Install Or Upgrade To Latest Stable Version Of Rsyslog On CentOS 5 And 6

Follow me on Twitter

This tutorial shows how you can install new generation of syslog servers by using Rsyslog on CentOS 5. It also shows you how to upgrade obsolete Rsyslog 4.0 on CentOS 6. According to Rsyslog web site (www.rsyslog.com), Rsyslog is an enhanced syslogd supporting, among others, MySQL, PostgreSQL, failover log destinations, syslog/tcp, fine grain output format control, high precision timestamps, queued operations and the ability to filter on any message part. It is quite compatible to stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption protected syslog relay chains while at the same time being very easy to setup for the novice user.

Goals

This tutorial shows how you can compile and install latest stable version of Rsyslog on CentOS 5.0 and CentOS 6.0 . I do not issue any guarantee that this will work for you!

Enabling Additional Repositories (For CentOS 5.x ONLY)

If you are using CentOS 5.x then you need to enable extra repository for packages which is not available on regular CentOS repositories. we can enable this repository as follows:

Note: Run the following commands on CentOS 5.x ONLY

#########
# Warning! Run the following command on CentOS 5.x x86_64 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

#########
# Warning! Run the following command on CentOS 5.x i386 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm

#########
# Warning! Run the following command on both CentOS 5.x i386 and x86_64
#########

rpm -ivh epel-release-5-4.noarch.rpm

Enabling Additional Repositories (For CentOS 6.x ONLY)

If you are using CentOS 6.x then you need to enable extra repository for packages which is not available on regular CentOS repositories. you can enable this repository as follows:

Note: Run the following commands on CentOS 6.x ONLY

#########
# Warning! Run the following command on CentOS 6.x x86_64 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-6.noarch.rpm

#########
# Warning! Run the following command on CentOS 6.x i386 ONLY
#########

wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-6.noarch.rpm

#########
# Warning! Run the following command on both CentOS 6.x i386 and x86_64
#########

rpm -ivh epel-release-6-6.noarch.rpm

Pre-Installation (Both CentOS 5 And 6)

Install required packages using YUM command:

yum install gcc glibc-devel glibc-headers kernel-headers libgomp cpp glibc glibc-common libgcc nscd make
yum install zlib zlib-devel pcre pcre-devel mysql-server mysql-devel gnutls gnutls-devel gnutls-utils
yum install libxml2-devel net-snmp net-snmp-devel net-snmp-libs net-snmp-perl net-snmp-utils libxml2
yum install libnet libnet-devel --disablerepo=* --enablerepo=epel

Usually CentOS installs all the dependent packages BUT, in some cases, you may also need the following packages:

yum install beecrypt beecrypt-devel e2fsprogs-devel
yum install elfutils-devel elfutils-devel-static elfutils-libelf-devel elfutils-libelf-devel-static elfutils-libs
yum install keyutils-libs-devel krb5-devel libgcrypt-devel libgpg-error-devel libselinux-devel libsepol-devel
yum install lm_sensors lm_sensors-devel mysql nspr-devel nss-devel openssl-devel perl-DBD-MySQL perl-DBI rpm-devel sqlite-devel
yum install e2fsprogs e2fsprogs-libs krb5-libs krb5-workstation libgcrypt libselinux libselinux-python libselinux-utils
yum install nspr nss nss-tools openssl popt rpm rpm-libs rpm-python

Download Additional Package (Both CentOS 5 And 6)

librelp (Reliable Event Logging Protocol Library) is an easy to use library for the RELP protocol. RELP in turn provides reliable event logging over the network. RELP (and hence) librelp assures that no message is lost, not even when connections break and a peer becomes unavailable. Please note that RELP is a general-purpose, extensible logging protocol. Even though it was designed to solve the urgent need of rsyslog-to-rsyslog communication, RELP supports many more applications.

Note: if you are running a 64-bit system then add --libdir=/usr/lib64 to the end of ./configure command

cd /tmp
wget http://libestr.adiscon.com/files/download/libestr-0.1.2.tar.gz
tar -xvf libestr-0.1.2.tar.gz
cd libestr-0.1.2
./configure --prefix=/usr
make
make install

cd /tmp
wget http://www.libee.org/files/download/libee-0.4.1.tar.gz
tar -xvf libee-0.4.1.tar.gz
cd libee-0.4.1
./configure --prefix=/usr
make
make install

cd /tmp
wget http://download.rsyslog.com/librelp/librelp-1.0.0.tar.gz
tar -xvf librelp-1.0.0.tar.gz
cd librelp-1.0.0
./configure --prefix=/usr
make
make install

Download Rsyslog Package

At the time of writing this tutorial, I find rsyslog 5.8.12 is latest stable version of Rsyslog which supports most of the good features you might need.

cd /tmp
wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.8.12.tar.gz
tar -xvf rsyslog-5.8.12.tar.gz
cd rsyslog-5.8.12

Compile And Install Rsyslog

For more information about options which are available in Rsyslog , you can run

./configure --help

The following command enable almost all the rsyslog feature such as Compression, Multithreading, MySql, SNMP, Mail, RELP support and etc.

./configure \
--prefix= --enable-regexp \
--enable-zlib --enable-pthreads --enable-klog \
--enable-inet --enable-unlimited-select --enable-debug --enable-rtinst \
--enable-memcheck --enable-diagtools --enable-mysql --enable-snmp \
--enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests \
--enable-mail --enable-valgrind --enable-relp --enable-testbench \
--enable-pmlastmsg --enable-imptcp --enable-omruleset \
--enable-imdiag --enable-imfile --enable-omstdout --enable-omdbalerting \
--enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-omudpspoof \
--enable-omprog --enable-impstats --enable-mmsnmptrapd
make
make install

Attention: --prefix= tells the system to install rsyslog on /sbin folder. Its very important in CentOS 6.0

Post Installation

mkdir -p /etc/rsyslog.d/
mkdir -p /var/spool/rsyslog
chmod 755 /var/spool/rsyslog

#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########

cp /etc/syslog.conf /etc/rsyslog.d/syslog.conf
rpm -ev --nodeps sysklogd
touch /etc/rsyslog.conf
chmod 644 /etc/rsyslog.conf

#########
# Warning! Run the following commands on CentOS 6.x ONLY
#########

cp /etc/rsyslog.conf /etc/rsyslog.d/syslog.conf
vi /etc/rsyslog.d/syslog.conf

#Open syslog.conf file and CUT ALL LINES BEFORE #### RULES #### AND AFTER ### begin forwarding rule ###

It is highly recommended to use the new syntax exclusively.
Change "*.emerg *" to "*.emerg :omusrmsg:*"

Rsyslog Configuration

vi /etc/init.d/rsyslog

#rsyslog v5 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so    # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so      # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so     # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerAddress *
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp.so  
#$InputTCPServerRun 514
#$ModLoad imrelp.so
#$InputRELPServerRun 20514 
#ModLoad ommail.so 
#$ActionMailSMTPServer mail.example.net
#$ActionMailFrom rsyslog@example.net
#$ActionMailTo operator@example.net
#$ActionMailTo admin@example.net
#$template mailSubject,"disk problem on %hostname%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 21600
#if $msg contains 'hard disk fatal failure' then :ommail:;mailBody
#### GLOBAL DIRECTIVES ####
$umask 0000
$DirCreateMode 0640
$FileCreateMode 0640
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList      
$ActionQueueFileName queue       
$ActionResumeRetryCount -1       
$ActionQueueSaveOnShutdown on
$MainMsgQueueMaxFileSize 100M  
$ActionQueueMaxFileSize 5M     
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required, 
# not useful and an extreme performance hit
#$ActionFileEnableSync on
#### START OF RULES ####
$IncludeConfig /etc/rsyslog.d/*.conf
#### END OF RULES ####
#### Forward via TCP with maximum compression: ####
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @@(z9)192.168.x.x:514
#### Forward via UDP with maximum compression: ####
#$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.*       @(z9)192.168.x.x:514
#### Forward via RELP Protocol : ####
#$ModLoad omrelp.so
#*.*      :omrelp:192.168.x.x:20514
#$ModLoad ommysql.so
#*.*      :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password

vi /etc/rsyslog.d/syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg 						:omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Configure Init Script

vi /etc/init.d/rsyslog

#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting, 
#              among others, MySQL, syslog/tcp, RFC 3195, permitted 
#              sender lists, filtering on any message part, and fine 
#              grain output format control.
### END INIT INFO
# Source function library.
. /etc/init.d/functions
RETVAL=0
PIDFILE=/var/run/syslogd.pid
prog=rsyslog
exec=/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog
# Source config
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi
start() {
        [ -x $exec ] || exit 5
        umask 077
        echo -n $"Starting system logger: "
        daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}
stop() {
        echo -n $"Shutting down system logger: "
        killproc -p "$PIDFILE" $exec
        RETVAL=$?
        echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}
reload()  {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog";
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}
rhstatus() {
        status -p "$PIDFILE" $exec
}
restart() {
        stop
        start
}
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  reload|force-reload)
        reload
        ;;
  status)
        rhstatus
        ;;
  condrestart|try-restart)
        rhstatus >/dev/null 2>&1 || exit 0
        restart
        ;;
  *)
        echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
        exit 2
esac
exit $?

Prepare MySQL Database

Installing mySQL is Mandatory if you want to save syslog records to db otherwise skip this part

mysql -u root -p < plugins/ommysql/createDB.sql
mysql -u root -p mysql
GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'your-mysql-password';
flush privileges;

Configure Rsyslog Daemon

echo 'SYSLOGD_OPTIONS="-c5"' > /etc/sysconfig/rsyslog
chmod 755 /etc/init.d/rsyslog

#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########

chkconfig --add rsyslog
chkconfig rsyslog on
touch /etc/logrotate.d/syslog
chmod 644 /etc/logrotate.d/syslog

Rsyslog Log Rotate

vi /etc/logrotate.d/syslog

/var/log/boot.log
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Start Rsyslog

chmod 644 /etc/rsyslog.conf
service rsyslog start
tail -f /var/log/messages

Test Rsyslog

logger "this is a test message"
logger -p local0.info -t testtag "this is a test message"

Links

Iran Honeynet Project: http://www.honeynet.ir/
Rsyslog Project: http://www.rsyslog.com/
CentOS: http://www.centos.org/