Centralized log server using rsyslog and loganalyzer
Rsyslog server details:-
Operating system: RHEL 6.7IP Address: 172.66.249.4
Hostname:- logserver.example.com
Rsyslog Client details:-
Operating system: RHEL 6.7IP Address: 172.66.249.5
Hostname: client.example.com
Rsyslog is an open source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds important features such as using TCP for transport.
It will be very helpful for Linux administrators to view and troubleshoot errors if something went wrong. In this tutorial let us see how to install and configure Rsyslog and graphical front-end for rsyslog called LogAnalyser and also how to forward logs from the client systems to the Rsyslog server.
Prerequisites:
1) You have to install LAMP [Linux, Apache, Mysql, Php][root@logserver ~]# yum install httpd mysql* php* -y
[root@logserver ~]# /etc/init.d/mysqld start
Initializing MySQL database: Installing MySQL system tables...
OK
Filling help tables...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MySQL root USER !
To do so, start the server, then issue the following commands:
/usr/bin/mysqladmin -u root password 'new-password'
/usr/bin/mysqladmin -u root -h logserver.example.com password 'new-password'
Alternatively you can run:
/usr/bin/mysql_secure_installation
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the manual for more instructions.
You can start the MySQL daemon with:
cd /usr ; /usr/bin/mysqld_safe &
You can test the MySQL daemon with mysql-test-run.pl
cd /usr/mysql-test ; perl mysql-test-run.pl
Please report any problems with the /usr/bin/mysqlbug script!
[ OK ]
Starting mysqld: [ OK ]
[root@logserver ~]# /etc/init.d/mysqld status
mysqld (pid 2869) is running...
[root@logserver ~]# chkconfig mysqld --list
mysqld 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[root@logserver ~]# chkconfig mysqld on
[root@logserver ~]# /usr/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MySQL to secure it, we'll need the current
password for the root user. If you've just installed MySQL, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.
Set root password? [Y/n] Y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] Y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] Y
... Success!
By default, MySQL comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] Y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] Y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MySQL
installation should now be secure.
Thanks for using MySQL!
[root@logserver ~]# /etc/init.d/httpd start
Starting httpd: [ OK ]
[root@logserver ~]# chkconfig httpd on
Start Rsyslog Installation in logserver:
[root@logserver ~]# yum install rsyslog-* -y
[root@logserver ~]# service rsyslog start
[root@logserver ~]# chkconfig rsyslog on
Import rsyslog database and tables to mysql db, so Edit file ‘/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql’ file,
# vim /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Set the database name as shown below. Here i am using ‘logserverdb’ as my database name.
CREATE DATABASE logserverdb;
USE logserverdb;
CREATE TABLE SystemEvents
(
[...]
Now import the database tables into MySQL using command:-
# mysql -u root -p < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql
Now let us check the ‘rsyslogdb’ database is properly imported into mysql and Set ‘rsysloguser’ user privileges over database:
[root@logserver ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.1.73 Source distribution
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| logserverdb |
| mysql |
+--------------------+
3 rows in set (0.00 sec)
mysql> GRANT ALL ON logserverdb.* TO loguser@localhost IDENTIFIED BY 'loguser123';
Query OK, 0 rows affected (0.00 sec)
mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)
mysql> exit
Bye
edit the rsyslog config file,
[root@logserver ~]# vim /etc/rsyslog.conf
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
## uncomment ##
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
## Uncomment ##
$ModLoad imtcp
$InputTCPServerRun 514
## Add the following lines ##
$ModLoad ommysql
$ModLoad ommysql
*.* :ommysql:127.0.0.1,logserverdb,loguser,loguser123
$AllowedSender UDP, 127.0.0.1, 172.66.0.0/16
$AllowedSender TCP, 127.0.0.1, 172.66.0.0/16
Database name:- logserverdb
Database user:- loguser
rsyslog user password- loguser123
rsyslog accepts logs from clients on both UDP and TCP ports-$AllowedSender
Disable all existing syslog services if any.
[root@logserver ~]# service syslog stop
[root@logserver ~]# chkconfig syslog off
Install LogAnalyzer:
[root@logserver ~]# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.6.tar.g[root@logserver ~]# tar zxvf loganalyzer-3.6.6.tar.gz
[root@logserver ~]# mv loganalyzer-3.6.6/src/ /var/www/html/loganalyzer
[root@logserver ~]# mv loganalyzer-3.6.6/contrib/* /var/www/html/loganalyzer/
[root@logserver ~]# cd /var/www/html/loganalyzer/
[root@logserver ~]# chmod +x configure.sh secure.sh
[root@logserver ~]# ./configure.sh
ADJUST IPTABLES:
[root@logserver ~]# iptables -A INPUT -p udp --dport 514 -j ACCEPT
[root@logserver ~]# service iptables save
[root@logserver ~]# service iptables restart
[root@logserver ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Aug 25 08:54:57 2015
*filter
:INPUT ACCEPT [46:3684]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [24:2576]
-A INPUT -p tcp -m tcp --dport 514 -j ACCEPT
COMMIT
Disable SELINUX:
Edit file /etc/sysconfig/selinux file# vim /etc/sysconfig/selinux
Change SELINUX=enforcing to SELINUX=disabled:-
SELINUX=disabled
then reboot the server.
Access LogAnalyzer:
open your web browser point to this url:-
http://ip-address/loganalyser
You will get an Error message that says: Critical Error occurred
Click on link that says: ‘here’
In this screen click Next:-
Click Next
You have to more concentrate in this step, Make sure before entering the database name and database username with correct Lower and Upper case.
Click Next to Create Tables
Click Next
Create Admin user for login to loganalyzer web console
Select “MySQL Native” in the Source type drop down box and Enter the database name,
database table name, database username and password. then Click Next.
we have successfully installed LogAnalyzer. Click Finish to complete installation
Login to loganalyzer console to view the collected log details:
Finally you will get the log screen like as follows
No comments:
Post a Comment