On this page
- Install Or Upgrade To Latest Stable Version Of Rsyslog On CentOS 5 And 6
- Goals
- Enabling Additional Repositories (For CentOS 5.x ONLY)
- Enabling Additional Repositories (For CentOS 6.x ONLY)
- Pre-Installation (Both CentOS 5 And 6)
- Download Additional Package (Both CentOS 5 And 6)
- Download Rsyslog Package
- Compile And Install Rsyslog
- Post Installation
- Rsyslog Configuration
- Configure Init Script
- Prepare MySQL Database
- Configure Rsyslog Daemon
- Rsyslog Log Rotate
- Start Rsyslog
- Test Rsyslog
- Links
Install Or Upgrade To Latest Stable Version Of Rsyslog On CentOS 5 And 6
This tutorial shows how to install a new-generation syslog server, Rsyslog, on CentOS 5, and how to upgrade the outdated Rsyslog 4.x that ships with CentOS 6. According to the Rsyslog web site (www.rsyslog.com), Rsyslog is an enhanced syslogd supporting, among other things, MySQL, PostgreSQL, failover log destinations, syslog/tcp, fine-grained output format control, high-precision timestamps, queued operations and the ability to filter on any message part. It is largely compatible with stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption-protected syslog relay chains while remaining very easy to set up for the novice user.
Goals
This tutorial shows how to compile and install the latest stable version of Rsyslog on CentOS 5.0 and CentOS 6.0. I do not issue any guarantee that this will work for you!
Enabling Additional Repositories (For CentOS 5.x ONLY)
If you are using CentOS 5.x you need to enable the EPEL repository, which carries packages (such as libnet, installed below) that are not in the regular CentOS repositories. The epel-release package is fetched over plain HTTP and rpm only warns about its not-yet-imported signing key; once installed, the package places the EPEL key under /etc/pki/rpm-gpg/ and enables gpgcheck for the repository, so every package you install from EPEL afterwards is signature-checked. The release number in the file name (5-4 here) changes over time; if the URL no longer resolves, take the current epel-release package from the same directory. Enable the repository as follows:
Note: Run the following commands on CentOS 5.x ONLY
#########
# Warning! Run the following command on CentOS 5.x x86_64 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
#########
# Warning! Run the following command on CentOS 5.x i386 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
#########
# Warning! Run the following command on both CentOS 5.x i386 and x86_64
#########
rpm -ivh epel-release-5-4.noarch.rpm
Enabling Additional Repositories (For CentOS 6.x ONLY)
If you are using CentOS 6.x you need to enable the EPEL repository, which carries packages (such as libnet, installed below) that are not in the regular CentOS repositories. As with CentOS 5, the epel-release package comes over plain HTTP, rpm only warns about its not-yet-imported key, and the installed package then enables GPG checking for everything installed from EPEL; the release number (6-6 here) changes over time, so take the current package from the same directory if this one is gone. Enable the repository as follows:
Note: Run the following commands on CentOS 6.x ONLY
#########
# Warning! Run the following command on CentOS 6.x x86_64 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-6.noarch.rpm
#########
# Warning! Run the following command on CentOS 6.x i386 ONLY
#########
wget http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-6.noarch.rpm
#########
# Warning! Run the following command on both CentOS 6.x i386 and x86_64
#########
rpm -ivh epel-release-6-6.noarch.rpm
Pre-Installation (Both CentOS 5 And 6)
Install required packages using YUM command:
yum install gcc glibc-devel glibc-headers kernel-headers libgomp cpp glibc glibc-common libgcc nscd make
yum install zlib zlib-devel pcre pcre-devel mysql-server mysql-devel gnutls gnutls-devel gnutls-utils
yum install libxml2-devel net-snmp net-snmp-devel net-snmp-libs net-snmp-perl net-snmp-utils libxml2
yum install libnet libnet-devel --disablerepo=* --enablerepo=epel
Usually yum pulls in all the dependent packages, but in some cases you may also need the following:
yum install beecrypt beecrypt-devel e2fsprogs-devel
yum install elfutils-devel elfutils-devel-static elfutils-libelf-devel elfutils-libelf-devel-static elfutils-libs
yum install keyutils-libs-devel krb5-devel libgcrypt-devel libgpg-error-devel libselinux-devel libsepol-devel
yum install lm_sensors lm_sensors-devel mysql nspr-devel nss-devel openssl-devel perl-DBD-MySQL perl-DBI rpm-devel sqlite-devel
yum install e2fsprogs e2fsprogs-libs krb5-libs krb5-workstation libgcrypt libselinux libselinux-python libselinux-utils
yum install nspr nss nss-tools openssl popt rpm rpm-libs rpm-python
Download Additional Package (Both CentOS 5 And 6)
libestr and libee are small helper libraries from the same project (Adiscon) that rsyslog's build expects to find installed. librelp (Reliable Event Logging Protocol Library) is an easy-to-use library for the RELP protocol, which provides reliable event logging over the network: RELP, and hence librelp, ensures that no message is lost, not even when connections break and a peer becomes unavailable. RELP is a general-purpose, extensible logging protocol; although it was designed to solve the urgent need for rsyslog-to-rsyslog communication, it supports many other applications.
Note: on a 64-bit system add --libdir=/usr/lib64 to the end of each ./configure command below, since that is where 64-bit CentOS keeps its libraries and pkg-config files. The tarballs are fetched over plain HTTP with no checksum or signature verification; compare each one against the checksum the project publishes before you build it.
cd /tmp
wget http://libestr.adiscon.com/files/download/libestr-0.1.2.tar.gz
tar -xvf libestr-0.1.2.tar.gz
cd libestr-0.1.2
./configure --prefix=/usr
make
make install
cd /tmp
wget http://www.libee.org/files/download/libee-0.4.1.tar.gz
tar -xvf libee-0.4.1.tar.gz
cd libee-0.4.1
./configure --prefix=/usr
make
make install
cd /tmp
wget http://download.rsyslog.com/librelp/librelp-1.0.0.tar.gz
tar -xvf librelp-1.0.0.tar.gz
cd librelp-1.0.0
./configure --prefix=/usr
make
make install
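The three builds above are repetitive and fetch unverified tarballs over HTTP. Here is an added helper (example code, not from the original tutorial or the rsyslog project) that picks --libdir from the machine architecture, refuses to build a tarball whose SHA-256 does not match the value you supply, and runs ldconfig after make install so the next ./configure finds the fresh libraries. The checksum values are an input you take from each project's release page; none are reproduced here. The same check applies to the rsyslog tarball in the next section.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build each helper library
# with the right --libdir for the machine and refuse to build a tarball whose
# SHA-256 does not match the value passed in. Expected checksums come from the
# project's release page or signed announcement (not reproduced here).

# libdir_for_arch ARCH -> the library directory CentOS uses for that arch.
# 64-bit CentOS keeps libraries in /usr/lib64, 32-bit in /usr/lib; this is
# the tutorial's --libdir note made automatic.
libdir_for_arch() {
    case "$1" in
        x86_64|ppc64|s390x) echo /usr/lib64 ;;
        *)                  echo /usr/lib ;;
    esac
}

# verify_sha256 FILE EXPECTED -> exit 0 only if FILE hashes to EXPECTED.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# build_tarball NAME VERSION URL EXPECTED_SHA256
# Downloads (unless already present), verifies, configures with the correct
# libdir, builds, installs and refreshes the dynamic-linker cache.
build_tarball() {
    name="$1"; version="$2"; url="$3"; expected="$4"
    tarball="$name-$version.tar.gz"
    cd /tmp || return 1
    if [ ! -f "$tarball" ]; then
        wget -q -O "$tarball" "$url" || return 1
    fi
    if ! verify_sha256 "$tarball" "$expected"; then
        echo "checksum mismatch for $tarball, refusing to build" >&2
        return 1
    fi
    rm -rf "$name-$version"
    tar -xzf "$tarball" || return 1
    cd "$name-$version" || return 1
    ./configure --prefix=/usr --libdir="$(libdir_for_arch "$(uname -m)")" \
        && make && make install && ldconfig
}

# Usage, with <sha256> replaced by the checksum published for each release:
# build_tarball libestr 0.1.2 http://libestr.adiscon.com/files/download/libestr-0.1.2.tar.gz <sha256>
# build_tarball libee 0.4.1 http://www.libee.org/files/download/libee-0.4.1.tar.gz <sha256>
# build_tarball librelp 1.0.0 http://download.rsyslog.com/librelp/librelp-1.0.0.tar.gz <sha256>
```

A mismatched checksum aborts before anything is unpacked or compiled, which is the point: a tampered tarball fetched over HTTP would otherwise be installed into /usr with root rights.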
Download Rsyslog Package
At the time of writing, rsyslog 5.8.12 is the latest stable version of Rsyslog and supports most of the features you are likely to need.
cd /tmp
wget http://www.rsyslog.com/files/download/rsyslog/rsyslog-5.8.12.tar.gz
tar -xvf rsyslog-5.8.12.tar.gz
cd rsyslog-5.8.12
Compile And Install Rsyslog
For the full list of build options available in Rsyslog, run
./configure --help
The following command enables almost all rsyslog features, such as compression, multithreading, MySQL, SNMP, mail and RELP support. Be aware that several of these switches (--enable-debug, --enable-rtinst, --enable-memcheck, --enable-valgrind, --enable-testbench, --enable-extended-tests, --enable-diagtools, --enable-imdiag) exist for developing and testing rsyslog itself and are not wanted on a production log server, and that --enable-omudpspoof builds a module that forges the UDP source address of forwarded messages, which is only useful on a relay that must preserve the original sender.
./configure \
--prefix= --enable-regexp \
--enable-zlib --enable-pthreads --enable-klog \
--enable-inet --enable-unlimited-select --enable-debug --enable-rtinst \
--enable-memcheck --enable-diagtools --enable-mysql --enable-snmp \
--enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests \
--enable-mail --enable-valgrind --enable-relp --enable-testbench \
--enable-pmlastmsg --enable-imptcp --enable-omruleset \
--enable-imdiag --enable-imfile --enable-omstdout --enable-omdbalerting \
--enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-omudpspoof \
--enable-omprog --enable-impstats --enable-mmsnmptrapd
make
make install
Attention: the empty --prefix= puts the daemon in /sbin/rsyslogd and its configuration in /etc, the same locations the stock CentOS 6 package and the init script below expect. This matters on CentOS 6.0, where the init script would otherwise start the old packaged binary.
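The ./configure line above switches on everything, including options meant for rsyslog's own developers and test suite. As an added example (not part of the original tutorial), the script below keeps the tutorial's flag list but removes those developer-only switches before configuring; which switches count as developer-only is my own selection, and the production host still gets compression, MySQL, SNMP, mail, RELP and GnuTLS support.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the tutorial's ./configure
# options with the developer and test-suite switches filtered out, so the
# production log server is built without debug instrumentation.

# Options that only help when developing or testing rsyslog itself: debug
# output, runtime instrumentation, valgrind/memcheck hooks, the testbench,
# the diagnostic tools and the imdiag diagnostic input module.
DEV_ONLY_FLAGS="--enable-debug --enable-rtinst --enable-memcheck --enable-valgrind --enable-testbench --enable-extended-tests --enable-diagtools --enable-imdiag"

# The full option list from the tutorial, unchanged.
TUTORIAL_FLAGS="--prefix= --enable-regexp
--enable-zlib --enable-pthreads --enable-klog
--enable-inet --enable-unlimited-select --enable-debug --enable-rtinst
--enable-memcheck --enable-diagtools --enable-mysql --enable-snmp
--enable-gnutls --enable-rsyslogrt --enable-rsyslogd --enable-extended-tests
--enable-mail --enable-valgrind --enable-relp --enable-testbench
--enable-pmlastmsg --enable-imptcp --enable-omruleset
--enable-imdiag --enable-imfile --enable-omstdout --enable-omdbalerting
--enable-omuxsock --enable-imtemplate --enable-omtemplate --enable-omudpspoof
--enable-omprog --enable-impstats --enable-mmsnmptrapd"

# strip_dev_flags "FLAGS..." -> FLAGS with the developer-only ones removed,
# on a single line, original order preserved.
strip_dev_flags() {
    out=""
    for f in $1; do
        case " $DEV_ONLY_FLAGS " in
            *" $f "*) ;;                  # developer-only: drop it
            *)        out="$out $f" ;;    # production-relevant: keep it
        esac
    done
    echo "${out# }"
}

# production_flags -> the tutorial's list minus the developer options.
production_flags() {
    strip_dev_flags "$TUTORIAL_FLAGS"
}

# configure_rsyslog: run inside the unpacked rsyslog-5.8.12 directory.
configure_rsyslog() {
    # word-splitting of the flag list is intended here
    ./configure $(production_flags)
}
```

After `make install`, `/sbin/rsyslogd -v` shows the version and build options, and the modules land under the lib directory chosen by the empty prefix (/lib/rsyslog), where you can confirm that ommysql.so, omrelp.so and lmnsd_gtls.so were built.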
Post Installation
mkdir -p /etc/rsyslog.d/
mkdir -p /var/spool/rsyslog
chmod 755 /var/spool/rsyslog
#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########
cp /etc/syslog.conf /etc/rsyslog.d/syslog.conf
rpm -ev --nodeps sysklogd
touch /etc/rsyslog.conf
chmod 644 /etc/rsyslog.conf
#########
# Warning! Run the following commands on CentOS 6.x ONLY
#########
cp /etc/rsyslog.conf /etc/rsyslog.d/syslog.conf
vi /etc/rsyslog.d/syslog.conf
# Open syslog.conf and delete everything before the "#### RULES ####" line and everything from "### begin forwarding rule ###" onwards, so that only the rule lines remain.
Newer rsyslog versions still accept the legacy "*" destination (write to all logged-in users) but warn about it, and it is highly recommended to use the new syntax exclusively: change "*.emerg *" to "*.emerg :omusrmsg:*".
Note that on CentOS 6 the stock rsyslog RPM stays installed, so a later yum update of that package can overwrite the /sbin/rsyslogd you build here; add exclude=rsyslog to /etc/yum.conf if you keep the source build.
Rsyslog Configuration
vi /etc/rsyslog.conf
#rsyslog v5 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

#### MODULES ####

$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so   # provides kernel logging support (previously done by rklogd)
$ModLoad immark.so   # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerAddress *
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514

# Provides RELP reception
#$ModLoad imrelp.so
#$InputRELPServerRun 20514

# Mail alerting
#$ModLoad ommail.so
#$ActionMailSMTPServer mail.example.net
#$ActionMailFrom [email protected]
#$ActionMailTo [email protected]
#$ActionMailTo [email protected]
#$template mailSubject,"disk problem on %hostname%"
#$template mailBody,"RSYSLOG Alert\r\nmsg='%msg%'"
#$ActionMailSubject mailSubject
#$ActionExecOnlyOnceEveryInterval 21600
#if $msg contains 'hard disk fatal failure' then :ommail:;mailBody

#### GLOBAL DIRECTIVES ####
$umask 0000
$DirCreateMode 0750   # directories need the execute bit to be traversable
$FileCreateMode 0640
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName queue
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$MainMsgQueueMaxFileSize 100M
$ActionQueueMaxFileSize 5M
$ActionQueueMaxDiskSpace 1g

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

#### START OF RULES ####
$IncludeConfig /etc/rsyslog.d/*.conf
#### END OF RULES ####

#### Forward via TCP with maximum compression: ####
#$AllowedSender TCP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.* @@(z9)192.168.x.x:514

#### Forward via UDP with maximum compression: ####
#$AllowedSender UDP, 127.0.0.1, 192.0.2.0/24, [::1]/128, *.example.net, somehost.example.com
#*.* @(z9)192.168.x.x:514

#### Forward via RELP Protocol : ####
#$ModLoad omrelp.so
#*.* :omrelp:192.168.x.x:20514

#### Store in MySQL (server,database,user,password) ####
#$ModLoad ommysql.so
#*.* :ommysql:127.0.0.1,Syslog,rsyslog,your-mysql-password
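The configuration above leaves network reception disabled. If you enable it, remember that $AllowedSender only filters by source address, which any host on the path can forge for UDP; a receiver that should trust only known senders needs the GnuTLS netstream driver that the --enable-gnutls build provides. The following added example (my code, not from the tutorial or the rsyslog project) emits a TLS receiver fragment and the matching sender fragment in the legacy v5 directive syntax; the /etc/pki/rsyslog paths, host names and port 6514 (the IANA port for syslog over TLS) are assumptions to replace with your own PKI.

```shell
#!/bin/sh
# Added example, not from the original tutorial: emit rsyslog v5 fragments
# for syslog over TLS with mutual x509 authentication. Certificate paths,
# host names and the port are placeholders for your own PKI.

# tls_receiver_conf CA CERT KEY PORT PEERGLOB
# Accepts syslog over TCP only inside TLS, and only from clients whose
# certificate subject matches PEERGLOB (AuthMode x509/name).
tls_receiver_conf() {
    ca="$1"; cert="$2"; key="$3"; port="$4"; peers="$5"
    cat <<EOF
\$ModLoad imtcp
\$DefaultNetstreamDriver gtls
\$DefaultNetstreamDriverCAFile $ca
\$DefaultNetstreamDriverCertFile $cert
\$DefaultNetstreamDriverKeyFile $key
\$InputTCPServerStreamDriverMode 1
\$InputTCPServerStreamDriverAuthMode x509/name
\$InputTCPServerStreamDriverPermittedPeer $peers
\$InputTCPServerRun $port
EOF
}

# tls_sender_conf CA CERT KEY SERVER PORT
# Forwards everything to SERVER over TLS and refuses to talk to any peer
# whose certificate subject is not SERVER (protects against a rogue collector).
tls_sender_conf() {
    ca="$1"; cert="$2"; key="$3"; server="$4"; port="$5"
    cat <<EOF
\$DefaultNetstreamDriver gtls
\$DefaultNetstreamDriverCAFile $ca
\$DefaultNetstreamDriverCertFile $cert
\$DefaultNetstreamDriverKeyFile $key
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $server
*.* @@$server:$port
EOF
}

# install_fragment NAME: write stdin to /etc/rsyslog.d/NAME.conf (root-only
# readable, it names key files) and syntax-check the merged configuration.
install_fragment() {
    umask 027
    cat > "/etc/rsyslog.d/$1.conf" || return 1
    /sbin/rsyslogd -N1 -f /etc/rsyslog.conf
}

# Usage on the collector:
# tls_receiver_conf /etc/pki/rsyslog/ca.pem /etc/pki/rsyslog/server-cert.pem \
#     /etc/pki/rsyslog/server-key.pem 6514 '*.example.net' | install_fragment 10-tls-receiver
# Usage on each client:
# tls_sender_conf /etc/pki/rsyslog/ca.pem /etc/pki/rsyslog/client-cert.pem \
#     /etc/pki/rsyslog/client-key.pem logserver.example.net 6514 | install_fragment 90-tls-forward
```

Both fragments are picked up by the $IncludeConfig line in the main file. With AuthMode x509/name each side verifies the peer certificate against the CA and matches its subject name against the permitted-peer pattern, so a host that merely spoofs an address can neither deliver nor receive logs; run rsyslogd -N1 before restarting so a typo does not leave the server without logging.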
vi /etc/rsyslog.d/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
Configure Init Script
vi /etc/init.d/rsyslog
#!/bin/bash
#
# rsyslog        Starts rsyslogd/rklogd.
#
# chkconfig: 2345 12 88
# description: Syslog is the facility by which many daemons use to log \
# messages to various system log files.  It is a good idea to always \
# run rsyslog.
### BEGIN INIT INFO
# Provides: $syslog
# Required-Start: $local_fs
# Required-Stop: $local_fs
# Default-Start:  2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Enhanced system logging and kernel message trapping daemons
# Description: Rsyslog is an enhanced multi-threaded syslogd supporting,
#              among others, MySQL, syslog/tcp, RFC 3195, permitted
#              sender lists, filtering on any message part, and fine
#              grain output format control.
### END INIT INFO

# Source function library.
. /etc/init.d/functions

RETVAL=0
PIDFILE=/var/run/syslogd.pid

prog=rsyslog
exec=/sbin/rsyslogd
lockfile=/var/lock/subsys/$prog

# Source config
if [ -f /etc/sysconfig/$prog ] ; then
    . /etc/sysconfig/$prog
fi

start() {
    [ -x $exec ] || exit 5

    umask 077

    echo -n $"Starting system logger: "
    daemon --pidfile="$PIDFILE" $exec -i "$PIDFILE" $SYSLOGD_OPTIONS
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch $lockfile
    return $RETVAL
}

stop() {
    echo -n $"Shutting down system logger: "
    killproc -p "$PIDFILE" $exec
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $lockfile
    return $RETVAL
}

reload() {
    RETVAL=1
    syslog=$(cat "${PIDFILE}" 2>/dev/null)
    echo -n "Reloading system logger..."
    if [ -n "${syslog}" ] && [ -e /proc/"${syslog}" ]; then
        kill -HUP "$syslog"
        RETVAL=$?
    fi
    if [ $RETVAL -ne 0 ]; then
        failure
    else
        success
    fi
    echo
    return $RETVAL
}

rhstatus() {
    status -p "$PIDFILE" $exec
}

restart() {
    stop
    start
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload|force-reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart|try-restart)
    rhstatus >/dev/null 2>&1 || exit 0
    restart
    ;;
  *)
    echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status}"
    exit 2
esac
exit $?
Prepare MySQL Database
Setting up MySQL is only needed if you want to store syslog records in a database; otherwise skip this section. Run the following from the rsyslog-5.8.12 source directory: createDB.sql creates the Syslog database with the SystemEvents and SystemEventsProperties tables, and the GRANT creates the account that ommysql will use.
mysql -u root -p < plugins/ommysql/createDB.sql
mysql -u root -p mysql
GRANT ALL ON Syslog.* TO rsyslog@localhost IDENTIFIED BY 'your-mysql-password';
flush privileges;
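GRANT ALL gives the rsyslog account every right on the Syslog database, including DROP, DELETE and UPDATE, while ommysql only ever inserts into the SystemEvents table that createDB.sql creates. This added example (my code, not from the tutorial) grants exactly that and reads the password from a root-only file so it does not land in the shell history; the database and user names follow the tutorial, the password file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original tutorial: least-privilege MySQL
# account for ommysql. Database and user names follow the tutorial; the
# password file location is an assumption.

# grant_sql USER PASSWORD -> SQL that creates USER (if missing) with INSERT
# on the one table ommysql writes to, then shows what it ended up with.
# The GRANT ... IDENTIFIED BY form creates the account implicitly on the
# MySQL 5.x shipped with CentOS 5 and 6. Passwords containing a single
# quote must be escaped before being passed in.
grant_sql() {
    user="$1"; pass="$2"
    cat <<EOF
GRANT INSERT ON Syslog.SystemEvents TO '$user'@'localhost' IDENTIFIED BY '$pass';
FLUSH PRIVILEGES;
SHOW GRANTS FOR '$user'@'localhost';
EOF
}

# apply_grant USER PASSWORD_FILE: feed the SQL to mysql as the root DB user.
# PASSWORD_FILE should be mode 0600 and owned by root (e.g. /root/.rsyslog-db-pw,
# an assumed path); the password never appears on a command line.
apply_grant() {
    pw=$(cat "$2") || return 1
    grant_sql "$1" "$pw" | mysql -u root -p
}

# Usage:
# apply_grant rsyslog /root/.rsyslog-db-pw
```

The SHOW GRANTS at the end is the check: the only line it should print for the account is the INSERT on Syslog.SystemEvents. If you later use SystemEventsProperties or a custom template that writes elsewhere, extend the grant to that table rather than going back to ALL.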
Configure Rsyslog Daemon
echo 'SYSLOGD_OPTIONS="-c5"' > /etc/sysconfig/rsyslog
The -c5 option runs the daemon in native rsyslog v5 mode instead of sysklogd compatibility mode; the init script above passes it on the command line.
chmod 755 /etc/init.d/rsyslog
#########
# Warning! Run the following commands on CentOS 5.x ONLY
#########
chkconfig --add rsyslog
chkconfig rsyslog on
touch /etc/logrotate.d/syslog
chmod 644 /etc/logrotate.d/syslog
Rsyslog Log Rotate
vi /etc/logrotate.d/syslog
/var/log/boot.log /var/log/cron /var/log/maillog /var/log/messages /var/log/secure /var/log/spooler
{
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
Start Rsyslog
chmod 644 /etc/rsyslog.conf
If you enabled the :ommysql: line, the database password is now in this file and mode 644 makes it readable by every local user; use mode 640 (root-only) for the file, or keep that line in a 640 fragment under /etc/rsyslog.d/ instead.
service rsyslog start
tail -f /var/log/messages
Test Rsyslog
logger "this is a test message"
logger -p local0.info -t testtag "this is a test message"
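The two logger calls above only show that logger runs; they do not prove the message reached the log file. This added check (my code, not from the tutorial) sends a unique token and waits for rsyslog to write it to /var/log/messages, which is where the *.info rule in syslog.conf above sends local0.info, so a broken socket, a misrouted rule or a daemon that failed to start shows up as a FAIL rather than silence.

```shell
#!/bin/sh
# Added example, not from the original tutorial: an end-to-end check that a
# message sent through the local syslog socket is written out by rsyslog.

# wait_for_token FILE TOKEN TIMEOUT_SECONDS -> 0 as soon as TOKEN appears
# in FILE, 1 if it has not appeared after TIMEOUT_SECONDS.
wait_for_token() {
    file="$1"; token="$2"; timeout="${3:-5}"
    i=0
    while [ "$i" -lt "$timeout" ]; do
        grep -qF -- "$token" "$file" 2>/dev/null && return 0
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# syslog_roundtrip [LOGFILE]: log a token that cannot collide with older
# lines (pid plus timestamp) and wait for rsyslog to flush it to LOGFILE.
# The default file matches the *.info rule in syslog.conf.
syslog_roundtrip() {
    file="${1:-/var/log/messages}"
    token="rsyslog-selftest-$$-$(date +%s)"
    logger -p local0.info -t selftest "$token"
    if wait_for_token "$file" "$token" 5; then
        echo "OK: $token reached $file"
    else
        echo "FAIL: $token not seen in $file within 5s" >&2
        return 1
    fi
}

# Usage: syslog_roundtrip            # checks /var/log/messages
#        syslog_roundtrip /var/log/local0.log   # if you route local0 elsewhere
```

Run it once after `service rsyslog start` and again after every configuration change; on a collector, run it on a client with the forwarding rule enabled and point the file argument at the collector's log to prove the network path as well.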
Links
Iran Honeynet Project: http://www.honeynet.ir/
Rsyslog Project: http://www.rsyslog.com/
CentOS: http://www.centos.org/