syslog-ng
syslog-ng is an open-source implementation of the syslog protocol. It makes it possible to store log files on the main server (tjener). By default Skolelinux uses rsyslog for this job, but syslog-ng has some advantages, e.g. the possibility to define filters.
This HowTo describes how to store the authentication logs of Windows and Linux clients on tjener, so that you can search which user logged in to which client. All other logs stay on the clients.
Installation and configuration of tjener
On tjener, you have to install syslog-ng using apt:
apt-get install syslog-ng
Attention: This will remove rsyslog!
To configure syslog-ng, edit /etc/syslog-ng/syslog-ng.conf with your favourite text editor. First, add the following to the options section (near line 75):
keep_hostname(yes); long_hostnames(on); create_dirs(yes);
Then add a new source (this defines which protocols and ports are accepted), e.g.:
source clients { unix-stream("/dev/log"); internal(); tcp(ip(0.0.0.0) port(514) max_connections(1000)); udp(); };
Then add a new destination for the logs received from the clients. To get a useful directory structure you can use macros like $YEAR, $MONTH, $DAY and $HOST:
destination clientslogs { file("/var/log/debian-edu/$YEAR$MONTH$DAY/$HOST.auth"); };
Finally, bring both together by adding a new log statement:
log { source(clients); destination(clientslogs); };
After this, restart syslog-ng:
/etc/init.d/syslog-ng restart
A complete configuration file can be downloaded at the end of this page.
Configure the clients
Linux
On the Debian clients, install syslog-ng with
apt-get install syslog-ng
In the configuration file /etc/syslog-ng/syslog-ng.conf add a new destination, namely the main server:
destination tjener_syslog-ng { tcp( "10.0.2.2" port(514) ); };
After this, define a new filter that collects all log messages belonging to authentication (s_all is the default source that includes all logs):
filter tjener_auth { facility(auth, authpriv) and match("pam_unix"); };
Finally, define a new log statement to bring everything together:
log { source(s_all); filter(tjener_auth); destination(tjener_syslog-ng); };
Restart syslog-ng:
/etc/init.d/syslog-ng restart
A complete configuration file for a Linux client can be downloaded at the end of this page.
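The two configurations above, assembled into one script as an added example (this is not one of the configuration files the page offers for download). It writes the tjener configuration from the fragments in the server section, appends the client fragments to an existing client configuration, and runs the syslog-ng syntax check before restarting, so that a typo does not leave the host without a working syslog. It assumes syslog-ng 3.x (the @version line), the Debian default source name s_all on the clients, and the paths and addresses used on this page.

```shell
#!/bin/bash
# Added example, not the page's own download: assemble the server and client
# syslog-ng.conf from the fragments on this page and syntax-check them.
# Assumptions: syslog-ng 3.x, Debian's default source s_all on the client,
# tjener at 10.0.2.2, log tree under /var/log/debian-edu.
set -e

# write_server_conf FILE: complete syslog-ng.conf for tjener
write_server_conf() {
    cat > "$1" <<'EOF'
@version: 3.5
options { keep_hostname(yes); long_hostnames(on); create_dirs(yes); };

# local messages plus everything the clients send to TCP/UDP port 514
source clients {
    unix-stream("/dev/log");
    internal();
    tcp(ip(0.0.0.0) port(514) max_connections(1000));
    udp();
};

# one folder per day, one file per client
destination clientslogs { file("/var/log/debian-edu/$YEAR$MONTH$DAY/$HOST.auth"); };

log { source(clients); destination(clientslogs); };
EOF
}

# append_client_conf FILE: add the client part to an existing syslog-ng.conf
# (the Debian default file already defines the source s_all)
append_client_conf() {
    cat >> "$1" <<'EOF'

# forward authentication messages (pam_unix) to tjener
destination tjener_syslog-ng { tcp("10.0.2.2" port(514)); };
filter tjener_auth { facility(auth, authpriv) and match("pam_unix"); };
log { source(s_all); filter(tjener_auth); destination(tjener_syslog-ng); };
EOF
}

# check_and_restart FILE: "syslog-ng -s" (--syntax-only) parses FILE without
# starting the daemon; only restart when the parse succeeded
check_and_restart() {
    syslog-ng -s -f "$1" && /etc/init.d/syslog-ng restart
}

conf=/etc/syslog-ng/syslog-ng.conf
case "${1:-}" in
    server)
        cp -a "$conf" "$conf.bak"       # keep the previous file for a rollback
        write_server_conf "$conf"
        check_and_restart "$conf"
        ;;
    client)
        cp -a "$conf" "$conf.bak"
        append_client_conf "$conf"
        check_and_restart "$conf"
        ;;
esac
```

Run it as root with the argument server on tjener or client on a Linux client; without an argument it only defines the functions. If the syntax check fails, the old file is still in place as syslog-ng.conf.bak.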
Windows
For Windows you can use the Snare Agent for Windows [1]. It is licensed under the terms of the GPL. If you install it manually, you can configure it using the web interface: point your favourite web browser to http://localhost:6161, change to Network Configuration and set the IP address of tjener (10.0.2.2) and the port (514). Under Objectives Configuration you can define which logs are sent. Objectives for authentication events are defined by default; you can edit or remove the others. If you want to install Snare unattended, you can use the silent switches:
"SnareSetup-3.1.7-MultiArch.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
For the configuration you can add these values to the specified registry key (DestPort is given in hexadecimal: 0x202 = 514):
[HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Network]
"Destination"="10.0.2.2"
"DestPort"=dword:00000202
At the end of this page you can download the file snare.reg, which you can import into the registry using
REGEDIT.EXE /S snare.reg
After this you have to restart the service or the machine.
Cronjob to remove old logs
Over time a lot of log files accumulate on tjener. You can add a cronjob which removes log files older than 30 days. If you use the syslog-ng configuration from this page, this is easy, because the subfolders in /var/log/debian-edu are named after year, month and day.
Create a new file rm_logs.sh in /root/ and make it executable using chmod +x rm_logs.sh. Put the following into the file:
#!/bin/bash
path=/var/log/debian-edu
rmdate=$(date --date '-30 days' +%Y%m%d)   # cut-off date; everything older is removed
declare -i rmdate                           # convert rmdate to integer
#
for dir in "$path"/*/; do
    subfolder=$(basename "$dir")
    # only folders named YYYYMMDD are date folders; skip anything else
    # (declare -i would turn a non-numeric name into 0 and the folder would be deleted)
    [[ $subfolder =~ ^[0-9]{8}$ ]] || continue
    declare -i subfolder                    # convert subfolder name to integer
    if test $subfolder -lt $rmdate; then
        rm -fr "$path/$subfolder/"          # remove subfolders older than the cut-off
    fi
done
exit 0
After this type
crontab -e
and you get this in your default text editor:
# m h dom mon dow command
#--------------------------------
The first five columns define when the command from column 6 should be executed. Change this to
# m h dom mon dow command
#--------------------------------
SHELL=/bin/bash
PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/X11
#---------------------------------
5 0 * * * /root/rm_logs.sh > /dev/null
#----------------------------------
This means that the script /root/rm_logs.sh will be executed every day, 5 minutes after midnight.
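The selection rule of rm_logs.sh, written as an added example (this is not the page's own script) with the reference date passed in and a dry-run mode, so the rule can be checked on a constructed folder tree before anything is deleted for real. It assumes the /var/log/debian-edu/YYYYMMDD layout from this page and GNU date; the folder names in the demo are constructed.

```shell
#!/bin/bash
# Added example, not the page's rm_logs.sh: same rule (date folders older than
# N days are removed), but testable. Assumes GNU date and the YYYYMMDD folder
# layout from this page.
set -e

# old_folders ROOT DAYS TODAY: print the YYYYMMDD folders below ROOT that are
# older than DAYS days before TODAY (given as YYYY-MM-DD). Names that are not
# exactly eight digits (lost+found, a stray file, ...) are skipped, never removed.
old_folders() {
    local root=$1 days=$2 today=$3 cutoff dir name
    cutoff=$(date --date "$today $days days ago" +%Y%m%d)
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue      # empty ROOT: the glob stays literal
        name=$(basename "$dir")
        case $name in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;
        esac
        if [ "$name" -lt "$cutoff" ]; then
            echo "$name"
        fi
    done
}

# remove_old_folders ROOT DAYS TODAY [--dry-run]: delete the folders selected
# by old_folders, or with --dry-run only print what would be deleted
remove_old_folders() {
    local root=$1 days=$2 today=$3 mode=${4:-} name
    for name in $(old_folders "$root" "$days" "$today"); do
        if [ "$mode" = "--dry-run" ]; then
            echo "would remove $root/$name"
        else
            rm -rf "$root/$name"
        fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    # constructed sample tree, not real log data
    root=$(mktemp -d)
    mkdir -p "$root/20240101" "$root/20240229" "$root/20240301" "$root/lost+found"
    remove_old_folders "$root" 30 2024-03-31 --dry-run
    rm -rf "$root"
fi
```

For the real cronjob the call would be remove_old_folders /var/log/debian-edu 30 "$(date +%F)"; running it once with --dry-run first shows exactly which folders the rule selects.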
View the Logfiles
search with grep
On the console you can use grep to search your log files, e.g.
grep -rli "john" /var/log/debian-edu/*
delivers a list of all files containing "john". Since the folder name contains the date and the file name contains the hostname, you know when and on which client john was logged in. Using a pipe (|) you can chain two or more searches, provided the second grep reads the file list from the first one (via xargs) instead of searching the whole tree again. The command
grep -rli "john" /var/log/debian-edu/* | xargs grep -li "static01"
delivers all files matching both "john" and "static01".
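The search described above, as an added example (not part of the original page): instead of reading file lists by hand, the functions derive day and host from the folder and file names configured on this page (/var/log/debian-edu/YYYYMMDD/HOST.auth). The sample log lines are constructed for the demo.

```shell
#!/bin/bash
# Added example, not part of the original page: "when and where did this user
# log in?", answered from the YYYYMMDD/HOST.auth naming scheme of this HowTo.
set -e

# list_logins USER [ROOT]: one "YYYYMMDD HOST" line per file that mentions
# USER; day and host come from the path, so the log line format does not matter
list_logins() {
    local user=$1 root=${2:-/var/log/debian-edu} f
    grep -rli -- "$user" "$root" 2>/dev/null | sort | while IFS= read -r f; do
        echo "$(basename "$(dirname "$f")") $(basename "$f" .auth)"
    done
}

# files_matching_both USER HOST [ROOT]: the AND search from the text; xargs
# feeds the file list of the first grep to the second one
files_matching_both() {
    local user=$1 host=$2 root=${3:-/var/log/debian-edu}
    grep -rli -- "$user" "$root" 2>/dev/null | xargs grep -li -- "$host" | sort
}

# make_sample_tree ROOT: constructed sample data (not real logs)
make_sample_tree() {
    local root=$1
    mkdir -p "$root/20240301" "$root/20240302"
    echo 'Mar  1 08:12:01 static01 sshd[812]: pam_unix(sshd:session): session opened for user john by (uid=0)' \
        > "$root/20240301/static01.auth"
    echo 'Mar  1 09:40:13 ltsp01 login[1020]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)' \
        > "$root/20240301/ltsp01.auth"
    echo 'Mar  2 07:55:44 static02 sshd[933]: pam_unix(sshd:session): session opened for user john by (uid=0)' \
        > "$root/20240302/static02.auth"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d)
    make_sample_tree "$root"
    list_logins john "$root"                 # 20240301 static01, 20240302 static02
    files_matching_both john static01 "$root"
    rm -rf "$root"
fi
```

On tjener the ROOT argument can be omitted; the functions then search /var/log/debian-edu directly.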
Using a MySQL database and phpMyAdmin
Alternatively you can feed the logs into a MySQL database (using a pipe destination) and search this database with phpMyAdmin. In [2] you can find a HowTo for this.
Web-based Loganalyzer
There are several open-source tools for viewing and analysing log files, e.g.
Octopussy: http://www.octopussy.pm
Logzilla: http://code.google.com/p/logzilla/
On both sites you can find a good installation guide. Because both programs analyse the log files continuously, they need a lot of RAM.
Downloads
syslog-ng.conf for the server
syslog-ng.conf for the Linux client
Registry file for Windows clients
Script to delete old log files
Links
[2] http://chaos.untouchable.net/index.php/HOWTO_setup_syslog-ng_to_log_to_mysql
[3] http://www.pcwdld.com/free-syslog-servers-windows-and-linux