How To Install And Configure Syslog Server In Centos 7

On this page

  1. Installing Full-Featured Rsyslog 5.7.x On CentOS 5.x
    1. Goals
    2. Pre-Installation
    3. Download additional package:
    4. Download Rsyslog package:
    5. Compile & Install Rsyslog:
    6. Set up MySQL database:
    7. Configure init script
    8. Configure Syslog and Rsyslog:
    9. Rsyslog configuration
    10. Start Rsyslog
    11. Test Rsyslog
    12. Links

Installing Full-Featured Rsyslog 5.7.x On CentOS 5.x

This tutorial shows how you can install a new generation of syslog server by using Rsyslog. According to the Rsyslog web site (www.rsyslog.com), Rsyslog is an enhanced syslogd supporting, among others, MySQL, PostgreSQL, failover log destinations, syslog/tcp, fine grain output format control, high precision timestamps, queued operations and the ability to filter on any message part. It is quite compatible to stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption protected syslog relay chains while at the same time being very easy to set up for the novice user.

Goals

This tutorial shows how you can compile and install full-featured Rsyslog 5.7.9 on a CentOS 5.5 server. I do not issue any guarantee that this will work for you!

Pre-Installation

First we need to install the following packages:

yum install -y pcre pcre-devel mysql-server mysql-devel gnutls gnutls-devel gnutls-utils net-snmp net-snmp-devel net-snmp-libs net-snmp-perl net-snmp-utils libnet libnet-devel

Download additional packages:

librelp (Reliable Event Logging Protocol Library) is an easy to use library for the RELP protocol. RELP in turn provides reliable event logging over the network. RELP (and hence librelp) assures that no message is lost, not even when connections break and a peer becomes unavailable. Please note that RELP is a general-purpose, extensible logging protocol. Even though it was designed to solve the urgent need of rsyslog-to-rsyslog communication, RELP supports many more applications.

cd /tmp
wget http://sourceforge.net/projects/libestr/files/libestr-0.1.0.tar.gz/download
tar -xvf libestr-0.1.0.tar.gz
cd libestr-0.1.0
./configure --prefix=/usr
make
make install

cd /tmp
wget http://www.libee.org/files/download/libee-0.1.0.tar.gz
tar -xvf libee-0.1.0.tar.gz
cd libee-0.1.0
./configure --prefix=/usr
make
make install

cd /tmp
wget http://honeynet.ir/software/rsyslog/librelp-1.0.0.tar.gz
tar -xvf librelp-1.0.0.tar.gz
cd librelp-1.0.0
./configure --prefix=/usr
make
make install

Download Rsyslog package:

At the time of writing this tutorial, I find rsyslog 5.7.9 is the best version of Rsyslog which supports most of the good features you might need.

cd /tmp
wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.7.9.tar.gz
tar -xvf rsyslog-5.7.9.tar.gz
cd rsyslog-5.7.9

Compile & Install Rsyslog:

For more information about the options available in Rsyslog, you can run ./configure --help

The following command enables most of the rsyslog features, such as compression, multithreading, MySQL, SNMP, mail and RELP support:

./configure --enable-regexp --enable-zlib --enable-pthreads --enable-klog --enable-inet --enable-unlimited-select --enable-debug --enable-rtinst --enable-memcheck --enable-diagtools --enable-mysql --enable-snmp --enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests --enable-mail --enable-imptcp --enable-omruleset --enable-valgrind --enable-imdiag --enable-relp --enable-testbench --enable-imfile --enable-omstdout --enable-omdbalerting --enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-pmlastmsg --enable-omudpspoof --enable-omprog --enable-impstats
make
make install

Set up MySQL database:

Installing MySQL is mandatory if you want to save syslog records to a database; otherwise skip this part.

mysql -u root -p < plugins/ommysql/createDB.sql
mysql -u root -p mysql
GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'your-mysql-password';
flush privileges;

Configure init script

vi /etc/init.d/rsyslog

#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
#
# chkconfig: - 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs $network $remote_fs
# Required-Stop: $local_fs $network $remote_fs
# Default-Stop: 0 1 2 3 4 5 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0

start() {
        [ -x /usr/local/sbin/rsyslogd ] || exit 5
        #[ -x /usr/local/sbin/rklogd ] || exit 5

        # Do not start rsyslog when sysklogd is running
        if [ -e /var/run/syslogd.pid ] ; then
                echo $"Shut down sysklogd before you run rsyslog";
                exit 1;
        fi

        # Source config
        if [ -f /etc/sysconfig/rsyslog ] ; then
                . /etc/sysconfig/rsyslog
        else
                #SYSLOGD_OPTIONS="-c3"
                SYSLOGD_OPTIONS="-c5"
                #KLOGD_OPTIONS="-2"
        fi

        if [ -z "$SYSLOG_UMASK" ] ; then
              SYSLOG_UMASK=077;
        fi
        umask $SYSLOG_UMASK

        echo -n $"Starting system logger: "
        daemon /usr/local/sbin/rsyslogd $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        #echo -n $"Starting kernel logger: "
        #daemon rklogd $KLOGD_OPTIONS
        #echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/rsyslog
        return $RETVAL
}
stop() {
        #echo -n $"Shutting down kernel logger: "
        #killproc rklogd
        #echo
        echo -n $"Shutting down system logger: "
        killproc rsyslogd
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/rsyslog
        return $RETVAL
}
reload()  {
    RETVAL=1
    syslog=`cat /var/run/rsyslogd.pid 2>/dev/null`
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    # The kernel-logger reload below is disabled, so its RETVAL reset is
    # disabled too; otherwise reload would always report failure.
    #RETVAL=1
    #echo -n "Reloading kernel logger..."
    #klog=`cat /var/run/rklogd.pid 2>/dev/null`
    #if [ -n "${klog}" ] && [ -e /proc/"${klog}" ]; then
        #kill -USR2 "$klog";
    #    RETVAL=$?
    #fi
    #if [ $RETVAL -ne 0 ]; then
        #failure
    #else
        #success
    #fi
    #echo
    return $RETVAL
}
rhstatus() {
        status rsyslogd
        #status rklogd
}
restart() {
        stop
        start
}

case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload|force-reload)
        reload
        ;;
  status)
        rhstatus
        ;;
  condrestart)
        [ -f /var/lock/subsys/rsyslog ] && restart || :
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart}"
        exit 2
esac

exit $?

Note: make sure SYSLOGD_OPTIONS="-c5" is set!

Configure Syslog and Rsyslog:

service syslog stop
chkconfig syslog off
chmod 755 /etc/init.d/rsyslog
chkconfig --add rsyslog
chkconfig rsyslog on

Init script is available for download on Iran Honeynet Project - Rsyslog

Rsyslog configuration

Some sample configurations that outline the available features can be found on the Rsyslog.com web site.

vi /etc/rsyslog.conf

# Input Modules -----------------------------------This line is comment
#--------------------------------------------------This line is comment
$ModLoad impstats.so
$PStatsInterval 300
syslog.info  /var/log/rsyslog-stats
#--------------------------------------------------This line is comment
$ModLoad immark.so      # provides --MARK-- message capability
$ModLoad imuxsock.so    # provides support for local system logging (via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)

#--------------------------------------------------This line is comment
$ModLoad imudp.so       # provides UDP syslog reception
$UDPServerAddress *     # all local interfaces
$UDPServerRun 514       # start UDP server (log server receiver)
#--------------------------------------------------This line is comment
$ModLoad imtcp.so       # provides TCP syslog reception and GSS-API (if compiled)
$InputTCPServerRun 514  # start TCP server (log server receiver)
#--------------------------------------------------This line is comment
$ModLoad imrelp.so      # RELP input
$InputRELPServerRun 20514 # start RELP Protocol
#--------------------------------------------------This line is comment
$ModLoad imfile.so      # Text file input
$InputFileName /var/log/i-am-a-text-file.log
$InputFileTag my-text-file:
$InputFileStateFile stat-file1
$InputFileSeverity error
$InputFileFacility local7
$InputFilePollInterval 10 # check for new lines every 10 seconds
$InputRunFileMonitor
#--------------------------------------------------This line is comment
#$ModLoad imgssapi.so   # Plain TCP and GSSAPI
#$ModLoad im1395.so     # Messages via RFC1395

# Output Modules ----------------------------------This line is comment
#--------------------------------------------------This line is comment
$ModLoad omsnmp.so      # Send SNMP traps
#$actionsnmptransport udp
#$actionsnmptarget 192.168.x.x
#$actionsnmptargetport 162
#$actionsnmpversion 1
#$actionsnmpcommunity public
#*.* :omsnmp:
#--------------------------------------------------This line is comment
$ModLoad ommysql.so     # Log to MySQL
#$ModLoad ompgsql.so    # Log to PostgreSQL
#--------------------------------------------------This line is comment
$ModLoad ommail.so      # Send mail
#$ActionMailSMTPServer mail.example.net
#$ActionMailFrom [email protected]
#$ActionMailTo [email protected]
#$ActionMailTo [email protected]
#$template mailSubject,"disk problem on %hostname%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 21600
#if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
#--------------------------------------------------This line is comment
$ModLoad omrelp.so      # Send to another host via RELP
#$ModLoad omlibdbi.so   # Log via generic DB output
#$ModLoad omgss.so      # GSS enabled output

# Globals -----------------------------------------This line is comment
$umask 0000
$DirCreateMode 0640
$FileCreateMode 0640
$RepeatedMsgReduction on

$WorkDirectory /var/log/rsyslog  # default location for work (spool) files
$ActionQueueType LinkedList      # use asynchronous processing
$ActionQueueFileName queue       # set file name, also enables disk mode
$ActionResumeRetryCount -1       # infinite retries on insert failure
$ActionQueueSaveOnShutdown on    # save in-memory data if rsyslog shuts down
$MainMsgQueueMaxFileSize 100M
$ActionQueueMaxFileSize 5M
#--------------------------------------------------This line is comment
# Below find some samples of what a template can do. Have a good
# time finding out what they do [or just run them] ;)

# A template that resembles traditional syslogd file output:
$template TraditionalFormat,"%timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"

# a template useful for debugging format issues
$template DEBUG,"Debug line with all properties:\nFROMHOST: '%FROMHOST%', HOSTNAME: '%HOSTNAME%', PRI: %PRI%,\nsyslogtag '%syslogtag%', programname: '%programname%', APP-NAME: '%APP-NAME%', PROCID: '%PROCID%', MSGID: '%MSGID%',\nTIMESTAMP: '%TIMESTAMP%', STRUCTURED-DATA: '%STRUCTURED-DATA%',\nmsg: '%msg%'\nescaped msg: '%msg:::drop-cc%'\nrawmsg: '%rawmsg%'\n\n"

# A template that resembles RFC 3164 on-the-wire format:
# (yes, there is NO space between syslogtag and msg! that's important!)
$template RFC3164fmt,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%"

# a template resembling traditional wallmessage format:
$template wallmsg,"\r\n\7Message from syslogd@%HOSTNAME% at %timegenerated% ...\r\n %syslogtag%%msg%\n\r"

# The template below emulates winsyslog format, but we need to check the time
# stamps used. for now, it is good enough ;) This format works best with
# other members of the MonitorWare product family. It is also a good sample
# where you can see the property replacer in action.
$template WinSyslogFmt,"%HOSTNAME%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%timegenerated:1:10:date-rfc3339%,%timegenerated:12:19:date-rfc3339%,%syslogfacility%,%syslogpriority%,%syslogtag%%msg%\n"

# A template used for database writing (notice it *is* an actual
# sql-statement):
$template dbFormat,"insert into SystemEvents (Message, Facility,FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%',%syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",sql

$template FileFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"

$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%"

# Selector lines are somewhat different from stock syslogd. With
# rsyslog, you can add a semicolon ";" after the target and then
# the template name. That will assign this template to the respective
# action. If no template name is given, a hardcoded template is used.
# If a template name is given, but the template was not defined, the
# selector line is DEACTIVATED.
#--------------------------------------------------------------------

#--------------------------------------------------This line is comment
# Forward via TCP with maximum compression:
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @@(z9)192.168.x.x:514
# Forward via UDP with maximum compression:
#$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @(z9)192.168.x.x:514
# Forward via RELP Protocol:
#*.*      :omrelp:192.168.2.4:20514;TraditionalFormat
# Store all log messages in MySQL DB:
#*.*       :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password
#--------------------------------------------------This line is comment

#--------------------------------------------------This line is comment
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console;TraditionalFileFormat

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

#--------------------------------------------------This line is comment
$IncludeConfig /etc/rsyslog.d/*.conf

#--------------------------------------------------This line is comment
#if message contains 'network error' then run the restart-network.sh shell script!!!
#:msg, contains, "network error" ^/root/restart-network.sh
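Before starting the server it is worth a review pass over the legacy-format directives above. The following is an added example (not part of the tutorial or of rsyslog itself): it parses a constructed excerpt of this rsyslog.conf, inline comments included, and reports what an operator should check, such as network listeners with no active $AllowedSender line, UDP reception, a $DirCreateMode without execute bits, and any rule whose action executes a program. The finding texts are the example's own wording.

```python
"""Review a legacy-format (v5) rsyslog.conf before starting the log server.
Added example, not from the tutorial; SAMPLE_CONF is a constructed excerpt."""
import re

SAMPLE_CONF = """\
$ModLoad imudp.so       # provides UDP syslog reception
$UDPServerRun 514       # start UDP server (log server receiver)
$InputTCPServerRun 514  # start TCP server (log server receiver)
$InputRELPServerRun 20514 # start RELP Protocol
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net
$DirCreateMode 0640
$FileCreateMode 0640
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
#:msg, contains, "network error" ^/root/restart-network.sh
"""

LISTENERS = {"$UDPServerRun": "UDP", "$InputTCPServerRun": "TCP",
             "$InputRELPServerRun": "RELP"}

def parse_legacy(text):
    """Yield ('directive', name, value) or ('rule', selector, action) for
    each active statement; '#' comments and blank lines are dropped."""
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line.partition(" ")
            yield "directive", name, value.strip()
        else:
            parts = line.rsplit(None, 1)          # selector/filter, then action
            yield "rule", parts[0], parts[1] if len(parts) == 2 else ""

def review(text):
    """Return the findings a reviewer would raise about this config."""
    findings, listeners, allowed, modes = [], [], False, {}
    for kind, name, value in parse_legacy(text):
        if kind == "rule" and value.startswith("^"):   # action executes a program
            findings.append(f"rule '{name}' runs external program {value[1:]}")
        elif name in LISTENERS:
            listeners.append(f"{LISTENERS[name]}/{value}")
        elif name == "$AllowedSender":
            allowed = True
        elif name in ("$DirCreateMode", "$FileCreateMode"):
            modes[name] = int(value, 8)
    if listeners and not allowed:
        findings.append("listeners %s accept messages from any source: no active "
                        "$AllowedSender directive" % ", ".join(listeners))
    if any(l.startswith("UDP") for l in listeners):
        findings.append("UDP reception has no delivery guarantee and no sender authentication")
    if "$DirCreateMode" in modes and not modes["$DirCreateMode"] & 0o111:
        findings.append("$DirCreateMode %04o has no execute bit: created directories "
                        "cannot be entered" % modes["$DirCreateMode"])
    return findings
```

Run review() over the real /etc/rsyslog.conf contents to get the same list for your own file.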

Important Note: For more information please check Rsyslog.com

Rsyslog config file is available for download on Iran Honeynet Project - Rsyslog

Start Rsyslog

chmod 640 /etc/rsyslog.conf
service rsyslog start
tail -f /var/log/messages

Test Rsyslog

logger "this is a test message"
logger -p local0.info -t testtag "this is a test message"
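To see where these two test messages end up, here is an added example (not from the tutorial): it computes the PRI that logger sends for local0.info, lays the message out as the RFC3164fmt template above does, and applies the selector lines of the rsyslog.conf above (copied into RULES) with sysklogd matching rules. The hostname and timestamp in wire_message are constructed placeholders.

```python
"""Where would the tutorial's test messages land?  Added example, not from
the tutorial: encode the PRI that `logger -p local0.info -t testtag` sends,
lay the message out like the RFC3164fmt template, and apply the selector
lines of the tutorial's rsyslog.conf (copied into RULES) with sysklogd
semantics: "fac.prio" matches prio or more severe, ".none" excludes a
facility, and later ";"-separated parts override earlier ones."""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]              # codes 16..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

RULES = [  # active selector lines of the tutorial's /etc/rsyslog.conf
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, as in RFC 3164 section 4.1.1."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def wire_message(facility, severity, tag, msg, ts="Jan  1 00:00:00", host="centos5"):
    """Template "<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag%%msg%": the tag keeps
    its colon and msg its leading space, hence no separator between the two.
    ts and host are constructed placeholders."""
    return f"<{encode_pri(facility, severity)}>{ts} {host} {tag}: {msg}"

def selector_matches(selector, facility, severity):
    sev = SEVERITIES.index(severity)
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if "*" not in facs.split(",") and facility not in facs.split(","):
            continue                                # part does not name our facility
        if prio == "none":
            matched = False                         # explicit exclusion (authpriv.none)
        elif prio == "*":
            matched = True
        else:
            matched = sev <= SEVERITIES.index(prio) # this priority or more severe
    return matched

def route(pri):
    """Return the action of every rule that accepts a message with this PRI."""
    facility, severity = decode_pri(pri)
    return [action for sel, action in RULES if selector_matches(sel, facility, severity)]
```

Call route(encode_pri("local0", "info")) for the second test command and compare it with route(encode_pri("authpriv", "info")) to see what the authpriv.none exclusion does.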

Links

Iran Honeynet Project: http://www.honeynet.ir/
Rsyslog Project: http://www.rsyslog.com/
CentOS: http://www.centos.org/


Source: https://www.howtoforge.com/installing-full-featured-rsyslog-5.7.x-on-centos-5.x

Posted by: hawkinscausbableche.blogspot.com
