Central Log Server with Rsyslog and phpLogCon, using TLS/SSL over TCP

Rsyslog v5 supports TLS/SSL for both sending and receiving logs through its gtls network stream driver, which is built on GnuTLS. The steps below build rsyslog 5.8.4 from source with that driver, the MySQL output (for phpLogCon) and the mail output enabled.

Download the rsyslog 5.8.4 source tarball (rsyslog-5.8.4.tar.gz) from the release page: http://www.rsyslog.com/rsyslog-5-8-4-v5-stable/

Steps (do this on both client and server):

  1. cd /usr/src
  2. Download rsyslog-5.8.4.tar.gz into /usr/src (wget the tarball link from the release page above; the page URL itself is not the tarball)
  3. tar -zxvf rsyslog-5.8.4.tar.gz
  4. cd rsyslog-5.8.4
  5. yum install gnutls-devel mysql-devel   (GnuTLS headers for the gtls driver, MySQL client headers for ommysql)
  6. ./configure --enable-mysql --enable-gnutls --enable-mail
  7. make && make install   (this installs rsyslogd into /usr/local/sbin, which is the path the init script below uses)
  8. vi /etc/init.d/rsyslog and paste the following to create the start/stop script:

#!/bin/bash
#
# rsyslog   Start/stop the rsyslogd built from source (installed in /usr/local/sbin)
#
. /etc/init.d/functions

RETVAL=0
PIDFILE=/var/run/syslogd.pid

prog=rsyslogd
exec=/usr/local/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog

start() {
    [ -x $exec ] || exit 5

    # Source config (SYSLOGD_OPTIONS is read from here)
    if [ -f /etc/sysconfig/rsyslog ] ; then
        . /etc/sysconfig/rsyslog
    fi
    umask 077

    echo -n $"Starting system logger: "
    daemon --pidfile="${PIDFILE}" $exec $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    echo -n $"Shutting down system logger: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

reload() {
    # rsyslogd re-reads its configuration on SIGHUP
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog"
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}

rhstatus() {
    status -p "${PIDFILE}" $prog
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload|force-reload)
        reload
        ;;
    status)
        rhstatus
        ;;
    condrestart|try-restart)
        rhstatus >/dev/null 2>&1 || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
        exit 2
esac

exit $?

Make the script executable (chmod 755 /etc/init.d/rsyslog). If the distribution's packaged rsyslog or sysklogd is installed, stop and disable it first: two daemons would otherwise fight over /dev/log and the same pid file.

Now configure the server to listen for TLS over TCP

  1. vi /etc/sysconfig/rsyslog and set the following value:

SYSLOGD_OPTIONS="-m 0"

(rsyslog 5 runs in sysklogd-compatibility mode unless you pass -c5; in native v5 mode the -m switch is ignored and mark messages come from the immark module instead.)

  2. vi /etc/rsyslog.conf and paste the following:

$EscapeControlCharactersOnReceive off
$ModLoad ommysql.so
$ModLoad imtcp
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp

*.* :ommysql:localhost,DBNAME,DBUSER,DBPASS

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /usr/src/rsyslog-5.8.4/contrib/gnutls/ca.pem
$DefaultNetstreamDriverCertFile /usr/src/rsyslog-5.8.4/contrib/gnutls/cert.pem
$DefaultNetstreamDriverKeyFile /usr/src/rsyslog-5.8.4/contrib/gnutls/key.pem

$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 10514
$AllowedSender TCP, 127.0.0.1,
$CreateDirs on
$DirCreateMode 0755

Notes on this block:

The "*.* :ommysql:..." line writes every message into the MySQL database that phpLogCon reads. Replace DBNAME, DBUSER and DBPASS with your own values, create the schema first with plugins/ommysql/createDB.sql from the source tree, and keep /etc/rsyslog.conf mode 0600, because the database password sits in it in clear text.

The ca.pem, cert.pem and key.pem under contrib/gnutls are the sample files shipped with the rsyslog source. Their private key is public, so they are fine for a first test but must be replaced with certificates issued by your own CA before anything sensitive travels over the link.

$InputTCPServerStreamDriverMode 1 turns TLS on for the listener. AuthMode anon encrypts the session but authenticates neither side, so any host that can reach port 10514 can inject messages or, if it impersonates the server, collect them. For production use x509/name together with $InputTCPServerStreamDriverPermittedPeer (and the matching $ActionSendStreamDriverAuthMode x509/name and $ActionSendStreamDriverPermittedPeer on the clients), so that only certificates your CA issued, with the expected names, are accepted.

$AllowedSender TCP, 127.0.0.1, ends with a trailing comma where the client addresses belong: append each client's IP or network (for example 192.0.2.0/24) after the loopback address, otherwise every remote client is refused. This ACL checks only the source IP, which is why certificate-based authentication still matters.

$ModLoad imudp loads the UDP input, but no $UDPServerRun follows, so no plaintext UDP listener is opened; leave it that way unless you have legacy devices that can only send UDP. $EscapeControlCharactersOnReceive off lets raw control characters (including terminal escape sequences) into the files and the database, so only switch it off if a consumer really needs them.

Below this block, keep the distribution's normal local syslog rules (/var/log/messages and so on), so the server still logs locally if the database or the TLS input goes down.

Client setup:

  1. vi /etc/sysconfig/rsyslog and set the following value:

SYSLOGD_OPTIONS="-m 0"

(Do not add -r here: it makes rsyslog accept UDP syslog on port 514, which a client that only forwards does not need, and it would open an unauthenticated plaintext listener on every client.)

  2. vi /etc/rsyslog.conf and paste the following:

$ModLoad imuxsock.so
$ModLoad imklog.so

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$DefaultNetstreamDriverCAFile /usr/src/rsyslog-5.8.4/contrib/gnutls/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon

$CreateDirs on
$DirCreateMode 0755
*.* @@<log-server>:10514

Note: the "@@" above is not a typo. A single "@" forwards over UDP; "@@" forwards over TCP, which the TLS driver requires. Replace <log-server> with the address of the central server and keep the port equal to the one in its $InputTCPServerRun. The stream driver directives must come before the "@@" line, since they apply to the actions that follow them. The client needs only the CA file (it is what the server certificate would be checked against; in anon mode that check is skipped, which is one more reason to move to x509/name), and imtcp is a listener module that a forwarding-only client does not need.
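The review a practitioner would give the two fragments above, as an added example (this is not code from the page or from the rsyslog project): a small Python linter that parses legacy $Directive lines, flags the settings discussed in the notes (anonymous TLS, the sample PKI from the source tree, an AllowedSender list that names only the loopback address, x509 auth without a PermittedPeer, a listener on a client) and holds a tightened server fragment that passes. The hardened fragment assumes a CA under /etc/rsyslog-tls, client certificate names under example.net and a 10.0.0.0/24 client subnet; all three are hypothetical, as is the 10.0.0.5 server address in the client copy.

```python
import re

# Constructed copies of the server and client fragments from this page (not a
# full rsyslog.conf). The certificate paths are the sample files from the
# rsyslog source tree, exactly as the page uses them.
SERVER_CONF = """\
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /usr/src/rsyslog-5.8.4/contrib/gnutls/ca.pem
$DefaultNetstreamDriverCertFile /usr/src/rsyslog-5.8.4/contrib/gnutls/cert.pem
$DefaultNetstreamDriverKeyFile /usr/src/rsyslog-5.8.4/contrib/gnutls/key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 10514
$AllowedSender TCP, 127.0.0.1,
"""

CLIENT_CONF = """\
$DefaultNetstreamDriverCAFile /usr/src/rsyslog-5.8.4/contrib/gnutls/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@10.0.0.5:10514
"""

# The same listener tightened: own PKI (hypothetical /etc/rsyslog-tls), peer
# certificates checked by name, and the (hypothetical) client subnet allowed.
HARDENED_SERVER_CONF = """\
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog-tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-tls/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-tls/server-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerRun 10514
$AllowedSender TCP, 127.0.0.1, 10.0.0.0/24
"""

DIRECTIVE_RE = re.compile(r"\$(\w+)\s*(.*)$")


def directives(conf):
    """Map lower-cased $Directive name -> value; comments stripped, last one wins."""
    found = {}
    for line in conf.splitlines():
        m = DIRECTIVE_RE.match(line.split("#", 1)[0].strip())
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
    return found


def lint(conf, role):
    """Return [(code, why)] for TLS settings a reviewer would send back.

    role is "server" (imtcp listener) or "client" (forwarding action); the two
    roles spell the same stream-driver knobs with different directive prefixes.
    """
    d = directives(conf)
    prefix = "inputtcpserverstreamdriver" if role == "server" else "actionsendstreamdriver"
    findings = []

    if d.get("defaultnetstreamdriver", "").lower() != "gtls":
        findings.append(("no-tls-driver", "gtls not selected: traffic goes in the clear"))
    if d.get(prefix + "mode", "0") != "1":
        findings.append(("plain-tcp", "stream driver mode is not 1, so no TLS handshake"))

    auth = d.get(prefix + "authmode", "anon").lower()      # rsyslog's default is anon
    if auth == "anon":
        findings.append(("anon-auth", "anon encrypts but authenticates neither peer: "
                         "anyone reaching the port can inject or collect logs"))
    elif auth in ("x509/name", "x509/fingerprint") and prefix + "permittedpeer" not in d:
        findings.append(("no-permitted-peer", auth + " set but no PermittedPeer given"))

    for key in ("cafile", "certfile", "keyfile"):
        if "/contrib/gnutls/" in d.get("defaultnetstreamdriver" + key, ""):
            findings.append(("sample-pki", "uses the sample PKI shipped in the rsyslog "
                             "source tree; that private key is public"))
            break

    if role == "server":
        proto, _, rest = d.get("allowedsender", "").partition(",")
        peers = [p.strip() for p in rest.split(",") if p.strip()]
        if proto.strip().upper() == "TCP" and peers and all(
                p.startswith("127.") or p == "::1" for p in peers):
            findings.append(("loopback-only", "AllowedSender names only the loopback "
                             "address, so every remote client is refused"))
    elif "inputtcpserverrun" in d:
        findings.append(("client-listener", "a forwarding-only client should not listen"))
    return findings


if __name__ == "__main__":
    for name, conf, role in (("server", SERVER_CONF, "server"),
                             ("client", CLIENT_CONF, "client"),
                             ("hardened server", HARDENED_SERVER_CONF, "server")):
        print(name, lint(conf, role) or "OK")
```

The linter deliberately treats a missing AuthMode as anon, because that is rsyslog's default: forgetting the directive silently gives you encryption without authentication.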

Now restart rsyslog on both machines:

service rsyslog restart

To verify that the transmission is encrypted, capture the log traffic on port 10514 with ngrep on either machine:

ngrep -l -q -d eth0 port 10514

With TLS working, the payload shown for each packet is unreadable apart from the handshake. If you can read message text in the capture, the session is not using TLS: check that the stream driver mode is 1 on both sides and look in /var/log/messages for gtls errors. A quick functional check is "logger -t tlstest hello" on the client, followed by a grep for tlstest in the server's per-host file or database.

Enhancements: you can install phpLogCon, a PHP web-based log viewer, on top of the MySQL database that ommysql fills.

You can also have selected messages sent by e-mail, and set up failover (disk-queued) logging on the clients for the time the log server is unavailable. Leaving the default syslog rules below the remote-logging settings keeps local logging enabled as well.

In order to send e-mail you have to load the mail module and set the SMTP relay, sender, recipient and subject for each mail action. The complete set of mail rules, in the order they must appear in rsyslog.conf:

$ModLoad ommail

# discard some messages: the "~" action drops the message so that none of the
# rules below see it, which is why this line comes first
:msg, regex, ".*Failure Audit.*Account Logon.*Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1.*eporeplro" ~

# e-mail templates (defined once)
$template mailSubject,"Rsyslog Alert for %hostname%"
$template mailBody,"%msg%"

# e-mail sending: account management events
$ActionMailSMTPServer mailrelay.domain.com
$ActionMailFrom rsyslog@domain.com
$ActionMailTo jephe.wu@domain.com
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 60
:msg, regex, ".*Audit.Account Management." :ommail:;mailBody

# e-mail sending: failed logons
$ActionMailSMTPServer mailrelay.domain.com
$ActionMailFrom rsyslog@domain.com
$ActionMailTo jephe.wu@domain.com
$ActionMailSubject mailSubject
$ActionExecOnlyOnceEveryInterval 60
:msg, regex, ".*Failure Audit.*Account Logon.Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1." :ommail:;mailBody

$ActionExecOnlyOnceEveryInterval 60 applies to the action that follows it and limits that action to one e-mail per 60 seconds; further matches inside the interval are not mailed (they still reach the file and database actions further down). The filters are regular expressions matched against the message text, so the single dot between "Logon" and "Logon" matches any one character, and the leading ".*" is redundant but harmless. ommail speaks plain SMTP with no authentication and no TLS, so point it at an internal relay only, and remember that the alert body carries the raw message text.

Templates

$template DailyPerHostLogs,"/var/log/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%.log"
*.* -?DailyPerHostLogs

The "?" selects a dynamic file name built from the template (one file per host and day; the directories are created on demand because $CreateDirs is on), and the leading "-" skips the fsync after every write. %$YEAR%, %$MONTH% and %$DAY% come from the server's clock at processing time, not from the timestamp inside the message. %HOSTNAME% is whatever the client put in the message header, so a client can write into another host's file by claiming its name; %FROMHOST-IP% names the actual sender if you need that, and x509 authentication ties a connection to a certificate.

Other usage examples

$template 1,"/var/log/rsyslog/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-maillog.log"

if $source == 'app2' and $syslogfacility-text == 'mail' then -?1

$source is an alias for $hostname; this rule routes the mail-facility messages of host app2 into their own daily file. It does not stop the "*.*" rule above, so those messages land in both files.

On the clients, to queue messages on disk while the server is unreachable (the $ActionQueue* and $ActionResume* directives apply to the action that directly follows them, so keep them immediately above the "@@" line):

$WorkDirectory /var/log/rsyslog # default location for work (spool) files (create this folder first)
$ActionQueueType LinkedList   # run asynchronously
$ActionQueueFileName rsyslog  # set file name, also enables disk mode
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionResumeRetryCount -1    # infinite retries if host is down
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* @@log1.jephe.com:10514 # send (all) messages

The spool directory holds unsent messages in clear text on the client's disk, so create it owned by root with mode 0700 (rsyslogd runs as root with the init script above).

A client can also tag what it sends, for example with a site identifier, by applying a template to the forwarding action:

$template tplSiteID,"<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%,siteID,%msg%"
*.* @@centralsrv.example.net;tplSiteID

Here "siteID" is a literal inserted into every message, which the server can then filter on.

Back on the server, more per-host routing examples:

$template 1,"/var/log/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%-maillog.log"
if $source == 'hpay1' and $syslogfacility-text == 'mail' then -?1
:msg, regex, ".*Failure Audit.*Account Logon.Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1."  -?1
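To see what the discard rule, the throttled mail rules and the dynamic-file templates above actually do to a stream of messages, here is an added example in Python (not part of the original page and not rsyslog code): a toy replay of those rules with a minimal RFC 3164 parser, run over a handful of constructed log lines. The Windows lines imitate what an event-log forwarding agent emits; the hosts dc1, app2 and hpay1 and the year 2012 are assumptions, and the message timestamp stands in for rsyslog's processing-time clock so the run is deterministic. The engine keeps rsyslog's order of evaluation: the discard comes first, and $ActionExecOnlyOnceEveryInterval suppresses rather than queues.

```python
import re
from datetime import datetime

# The page's filters and templates, transcribed.
DISCARD_RE = re.compile(r".*Failure Audit.*Account Logon.*Logon attempt by: "
                        r"MICROSOFT_AUTHENTICATION_PACKAGE_V1.*eporeplro")
ACCT_MGMT_RE = re.compile(r".*Audit.Account Management.")
LOGON_FAIL_RE = re.compile(r".*Failure Audit.*Account Logon.Logon attempt by: "
                           r"MICROSOFT_AUTHENTICATION_PACKAGE_V1.")
DAILY_PER_HOST = "/var/log/rsyslog/{year}/{month:02d}/{day:02d}/{hostname}.log"
APP2_MAIL_LOG = "/var/log/rsyslog/{year}/{month:02d}/{day:02d}/{hostname}-maillog.log"
MAIL_SUBJECT = "Rsyslog Alert for {hostname}"   # $template mailSubject
MAIL_INTERVAL = 60                              # $ActionExecOnlyOnceEveryInterval 60

FACILITY_TEXT = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                 6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_TEXT.update({16 + i: "local%d" % i for i in range(8)})

# <PRI>Mmm dd hh:mm:ss host tag msg   (RFC 3164 as it arrives over TCP)
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+) (.*)$")


def parse_line(line, year):
    """Turn one syslog line into the rsyslog properties the rules use.
    RFC 3164 timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    pri = int(m.group(1))
    return {
        "timestamp": datetime.strptime(m.group(2), "%b %d %H:%M:%S").replace(year=year),
        "hostname": m.group(3),                       # $hostname, alias $source
        "syslogtag": m.group(4),
        "msg": m.group(5),
        "syslogfacility-text": FACILITY_TEXT.get(pri // 8, str(pri // 8)),
    }


class RuleEngine:
    """Replays the page's rules in rsyslog order: discard first, then the two
    throttled ommail actions, then the dynamic-file actions."""

    def __init__(self):
        self.last_mail = {}    # action name -> epoch seconds of its last run
        self.mails = []        # (subject, body) that ommail would send
        self.files = {}        # expanded file name -> lines appended to it
        self.discarded = []

    def _mail(self, action, p):
        """ommail guarded by $ActionExecOnlyOnceEveryInterval: inside the
        interval the message is skipped for this action, not queued."""
        now = p["timestamp"].timestamp()
        last = self.last_mail.get(action)
        if last is not None and now - last < MAIL_INTERVAL:
            return False
        self.last_mail[action] = now
        self.mails.append((MAIL_SUBJECT.format(hostname=p["hostname"]), p["msg"]))
        return True

    def _file(self, template, p, line):
        ts = p["timestamp"]
        path = template.format(year=ts.year, month=ts.month, day=ts.day,
                               hostname=p["hostname"])
        self.files.setdefault(path, []).append(line)

    def feed(self, line, year=2012):
        p = parse_line(line, year)
        if DISCARD_RE.match(p["msg"]):            # :msg, regex, "..." ~
            self.discarded.append(line)
            return
        if ACCT_MGMT_RE.match(p["msg"]):
            self._mail("account-management", p)
        if LOGON_FAIL_RE.match(p["msg"]):
            self._mail("logon-failure", p)
        self._file(DAILY_PER_HOST, p, line)        # *.* -?DailyPerHostLogs
        if p["hostname"] == "app2" and p["syslogfacility-text"] == "mail":
            self._file(APP2_MAIL_LOG, p, line)     # if $source == 'app2' and ... then -?1


# Constructed sample traffic (hosts and year are assumptions).
SAMPLE_LINES = [
    "<13>Jan 11 10:15:01 dc1 MSWinEventLog: Failure Audit Account Logon Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1 Account: jdoe Workstation: eporeplro",
    "<13>Jan 11 10:15:02 dc1 MSWinEventLog: Failure Audit Account Logon Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1 Account: jdoe Workstation: ws42",
    "<13>Jan 11 10:15:30 dc1 MSWinEventLog: Failure Audit Account Logon Logon attempt by: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1 Account: admin Workstation: ws42",
    "<13>Jan 11 10:16:10 dc1 MSWinEventLog: Success Audit Account Management User Account Created: svc-backup",
    "<22>Jan 11 10:16:12 app2 postfix/smtp[1234]: connect to mx.example.net[203.0.113.9]:25: Connection timed out",
    "<22>Jan 11 10:16:13 hpay1 postfix/smtp[77]: connect to mx.example.net[203.0.113.9]:25: Connection timed out",
    "<30>Jan 11 10:16:20 app2 sshd[200]: Accepted publickey for ops from 10.0.0.7 port 51000 ssh2",
]


def run(lines=SAMPLE_LINES):
    eng = RuleEngine()
    for line in lines:
        eng.feed(line)
    return eng
```

Running it over the sample: the first failed logon is discarded (it carries "eporeplro"), the second is mailed, the third is 28 seconds later and is suppressed by the throttle, the account-management event is mailed because it belongs to a different action with its own interval, and app2's postfix line ends up both in its daily file and in app2-maillog.log. The hpay1 rule from the page is not replayed here, so hpay1's mail message only reaches its daily file.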

Troubleshooting: stop the service, then run rsyslogd in the foreground with debug output so that configuration and TLS handshake errors appear on the terminal:

rsyslogd -c4 -dn

(-c4 selects the compatibility level, -d enables debug output, -n keeps the daemon from forking.)