Rsyslogd on centos 7 as remote syslog server with mysql and loganalyzer

Setup rsyslogd

Both listeners below accept plaintext syslog on port 514 from any host (rsyslog-gnutls is installed here but TLS is not configured), so the port should only be reachable from the clients that are meant to log here.

yum -y install rsyslog-gnutls rsyslog-mysql rsyslog-crypto
echo "\$ModLoad imudp" > /etc/rsyslog.d/server.conf
echo "\$UDPServerRun 514" >> /etc/rsyslog.d/server.conf
echo "\$ModLoad imtcp" >> /etc/rsyslog.d/server.conf
echo "\$InputTCPServerRun 514" >> /etc/rsyslog.d/server.conf
echo "\$PreserveFQDN on" >> /etc/rsyslog.d/server.conf

MySQL/MariaDB database configuration

Assuming MariaDB is already installed and running. Hint: make sure innodb_file_per_table = 1 is set in the MariaDB server configuration, because the compressed row format used for the tables below requires it.

Database setup

Syslog Default Format

mysql < /usr/share/doc/rsyslog-*/mysql-createDB.sql
mysql -Be "ALTER TABLE Syslog.SystemEvents ENGINE=innodb DEFAULT CHARSET=UTF8 row_format=COMPRESSED KEY_BLOCK_SIZE=4"
mysql -Be "ALTER TABLE Syslog.SystemEvents ADD INDEX SyslogTag(SyslogTag);"
mysql -Be "ALTER TABLE Syslog.SystemEvents ADD INDEX FromHost(FromHost);"

Loganalyzer db setup

mysql -Be "use Syslog; DROP TABLE IF EXISTS php_log; CREATE TABLE \`php_log\` (\
      \`ID\` INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,\
      \`FromHost\` varchar(100) NOT NULL,\
      \`Priority\` int(2) NOT NULL,\
      \`Message\` text NOT NULL,\
      \`DeviceReportedTime\` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,\
      \`ReceivedAt\` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',\
      \`SyslogTag\` varchar(60) NOT NULL,\
      KEY \`FromHost\` (\`FromHost\`),\
      KEY \`SyslogTag\` (\`SyslogTag\`)\
    ) ENGINE=InnoDB DEFAULT CHARSET=UTF8 row_format=COMPRESSED KEY_BLOCK_SIZE=4;"

Database Users

# -f lets mysql continue past the error DROP USER raises when the user does not exist yet
mysql -Bfe "DROP USER 'syslogwriter'@'localhost'; CREATE USER 'syslogwriter'@'localhost' IDENTIFIED BY 'secretpassword1';"
mysql -Be "GRANT INSERT ON Syslog.* To 'syslogwriter'@'localhost';"

mysql -Bfe "DROP USER 'syslogreader'@'localhost'; CREATE USER 'syslogreader'@'localhost' IDENTIFIED BY 'secretpassword2';"
mysql -Be "GRANT SELECT ON Syslog.* To 'syslogreader'@'localhost';"

mysql -Bfe "DROP USER 'syslogmaster'@'localhost'; CREATE USER 'syslogmaster'@'localhost' IDENTIFIED BY 'secretpassword3';"
mysql -Be "GRANT ALL ON Syslog.* To 'syslogmaster'@'localhost';"

mysql -Be "DROP DATABASE IF EXISTS loganalyzer; CREATE DATABASE loganalyzer;"
mysql -Bfe "DROP USER 'loganalyzer'@'localhost'; CREATE USER 'loganalyzer'@'localhost' IDENTIFIED BY 'secretpassword4';"
mysql -Be "GRANT ALL ON loganalyzer.* To 'loganalyzer'@'localhost';"
mysql -Be "FLUSH PRIVILEGES;"

Extend rsyslogd configuration for MySQL settings

echo "\$ModLoad ommysql" >> /etc/rsyslog.d/server.conf

Loganalyzer rsyslogd setup

The trailing SQL option on the template makes rsyslog escape the substituted properties for SQL; without it a message body containing a single quote would break the INSERT, and %msg% is untrusted text that arrives from the network.

echo "\$template php_log,\"insert into php_log (FromHost, Priority, Message, DeviceReportedTime, ReceivedAt, SyslogTag ) values ('%HOSTNAME%', \\" >> /etc/rsyslog.d/server.conf
echo "'%syslogpriority%', \\" >> /etc/rsyslog.d/server.conf
echo "'%msg%', \\" >> /etc/rsyslog.d/server.conf
echo "'%timereported:::date-mysql%', \\" >> /etc/rsyslog.d/server.conf
echo "'%timegenerated:::date-mysql%', \\" >> /etc/rsyslog.d/server.conf
echo "'%syslogtag%')\",SQL" >> /etc/rsyslog.d/server.conf
echo ":syslogtag, :omusrmsg:startswith, :omusrmsg:php :ommysql:localhost,Syslog,syslogwriter,secretpassword1;php_log stop" >> /etc/rsyslog.d/server.conf

Syslog filters

Matching messages from every host go to the SystemEvents table; messages that did not originate on this host are then dropped, so they do not also land in the local /var/log files (CentOS 7 includes /etc/rsyslog.d/*.conf before its own log file rules).

FQDN=$(hostname -f)
echo "auth.*;kern.*;*.emerg;*.alert;*.crit;*.err;*.warning :ommysql:localhost,Syslog,syslogwriter,secretpassword1" >> /etc/rsyslog.d/server.conf
echo "if \$hostname != '$FQDN' then stop" >> /etc/rsyslog.d/server.conf
chmod 640 /etc/rsyslog.d/server.conf
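To see exactly which messages the filter line above hands to ommysql, here is an added example (not from the original post) that models rsyslog's legacy selector syntax in Python; it assumes the usual sysklogd selector rules and the standard numeric facility and severity codes.

```python
# Added example (not from the original post): a model of rsyslog's legacy selector
# syntax, so the server-side filter line above can be checked offline. Messages are
# identified by the PRI value a client puts on the wire (facility * 8 + severity),
# which is what the clients' "*.* @@host:514" forwards.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SERVER_FILTER = "auth.*;kern.*;*.emerg;*.alert;*.crit;*.err;*.warning"  # from this post

def parse_selector_line(line):
    """Return {facility_code: set(severity_codes)} accepted by a selector list.
    Selectors apply left to right (sysklogd rules): a plain priority adds that severity
    and everything more urgent, "=" adds exactly one, "!" removes, "none" clears."""
    allowed = {code: set() for code in range(24)}
    for selector in filter(None, (s.strip() for s in line.split(";"))):
        facs, _, pri = selector.rpartition(".")
        negate = pri.startswith("!")          # "!err": exclude err and worse
        pri = pri.lstrip("!")
        exact = pri.startswith("=")           # "=err": only err
        pri = pri.lstrip("=")
        if pri == "none":
            sevs, negate = set(range(8)), True
        elif pri == "*":
            sevs = set(range(8))
        elif exact:
            sevs = {SEVERITIES.index(pri)}
        else:
            sevs = set(range(SEVERITIES.index(pri) + 1))
        targets = range(24) if facs == "*" else [FACILITIES[f] for f in facs.split(",")]
        for code in targets:
            if negate:
                allowed[code] -= sevs
            else:
                allowed[code] |= sevs
    return allowed

def matches(pri, line=SERVER_FILTER):
    """True if a message with this wire PRI value is selected by the filter line."""
    facility, severity = divmod(pri, 8)
    return severity in parse_selector_line(line).get(facility, set())

if __name__ == "__main__":
    for pri in (38, 30, 28, 134):  # auth.info, daemon.info, daemon.warning, local0.info
        print(pri, "-> ommysql" if matches(pri) else "-> not stored")
```

Note that the post's filter is equivalent to `auth.*;kern.*;*.warning`, since a plain priority already selects everything more urgent than itself.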

Restart rsyslogd

systemctl restart rsyslog

Install LogAnalyzer

Assuming Apache and PHP are already installed.

wget -P /usr/local/src/ http://download.adiscon.com/loganalyzer/loganalyzer-4.1.3.tar.gz
tar xvzf /usr/local/src/loganalyzer-*.tar.gz -C /usr/local/src
mv /usr/local/src/loganalyzer-*/src /var/www/html/loganalyzer
touch /var/www/html/loganalyzer/config.php
chown -v apache:apache /var/www/html/loganalyzer/config.php

Proceed with the web installer at http://server/loganalyzer/ using the loganalyzer and syslogreader accounts created above.

Mysql client profile setup

SQL credentials for interactive use and for the cleanup cron job go in root's ~/.my.cnf; the file holds the syslogmaster password, so keep it readable by root only.

echo "[client]" > ~/.my.cnf
echo "password=secretpassword3" >> ~/.my.cnf
echo "port=3306" >> ~/.my.cnf
echo "user=syslogmaster" >> ~/.my.cnf
echo "socket=/var/lib/mysql/mysql.sock" >> ~/.my.cnf
echo "default-character-set=utf8" >> ~/.my.cnf

Script for cleaning logs

Keep logs for 20 days only, but keep AUTH facility logs forever.

# rsyslog stores the numeric facility code in SystemEvents.Facility; auth is 4
# (sshd and sudo on CentOS log to authpriv, 10, add it here if those must be kept too)
echo "mysql -Bs Syslog -e \"DELETE FROM Syslog.SystemEvents WHERE DeviceReportedTime <= NOW() - INTERVAL 20 DAY AND Facility <> 4;\"" > /usr/local/bin/rsyslog_mysql_cleanup.sh
echo "mysql -Bs Syslog -e \"DELETE FROM Syslog.php_log WHERE DeviceReportedTime <= NOW() - INTERVAL 20 DAY;\"" >> /usr/local/bin/rsyslog_mysql_cleanup.sh
chmod 750 /usr/local/bin/rsyslog_mysql_cleanup.sh

Cronjob

Cleanup every 30 minutes.

echo "*/30 * * * * root /bin/sh /usr/local/bin/rsyslog_mysql_cleanup.sh" >> /etc/crontab
systemctl restart crond

Rsyslog clients setup

On each rsyslog client, put the following in /etc/rsyslog.d/forwarding.conf (the queue settings must come before the forwarding action they apply to):

$PreserveFQDN on
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList   # run asynchronously
$ActionResumeRetryCount -1    # infinite retries if host is down
*.* @@rsyslog.loc.example.com:514
:syslogtag, startswith, "php" stop

PS: be sure to set up your own passwords; the secretpassword values above are placeholders.
