RHEL system, open the file with vim /etc/sysctl.conf and add the following line:

net.ipv4.ip_forward = 1

The sysctl command is used to modify kernel parameters at runtime, so to load the setting run # sysctl -p

Then start the ipvsadm service




To clear the default LVS settings, type ipvsadm -C {C for clear}

Finally save the newly created rules

Thursday 13 August 2015

How to Disable Root SSH Login on Linux

In this post we are going to see how to disable ssh login for the root user.

Attackers will try to brute-force your root password, so leaving ssh login enabled for the root user is a very big security issue. To avoid this situation, log in via ssh as a local user and then simply use sudo to switch to the root user.



Step 1:- I have created the user called firtsuser
Step 2:- Assign a password to the newly created user
Step 3:- Open the /etc/ssh/sshd_config file and find the line "PermitRootLogin yes"; to disable logging in through ssh as root, change it to "PermitRootLogin no".
Step 4:- Check that the ssh port is listening
Step 5:- Restart the sshd service
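
Step 3 as a script, added here as an example that is not part of the original post: sshd keeps the first value it reads for a keyword, and a Match block can set PermitRootLogin again, so simply appending a line at the end of the file may not take effect. The function names are hypothetical, and the script works on whatever file you pass in, so it can be tried on a copy of sshd_config first.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the PermitRootLogin value of the global section ("unset" if none).
# sshd keeps the first value it reads for a keyword, so only that line counts.
global_permit_root_login() {
    awk '{ line = $0; sub(/[ \t]*=[ \t]*/, " ", line); split(line, w, " "); k = tolower(w[1]) }
         k == "match"           { exit }
         k == "permitrootlogin" { print tolower(w[2]); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Rewrite FILE so the global section has exactly one active "PermitRootLogin no"
# and no Match block turns root login back on. A backup is kept as FILE.bak.
set_permit_root_login_no() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    cp -p "$conf" "$conf.bak" || return 2
    awk '{ line = $0; sub(/[ \t]*=[ \t]*/, " ", line); split(line, w, " "); k = tolower(w[1]) }
         k == "match" {                      # global section ends at the first Match
             if (!done) { print "PermitRootLogin no"; done = 1 }
             inmatch = 1
         }
         k == "permitrootlogin" {
             if (inmatch) { print "    PermitRootLogin no"; next }
             if (!done)   { print "PermitRootLogin no"; done = 1 }
             next                            # drop later duplicates
         }
         { print }
         END { if (!done) print "PermitRootLogin no" }' "$conf.bak" > "$conf"
    # Succeed only if the rewritten file really disables root login globally.
    [ "$(global_permit_root_login "$conf")" = "no" ]
}
```

Run sshd -t after the rewrite to validate the file before restarting sshd in step 5.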

Friday 7 August 2015

How to Configure glusterfs on centos and RHEL

GlusterFS


GlusterFS is free software originally developed by Gluster, Inc.; Red Hat, Inc. then acquired Gluster in 2011. With this software we can build very large storage by combining multiple storage servers over an interconnect such as 1G Ethernet or InfiniBand. In simple terms, it aggregates multiple storage servers to form one large storage pool that can be accessed by clients.


Advantages of GlusterFS:-

  • Open Source
  • Scale storage size up to several petabytes
  • High Performance & IO
  • You can deploy GlusterFS with the help of commodity hardware servers

Following Types of volume can be created in your GlusterFS Environment:-
  • Distributed
  • Replicated
  • Striped
  • Distributed Striped
  • Distributed Replicated
  • Distributed Striped Replicated
  • Striped Replicated

NOTE:- brick is an export directory on a server


1) Distributed 

This type of volume simply distributes the data evenly across the available bricks in a volume. The most basic GlusterFS volume type is a “Distribute only” volume: if I write 100 files, on average, fifty will end up on one server, and fifty will end up on another. This is faster than a “replicated” volume.

Now we are going to configure a distributed volume using 2 servers, which GlusterFS clients will be able to use.



OS Version:- RHEL 6.5
Server1 Hostname:- server1.example.com
Server1 IP :- 172.66.249.15
Server2 Hostname:- server2.example.com
Server2 IP :- 172.66.249.16
Client Machine Hostname:- client.example.com
Client IP :- 172.66.249.17

Step1:- Login to Server 1 then configure as follows

First download the repo file:-



Then Install the necessary Components:-


Start the glusterd service



Add IP and hostname entries to the /etc/hosts file; this is the file used to determine the IP address that corresponds to a host name.


Format and Mount the partition 





[NOTE:- Configure the same settings in server2 ]

 STEP 2:- Login to Server 2 then configure as follows

[root@server2 ~]# wget http://download.gluster.org/pub/gluster/glusterfs/LATEST/CentOS/glusterfs-epel.repo -P /etc/yum.repos.d

[root@server2 ~]# yum -y install glusterfs-server

[root@server2 ~]# /etc/init.d/glusterd start

Starting glusterd: [ OK ]

[root@server2 ~]# chkconfig glusterd on

[root@server2 ~]# vi /etc/hosts
172.66.249.15 server1.example.com server1
172.66.249.16 server2.example.com server2
172.66.249.17 client.example.com client

[root@server2 ~]# fdisk -l

Disk /dev/sda: 21.5 GB, 21474836480 bytes
64 heads, 32 sectors/track, 20480 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000c7fe4

Device Boot Start End Blocks Id System
/dev/sda1 * 2 501 512000 83 Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2 502 20480 20458496 8e Linux LVM
Partition 2 does not end on cylinder boundary.

Disk /dev/mapper/vg_server1-lv_root: 18.8 GB, 18798870528 bytes
255 heads, 63 sectors/track, 2285 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000


Disk /dev/mapper/vg_server1-lv_swap: 2147 MB, 2147483648 bytes
255 heads, 63 sectors/track, 261 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000


Disk /dev/sdb: 26.8 GB, 26843545600 bytes
64 heads, 32 sectors/track, 25600 cylinders
Units = cylinders of 2048 * 512 = 1048576 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

# create a directory for GlusterFS volume

[root@server2 ~]# mkfs.ext4 /dev/sdb


[root@server2 ~]# mkdir /server2/disk2 -p

[root@server2 ~]# mount /dev/sdb /server2/disk2/


Then again go to the server1


Create a gluster volume by using this command


[root@server1 ~]# gluster volume create My_GFS_Volume server1:/server1/disk1/volume1 server2:/server2/disk2/volume2

Next, start the volume; only then can you access it from the client.



STEP 3:- Install and Configure the Client Components

[root@client ~]# wget http://download.gluster.org/pub/gluster/glusterfs/LATEST/CentOS/glusterfs-epel.repo -P /etc/yum.repos.d

[root@client ~]# yum -y install glusterfs glusterfs-fuse


Mount the volume on /mnt


2) Replicated

This type of volume maintains a copy of the data on all the bricks; the number of replicas you create depends on your choice or need. It is mainly used for better reliability and data redundancy.
For creating replicated:-