CentOS Install Remote Logging Server

1) The document describes how to set up a centralized remote logging server on CentOS 6 to collect logs from network devices like routers and switches. 2) Key steps include installing rsyslog on the server, configuring it to receive logs from the devices over TCP/UDP, and setting up log rotation. 3) Logs are then viewable through the LogAnalyzer GUI which is also installed to provide an easy interface for analyzing the logs.


CentOS 6: Install Remote Logging Server (rsyslog)
In my office network we have a lot of small devices, such as routers and switches. My boss wants
a report on all of our network devices for auditing purposes. To accomplish this, I need a server
that runs as a logging server, accepting various types of logs from several devices, so that my
audit trail lives in one centralized location.
I will use my development server, which runs CentOS, to receive logs from my Mikrotik router at
192.168.0.1, as in the picture below (the diagram is not reproduced in this copy):

I am using the following variables:

Rsyslog OS: CentOS 6.0 64bit
Rsyslog Server IP: 192.168.0.160
Router hostname: router.mynetwork.org
Router IP: 192.168.0.1

Rsyslog Server
1. Install Rsyslog package:
$ yum install rsyslog -y

2. Make sure you have the following lines uncommented in /etc/rsyslog.conf:

$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imudp.so
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24
$AllowedSender TCP, 192.168.0.1

Note that $AllowedSender restricts senders for one protocol at a time: the two lines above limit
TCP senders only, so messages arriving on UDP port 514 are accepted from any source unless a
matching $AllowedSender UDP line is added for the router.

3. Add the following rule to /etc/rsyslog.conf so that logs received from the router are written
to a file called /var/log/router.log:

:fromhost-ip,isequal,"192.168.0.1" /var/log/router.log

This rule does not stop the same messages from also matching the *.info rule, so they appear in
/var/log/messages as well; if you want them only in router.log, place this rule above the *.info
line and follow it with a discard rule (& ~).
There are many options you can use to define your remote logging rules; see this page:
http://www.rsyslog.com/doc/property_replacer.html
4. Open firewall port 514 on TCP and UDP:
$ iptables -A INPUT -m tcp -p tcp --dport 514 -j ACCEPT
$ iptables -A INPUT -m udp -p udp --dport 514 -j ACCEPT

5. Restart the Rsyslog daemon to apply the configuration:

$ service rsyslog restart

6. We also need to rotate this log file so it does not keep eating up the server's disk space.
Create a new text file called router under the /etc/logrotate.d/ directory:
$ vim /etc/logrotate.d/router

And add the following lines:

/var/log/router.log
{
    daily
    rotate 5
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
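The listener and $AllowedSender directives in step 2 are easy to get subtly wrong, because $AllowedSender restricts one protocol at a time. The following shell script is an added example, not part of the original article: it audits a CentOS 6 style (legacy directive syntax) rsyslog.conf for network listeners that have no allow-list for their protocol, using a constructed copy of the article's directives (UDP left unrestricted) beside a hardened variant that adds an $AllowedSender UDP line. The function names and the temporary file paths are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit an rsyslog.conf in
# legacy "$..." directive syntax for network listeners that have no
# $AllowedSender restriction for their protocol. $AllowedSender applies per
# protocol, so restricting TCP leaves UDP open to any sender.

# Constructed copy of the article's listener section (weak: UDP unrestricted).
WEAK_CONF="${TMPDIR:-/tmp}/rsyslog-weak.conf"
cat > "$WEAK_CONF" <<'EOF'
$ModLoad imudp.so
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24
$AllowedSender TCP, 192.168.0.1
EOF

# Hardened variant (constructed): same listeners, UDP senders limited to the router.
HARD_CONF="${TMPDIR:-/tmp}/rsyslog-hard.conf"
cat > "$HARD_CONF" <<'EOF'
$ModLoad imudp.so
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24
$AllowedSender UDP, 192.168.0.1
EOF

# listeners FILE: print "<proto> <port>" for each active listener directive,
# skipping commented-out lines.
listeners() {
  awk '
    /^[[:space:]]*#/ { next }
    $1 == "$UDPServerRun"      { print "udp", $2 }
    $1 == "$InputTCPServerRun" { print "tcp", $2 }
  ' "$1"
}

# allowed_protocols FILE: protocols that have at least one $AllowedSender line
# (the protocol keyword is followed by a comma in the directive).
allowed_protocols() {
  awk '
    /^[[:space:]]*#/ { next }
    $1 == "$AllowedSender" { sub(/,$/, "", $2); print tolower($2) }
  ' "$1" | LC_ALL=C sort -u
}

# unrestricted_listeners FILE: protocols with a listener but no allow-list.
unrestricted_listeners() {
  for proto in $(listeners "$1" | awk '{ print $1 }' | LC_ALL=C sort -u); do
    allowed_protocols "$1" | grep -qx "$proto" || echo "$proto"
  done
}

# Usage: run against the two constructed files, then against the real config.
unrestricted_listeners "$WEAK_CONF"   # prints: udp
unrestricted_listeners "$HARD_CONF"   # prints nothing
```

Run it with the path to /etc/rsyslog.conf as the argument once the real configuration is in place; an empty result means every listening protocol has an allow-list.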

Router (Rsyslog Client)

1. The Mikrotik router supports remote logging. I just need to log in to Winbox > System >
Logging and configure Actions as in the screenshot below (not reproduced in this copy):

2. Next, we need to create the rules that define which logging levels we want sent to the rsyslog
server. Go to Winbox > System > Logging and configure Rules as in the screenshot below:

Testing
Now the router should be sending its log to the rsyslog server remotely, and we can check the
router logs by running the following command:
$ tail -f /var/log/router.log
Jan  8 17:23:28 192.168.0.1 system,info log action changed by admin
Jan  8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan  8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan  8 17:26:23 192.168.0.1 system,info PPP AAA settings changed by admin
Jan  8 17:26:40 192.168.0.1 system,info L2TP Server settings changed by admin
Jan  8 17:26:49 192.168.0.1 system,info filter rule changed by admin
Jan  8 17:26:50 192.168.0.1 system,info filter rule changed by admin
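Once router.log is filling up, the question for an audit is what changed, by whom and when. The script below is an added example, not from the article: it reads the RSYSLOG_TraditionalFileFormat lines that rsyslog writes for the router, using a constructed sample copied from the tail output above, summarises configuration-change events per object and user, and lists events that fall outside a given time window (for example an approved maintenance window). The function names and the sample file path are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise the router
# events rsyslog writes to /var/log/router.log. Lines follow
# RSYSLOG_TraditionalFileFormat ("Mon DD HH:MM:SS host tag message"); the
# Mikrotik topics (e.g. "system,info") arrive as the syslog tag.

# Constructed sample, copied from the article's tail output.
SAMPLE_LOG="${TMPDIR:-/tmp}/router-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
Jan  8 17:23:28 192.168.0.1 system,info log action changed by admin
Jan  8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan  8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan  8 17:26:23 192.168.0.1 system,info PPP AAA settings changed by admin
Jan  8 17:26:40 192.168.0.1 system,info L2TP Server settings changed by admin
Jan  8 17:26:49 192.168.0.1 system,info filter rule changed by admin
Jan  8 17:26:50 192.168.0.1 system,info filter rule changed by admin
EOF

# count_config_changes FILE [USER]
# For every "... changed by USER" event (USER defaults to admin), print
# "<what changed> <count>", one line per configuration object, sorted.
count_config_changes() {
  awk -v who="${2:-admin}" '
    # field 6 onward is the message; its last three words are "changed by <user>"
    NF >= 9 && $(NF-2) == "changed" && $(NF-1) == "by" && $NF == who {
      what = $6
      for (i = 7; i <= NF - 3; i++) what = what " " $i
      n[what]++
    }
    END { for (w in n) print w, n[w] }
  ' "$1" | LC_ALL=C sort
}

# events_outside_window FILE FROM TO
# Print events whose HH:MM:SS timestamp (field 3) is not within [FROM, TO].
# Fixed-width times compare correctly as strings.
events_outside_window() {
  awk -v from="$2" -v to="$3" '$3 < from || $3 > to' "$1"
}

# Usage against the constructed sample:
count_config_changes "$SAMPLE_LOG"
# L2TP Server settings 1
# PPP AAA settings 1
# filter rule 4
# log action 1
events_outside_window "$SAMPLE_LOG" 17:26:00 17:27:00
# Jan  8 17:23:28 192.168.0.1 system,info log action changed by admin
```

Pointed at /var/log/router.log, the first function gives a per-object count of configuration changes for an audit report, and the second surfaces changes made outside the window in which they were expected.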

Install LogAnalyzer
LogAnalyzer is a GUI front end to rsyslog and other network event data. It provides easy
browsing, analysis of real-time network events and reporting services.

Let us download and install the latest version:

# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

Extract it using the command:

# tar zxvf loganalyzer-3.6.5.tar.gz

Move the extracted package to your Apache document root folder:

# mv loganalyzer-3.6.5/src/ /var/www/html/loganalyzer
# mv loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/

Make the following scripts executable and run the configure.sh script:
# cd /var/www/html/loganalyzer/
# chmod +x configure.sh secure.sh
# ./configure.sh

The configure.sh script creates a blank PHP configuration file (config.php) that the web
installer fills in.


Adjust IPTABLES and SELINUX settings
Now let us allow syslog port 514 through iptables:
# vi /etc/sysconfig/iptables

Add the following line:

[...]
-A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
[...]

Restart the iptables service:

# service iptables restart

The iptables -A commands run earlier are not saved in this file, so only what is listed here
survives the restart; add a matching udp line if the router sends over UDP.

Disable SELINUX:
Edit the file /etc/sysconfig/selinux,
# vi /etc/sysconfig/selinux

and change SELINUX=enforcing to SELINUX=disabled:

SELINUX=disabled

Save and close the file. Reboot your server once so that all the changes take effect. Disabling
SELinux removes its mandatory access control for the entire server; SELINUX=permissive would keep
logging denials to /var/log/audit/audit.log without enforcing them.

Access LogAnalyzer
Point your web browser to http://ip-address/loganalyzer or http://domain-name/loganalyzer
and begin the LogAnalyzer installation.
You will be shown an error message that says: Critical Error occurred.
Click on the link that says: here.

Click Next.

Click Next.

From here on you should pay some extra attention. Enter the correct values with the correct lower
or upper case.
Click Yes on Enable User Database. Enter the database user name, password and database name
and click Next. Click Yes on the Require user to be logged in option.

Click Next to create the rsyslogdb tables.

Click Next.

Create an administrative user for the LogAnalyzer console. In my case, I create an administrative
user sk with password centos.

Select MySQL Native in the Source type drop-down box and enter the database name, database table
name, database username and password. Click Next.
Warning: double check the database name and table names, because they are case sensitive.
Refer to the screenshots. If you use systemevents in the table name field instead of
SystemEvents, you will not be able to install LogAnalyzer. Also make sure the database name,
database username and password are exactly as in the /usr/share/doc/rsyslog-mysql5.8.10/createDB.sql file.

Congratulations! You have successfully installed LogAnalyzer. Click Finish to complete the
installation.

Log in to the LogAnalyzer dashboard

Enter the admin user account details which we created earlier.

Now the main console screen will open with all the log details.
If it shows a message like "no syslog data", restart all the services once again:
# service rsyslog restart
# service httpd restart
# service mysql restart

Refresh the page again and you will see the log details of your server as shown in the screenshot
below.

Configure clients
Configuring a client is very easy. All you need to do is install the rsyslog package and add the
rsyslog server IP address to the configuration file.
Install the rsyslog package on your client systems.
For RHEL/CentOS clients:
# yum install rsyslog -y

For Debian/Ubuntu clients:

$ sudo apt-get install rsyslog

Open the rsyslog config file to add the rsyslog server details:
# vi /etc/rsyslog.conf

Add the rsyslog server details:

*.* @@192.168.1.101

(@@ forwards over TCP; a single @ would forward over UDP.) Then start the rsyslog service and
enable it at boot:

# service rsyslog start
# chkconfig rsyslog on

Now go to the rsyslog server and check for the client logs.

As you can see in the above screenshot, my client sk has been added and its log details are shown
in the LogAnalyzer admin console.
