Presentation is loading. Please wait.

Presentation is loading. Please wait.

Centralized System Logging With A Database Manitoba UNIX User Group Kevin McGregor February 13, 2007.

Published byMatilda Anthony Modified over 8 years ago

Similar presentations

Presentation on theme: "Centralized System Logging With A Database Manitoba UNIX User Group Kevin McGregor February 13, 2007."— Presentation transcript:

1 Centralized System Logging With A Database Manitoba UNIX User Group Kevin McGregor February 13, 2007

2 The Situation Multiple hosts and devices are logging stuff Log files are scattered Reports and analyses are being requested

3 Requirements And Constraints I’d prefer free software (gratis/libre) Open standards Must work with available equipment

4 My Solution Send information from all syslog devices to a syslog server, which stores the logs in a database for future reporting Servers run Ubuntu Server 6.06.1 LTS PostgreSQL 8.1 Syslog-ng

5 What Is syslog? Three things, really:  A method of general system logging on UNIX via system calls  A log format  A network log transmission mechanism with three roles: syslog device  A source of syslog messages syslog relay  Relays some or all messages to a syslog server syslog server  Final destination of syslog messages  Note: Many ways to structure the three roles

6 Why syslog-ng? Use TCP along with UDP Filtering based on message content Support for encryption, tunneling, firewalls Can run in chroot environment

7 Which Databases Can We Use? Using this method, any database with a Linux client:  MySQL  PostgreSQL  SQL Server  Sybase ASE  Oracle  DB2  Others

8 Set Up A Test Machine For Windows XP, get and install Kiwi SyslogGen for testing, pgAdmin for general database management (both free) For this demo, add to c:\windows\system32\drivers\etc\hosts: 192.168.182.128loghost 192.168.182.129db

9 Loghost Configuration (1 of 3) Install syslog-ng, postgresql-client-8.1, openssh-server, openntp Check logs (/var/log/{daemon.log,syslog}) Create pipe (“ mkfifo /var/run/pgsql.pipe ” or “ mknod /var/run/pgsql.pipe p ”) chmod 700 /var/run/pgsql.pipe

10 Loghost Configuration (2 of 3) Add to /etc/syslog-ng/syslog-ng.conf: source s_net { udp(); }; destination dp_pgsql { pipe( “/var/run/pgsql.pipe” template(“INSERT INTO logs (rcvd,sent,fac,lev,pri,tag,host,sourceip,program,msg) VALUES( ‘$R_ISODATE’, ’$S_ISODATE’, ’$FACILITY’, ’$LEVEL’, ’$PRI’, ’$TAG’, ’$HOST’, ’$SOURCEIP’, ’$PROGRAM’, ’$MSGONLY’ );\n”) template_escape(yes) ); }; log { source(s_net); destination(dp_pgsql); };

11 Loghost Configuration (3 of 3) Signal syslog-ng to re-read syslog-ng.conf  kill –HUP Check pipe contents:  cat </var/run/pgsql.pipe Send a test log message to loghost with SyslogGen

12 Database Host Configuration (1 of 2) Install the necessary software apt-get install postgresql-8.1 openssh-server openntp Configure PostgreSQL: Add to /etc/postgresql/8.1/main/pg_hba.conf: host syslogdemo sysloguser 192.168.182.0/24 trust host all postgres 192.168.182.0/24 trust Change in /etc/postgresql/8.1/main/postgresql.conf: listen addresses = ‘*’

13 Database Host Configuration (2 of 2) Set up the database, user, table and permissions: su postgres createdb syslogdemo psql –d syslogdemo create role sysloguser login; CREATE TABLE logs ( rcvd timestamp with time zone, sent timestamp with time zone, fac character varying(10), lev character varying(10), pri integer, tag character(2), host character varying(32), sourceip inet, program text, msg text, entry serial NOT NULL, PRIMARY KEY (entry) ) ; ALTER TABLE logs OWNER TO postgres; GRANT ALL ON TABLE logs TO postgres; GRANT INSERT ON TABLE logs TO sysloguser; GRANT UPDATE ON SEQUENCE logs_entry_seq TO sysloguser;

14 Back To Loghost Add to inittab: sl:2345:respawn:/usr/local/bin/syslog-ng-pgsql-pipe.sh Create /usr/local/bin/syslog-ng-pgsql-pipe.sh: [[ -p /var/run/pgsql.pipe ]] || /bin/mknod /var/run/pgsql.pipe p exec /usr/bin/psql –U sysloguser –d syslogdemo –h db </var/run/pgsql.pipe Don’t forget to chmod 700 /usr/local/bin/syslog-ng-pgsql-pipe.sh Add to loghost’s /etc/hosts: 192.168.182.129 db Then ‘telinit q’ to have init re-read inittab and start everything going.

15 Issues, Concerns, Enhancements Database security (Research this) Database structure/design (See links) Database optimization (PostgreSQL defaults not good for large number of records) Web reporting (Probably Apache/PHP) Log Squid-cache, Apache (Large amount of data!)

16 Links Syslog-ng (http://www.balabit.com/products/syslog_ng/)http://www.balabit.com/products/syslog_ng/ PostgreSQL (http://www.postgresql.org/)http://www.postgresql.org/ Ubuntu (http://www.ubuntu.com/)http://www.ubuntu.com/ Kiwi Logger (http://www.kiwisyslog.com/index.php)http://www.kiwisyslog.com/index.php Snare EventLog Agent for Windows (http://www.intersectalliance.com/projects/SnareWindows/)http://www.intersectalliance.com/projects/SnareWindows/ pgAdmin (http://www.pgadmin.org/)http://www.pgadmin.org/ VMware (http://www.vmware.com/)http://www.vmware.com/ RFC 3164 (http://www.ietf.org/rfc/rfc3164.txt)http://www.ietf.org/rfc/rfc3164.txt Some sites you’d find via Google anyway: http://www.campin.net/syslog-ng/faq.html http://ben.muppethouse.com/SYSLOG-DOC.html http://www.kdough.net/docs/syslog_postgresql/ http://www.whitemiceconsulting.com/node/103 http://community.seattleserver.com/viewtopic.php?p=33& http://www.campin.net/syslog-ng/faq.html http://ben.muppethouse.com/SYSLOG-DOC.html http://www.kdough.net/docs/syslog_postgresql/ http://www.whitemiceconsulting.com/node/103 http://community.seattleserver.com/viewtopic.php?p=33&

Download ppt "Centralized System Logging With A Database Manitoba UNIX User Group Kevin McGregor February 13, 2007."

Similar presentations

Everything under control ©ANT Group 2008 Garda System.

Everything under control ©ANT Group 2008 Garda System.
iRequestManager for MediMizer X3

iRequestManager for MediMizer X3
Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.

Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.
ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.

ActiveXperts Network Monitor Monitors servers, workstations and devices for availability Alerts and corrects.
Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated 9-18-08.

Hands-On Ethical Hacking and Network Defense Chapter 5 Port Scanning Last updated
Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.

Advantage Data Dictionary. agenda Creating and Managing Data Dictionaries –Tables, Indexes, Fields, and Triggers –Defining Referential Integrity –Defining.
Lesson 22 – Introduction to Linux Systems Administration.

Lesson 22 – Introduction to Linux Systems Administration.
Security SIG: Introduction to Tripwire Chris Harwood John Ives.

Security SIG: Introduction to Tripwire Chris Harwood John Ives.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 8 Introduction to Printers in a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 8 Introduction to Printers in a Windows Server 2008 Network.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.

Pro Exchange SPAM Filter An Exchange 2000 based spam filtering solution.
AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.

AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Securing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Securing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
SYST 28043 Web Technologies SYST 28043 Web Technologies Installing a Web Server (XAMPP)

SYST Web Technologies SYST Web Technologies Installing a Web Server (XAMPP)
Linux Operations and Administration

Linux Operations and Administration
Overview What is SQL Server? Creating databases Administration Security Backup.

Overview What is SQL Server? Creating databases Administration Security Backup.
Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.

Va-scanCopyright 2002, Marchany Securing Solaris Servers Randy Marchany.
Guide to Operating System Security Chapter 9 Web, Remote Access, and VPN Security.

Guide to Operating System Security Chapter 9 Web, Remote Access, and VPN Security.

Similar presentations

Ads by Google