Wednesday, January 25, 2012

Set Up Rsyslog and LogAnalyzer on CentOS Linux 5.5 for Centralized Logging

SkyHi @ Wednesday, January 25, 2012
LogAnalyzer is a web-based program that allows you to view event messages from a syslog source within your web browser.  Rsyslog is a drop-in replacement for the syslog daemon that, among other things, allows syslog messages to be saved in a MySQL database.  Combining these two great programs and directing other network devices to forward syslog messages to a central server gives you a very powerful solution for searching and archiving event messages that occur throughout your network environment.  In this example I will install rsyslog on a CentOS Linux 5.5 server to aggregate and collect syslog messages and configure LogAnalyzer on the same server to provide a user-friendly interface for viewing and searching through these messages.
First we need to install some required RPMs.  Since I am running LogAnalyzer, Rsyslog, and MySQL all on the same server I will install these required packages:

# yum install httpd php mysql php-mysql mysql-server wget rsyslog rsyslog-mysql

Now we’ll make sure MySQL and Apache are configured to start automatically and start them up:

# chkconfig mysqld on
# chkconfig httpd on
# service mysqld start
# service httpd start

By default the MySQL root database user has a blank password, so for security we should set it now:

# mysqladmin -u root password NewPassword

Now let’s import the database schema for the rsyslog database into MySQL.  You may need to adjust the path to your “createDB.sql” file below if the rsyslog version has been updated.

# mysql -u root -p < /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql

It is best practice to limit database access for applications, so now we’ll set up a user specifically for LogAnalyzer and rsyslog that we’ll use to access the newly created rsyslog database.  For even greater security you may want to set up separate accounts for rsyslog and LogAnalyzer: since LogAnalyzer only reads the rsyslog database, fewer privileges (such as SELECT only) should be needed for it.  For my environment using the same user is adequate.  Notice that with MySQL you can make access very granular and allow the rsyslog user database access only from the localhost.  We’ll also execute the “flush privileges” MySQL command to activate our permission changes immediately.

# mysql -u root -p mysql
mysql> GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'Password';
mysql> flush privileges;
mysql> exit

Now it is time to edit the “/etc/rsyslog.conf” file.  We’ll include information that will allow us to log syslog messages from rsyslog into the MySQL database.  The first line loads the MySQL driver.  The second line specifies that messages from the “authpriv” facility with all severities are logged, which includes most login/logout messages and switch user events.  If I wanted to log all messages to MySQL I would specify *.*.  I have identified the MySQL database server to log to as 127.0.0.1, Syslog is the name of the MySQL database, and finally I have specified my MySQL rsyslog username and password.  To specify additional syslog facility/severity combinations add them to the front of the second line and separate each combination with a semicolon (mail.*;authpriv.* :ommysql…).  Remember that when you specify a severity it is the minimum level which will be logged; anything with a higher severity will also be logged.  Add the code to the top of the file:

$ModLoad ommysql
authpriv.* :ommysql:127.0.0.1,Syslog,rsyslog,Password
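
The selector rules described above, as an added example (Python, not from the original post): a small matcher that answers which facility/severity messages a selector such as `authpriv.*` or `mail.*;authpriv.*` would hand to the ommysql action, including the minimum-severity rule and the `none` and `=severity` forms rsyslog also accepts.

```python
# Added example (not from the original post): evaluate syslog-style
# "facility.severity" selectors such as "authpriv.*" or "mail.*;authpriv.*"
# to check which messages the ":ommysql:" action above would store.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]


def parse_selector(selector):
    """Split 'mail.*;auth,authpriv.=err' into [(['mail'], '*'), (['auth', 'authpriv'], '=err')]."""
    rules = []
    for part in selector.split(";"):
        fac_part, dot, sev = part.strip().rpartition(".")
        if not dot:
            raise ValueError("selector part lacks a severity: %r" % part)
        facilities = [f.strip() for f in fac_part.split(",")]
        for fac in facilities:
            if fac != "*" and fac not in FACILITIES:
                raise ValueError("unknown facility %r" % fac)
        level = sev[1:] if sev.startswith("=") else sev
        if level not in SEVERITIES and level not in ("*", "none"):
            raise ValueError("unknown severity %r" % sev)
        rules.append((facilities, sev))
    return rules


def matches(selector, facility, severity):
    """True if a message of this facility/severity is selected.

    A plain severity is a minimum: that level and everything more severe
    matches; '*' means every level, '=sev' exactly that level, 'none' drops
    the facility. A later part naming the same facility overrides an earlier
    one, as in sysklogd/rsyslog ('*.*;mail.none' excludes mail).
    """
    sev_idx = SEVERITIES.index(severity)  # 0 = emerg (most severe) ... 7 = debug
    selected = False
    for facilities, sev in parse_selector(selector):
        if "*" not in facilities and facility not in facilities:
            continue
        if sev == "none":
            selected = False
        elif sev.startswith("="):
            selected = sev_idx == SEVERITIES.index(sev[1:])
        else:
            limit = "debug" if sev == "*" else sev
            selected = sev_idx <= SEVERITIES.index(limit)
    return selected
```

With the post’s selector, `matches("authpriv.*", "authpriv", "notice")` is true (a successful `su` reaches MySQL) while `matches("authpriv.*", "mail", "err")` is false.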

Now it’s time to shut down and disable the existing syslog daemon and enable and start up rsyslog:

# chkconfig syslog off
# service syslog stop
# chkconfig rsyslog on
# service rsyslog start

It is now time to go out to the web and download LogAnalyzer.  To find information on the latest release go to http://loganalyzer.adiscon.com/downloads.
Or to download directly to your Linux server the version I am using enter this (wget is required):

# cd ~
# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.0.0.tar.gz

Unzip and untar the LogAnalyzer files:

# tar zxvf loganalyzer-3.0.0.tar.gz

Now it is time to move various files and subdirectories to your Apache web document root.  In this example I am assuming that this is still the Apache default of “/var/www/html”.

# mv loganalyzer-3.0.0/src /var/www/html/loganalyzer
# mv loganalyzer-3.0.0/contrib/* /var/www/html/loganalyzer/

Change to the new LogAnalyzer web subdirectory, make two scripts executable, and run the configure.sh script.  This will create a blank config.php file that will have information added to it during the web portion of the configuration.

# cd /var/www/html/loganalyzer
# chmod u+x configure.sh secure.sh
# ./configure.sh

Now some additional configuration of LogAnalyzer is required in the web browser.  Point your browser at your server and the LogAnalyzer subdirectory, in my case http://web1/loganalyzer.
In the middle under Critical Error click “here” in the “Click here to Install” line.
Click Next.
Click Next.
Click Next unless you want to set different display options.
Now you’ll need to specify the Database Host, Name, Tablename, User and Password to give LogAnalyzer access to the rsyslog table created in MySQL.  Click Next when you’ve specified the correct information.
Finally click Finish.
If you have specified everything correctly you will now be presented with the main LogAnalyzer page, which will list the syslog messages as they are received.  You may need to generate some messages for something to be displayed.  In my case, since I am logging everything from the “authpriv” facility, simply logging in/out of the Linux console or running switch user (su) on this server should make some new messages appear on the screen (you may need to refresh the page).

Configuring Rsyslog for Remote Logging
Now we’ll configure our rsyslog server to accept syslog messages from other network devices.  First we need to configure the firewall to allow inbound traffic on port 514.  In this example I will add two rules to allow traffic via TCP and UDP.  Syslog by default only allows for message transmission over UDP, but rsyslog adds TCP for more reliable message transmission.  Add these rules to “/etc/sysconfig/iptables”:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 514 -j ACCEPT

Now restart the iptables firewall:

# service iptables restart

We need to add configuration to allow rsyslog to accept messages from remote syslog hosts.  Basically we’ll specify to accept messages via TCP and UDP from the localhost and from hosts on the 192.168.1.0/24 subnet.  Add these lines near the top of the “/etc/rsyslog.conf” file, above the MySQL-related lines that we added previously.

$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.1.0/24

At one point there was a bug in rsyslog which prevented the above lines from working, so syslog messages were accepted from all senders.  This appears to be corrected now.  Another way to limit accepted senders is to restrict the source addresses in the port 514 rules that we defined earlier in the iptables firewall configuration file.
Don’t forget to restart rsyslog on the central server:

# service rsyslog restart

Now we need to configure a remote client to send messages to our new centralized rsyslog server.  If the client is also running rsyslog, add an entry like this to its “/etc/rsyslog.conf” file.  In this case I will again specify to send all messages from the “authpriv” facility to my rsyslog server, whose IP address I have also entered.

authpriv.*                                              @192.168.10.100

Restart rsyslog on the client and log in/out or switch user in the console of the Linux client machine.  With luck the syslog messages from the client will appear on the LogAnalyzer web page!
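
As an added example (Python, not from the original post), a script that builds the RFC 3164 (BSD syslog) datagram a client emits for `authpriv.* @server` and can send one to the collector, so you can search LogAnalyzer for a known test message instead of waiting for a login; the hostname `client1`, the tag and the message text are assumptions, and 192.168.10.100 is the collector address from the post.

```python
# Added example (not from the original post): build the RFC 3164 datagram a
# client sends for "authpriv.* @server" and fire one at the collector, then
# look for the known text in LogAnalyzer. Hostname/tag/message are made up.
import socket
import time

FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY_CODES.update(("local%d" % i, 16 + i) for i in range(8))
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def bsd_timestamp(t=None):
    """RFC 3164 TIMESTAMP 'Mmm dd hh:mm:ss'; the day is space-padded ('Jan  5 ...')."""
    t = t or time.localtime()
    return "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)


def build_packet(facility, severity, hostname, tag, message, timestamp=None):
    """Return b'<PRI>TIMESTAMP HOSTNAME TAG: MSG'. PRI = facility*8 + severity is
    the field the collector's selectors (e.g. authpriv.*) decode and match on."""
    if not message or "\n" in message:
        raise ValueError("message must be a single non-empty line")
    pri = FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]
    ts = timestamp or bsd_timestamp()
    return ("<%d>%s %s %s: %s" % (pri, ts, hostname, tag, message)).encode("utf-8")


def decode_pri(packet):
    """Map a packet's PRI back to (facility, severity) names, as the collector does."""
    pri = int(packet[1:packet.index(b">")])
    fac = {v: k for k, v in FACILITY_CODES.items()}[pri // 8]
    sev = {v: k for k, v in SEVERITY_CODES.items()}[pri % 8]
    return fac, sev


def send_udp(packet, server, port=514):
    """Send one datagram over UDP, the transport a plain '@host' action uses."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        return sock.sendto(packet, (server, port))
    finally:
        sock.close()


if __name__ == "__main__":
    # 192.168.10.100 is the collector address used in the post; adjust to yours.
    pkt = build_packet("authpriv", "notice", "client1", "logtest[4242]",
                       "centralized logging test from client1")
    print(pkt.decode())
    send_udp(pkt, "192.168.10.100")
```

Because the message is sent as facility authpriv, it passes the server’s `authpriv.* :ommysql:` selector and should appear in the Syslog database within a few seconds; if it does not, check the iptables rules and the `$AllowedSender` list before suspecting LogAnalyzer.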


REFERENCES
http://aaronwalrath.wordpress.com/2010/09/02/set-up-rsyslog-and-loganalyzer-on-centos-linux-5-5-for-centralized-logging/
http://serverfault.com/questions/234025/recommended-software-for-a-centralized-logging-server