syslog-ng


Syslog-ng is an open-source implementation of the syslog protocol. It can be used to store log files centrally on the main server (tjener). By default Skolelinux uses rsyslog for this job, but syslog-ng has some advantages, e. g. the ability to define filters.

This HowTo describes how to store the authentication logs of Windows and Linux clients on tjener, so that you can search which user logged in to which client. All other logs stay on the clients.

Installation and configuration of tjener

On tjener, you have to install syslog-ng using apt:

        apt-get install syslog-ng

Attention: This will remove rsyslog!

To configure syslog-ng you edit /etc/syslog-ng/syslog-ng.conf with your favorite text editor. First, add the following to the options section (near line 75):

        keep_hostname(yes);
        long_hostnames(on);
        create_dirs(yes);

Then you add a new source, which defines how tjener receives messages (the local socket, syslog-ng's internal messages, and TCP and UDP on port 514). Note that ip(0.0.0.0) listens on all interfaces; if tjener is also reachable from outside the school network, bind to the internal address or firewall port 514 so that only your clients can deliver logs:

        source clients {
                     unix-stream("/dev/log");
                     internal();
                     tcp(ip(0.0.0.0) port(514) max_connections(1000));
                     udp();
        };

Then you add a new destination for the logs received from the clients. To get a useful directory structure you can use macros such as $YEAR, $MONTH, $DAY and $HOST in the file name (create_dirs(yes) above lets syslog-ng create the daily directories):

        destination clientslogs {
                      file("/var/log/debian-edu/$YEAR$MONTH$DAY/$HOST.auth");
        };

Finally, you bring both together by adding a new log statement:

        log {
              source(clients); destination(clientslogs);
        };

After this, you have to restart syslog-ng:

        /etc/init.d/syslog-ng restart

You can download a complete configuration file at the end of this page.

Configure the clients

Linux

On the Debian clients you use

        apt-get install syslog-ng

to install syslog-ng. In the configuration file /etc/syslog-ng/syslog-ng.conf you add a new destination, namely the main server:

        destination tjener_syslog-ng {
           tcp( "10.0.2.2" port(514) );
        };

After this, you define a new filter that selects all log messages belonging to authentication (s_all is the default source that includes all local logs):

        filter tjener_auth { facility(auth, authpriv) and match("pam_unix"); };

Finally, you define a new log statement to bring it all together:

        log {
                source(s_all);
                filter(tjener_auth);
                destination(tjener_syslog-ng);
        };

Restart syslog-ng:

        /etc/init.d/syslog-ng restart

You can download a complete configuration file for a Linux client at the end of this page.

Windows

For Windows you can use the Snare Agent for Windows [1]. It is licensed under the terms of the GPL. If you install it manually, you can configure it using its web interface: point your favorite web browser to http://localhost:6161, change to Network Configuration and enter the IP address of tjener (10.0.2.2) and the port (514). Under Objectives Configuration you define which logs are sent. Logs for authentication are defined by default; you can edit or remove the others. If you want to install Snare unattended, you can use its silent switches:

"SnareSetup-3.1.7-MultiArch.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-

For the configuration you can add these values to the specified registry key (the dword 0x202 is port 514 in decimal):

[HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Network]
"Destination"="10.0.2.2"
"DestPort"=dword:00000202

At the end of this page you can download the file snare.reg, which you can import into the registry using

REGEDIT.EXE /S snare.reg

After this you have to restart the service or the machine.

Cronjob to remove old logs

Over time you accumulate a lot of log files on tjener. You can add a cronjob that removes log directories older than 30 days (the value used by the script below). With the syslog-ng configuration above this is easy, because the subfolders in /var/log/debian-edu are named by year, month and day.

Create a new file rm_logs.sh in /root/ and make it executable using chmod +x rm_logs.sh. Put the following into the file:

        #!/bin/bash
        path=/var/log/debian-edu
        rmdate=$(date --date '-30 days' +%Y%m%d)          # cut-off date as YYYYMMDD, 30 days ago
        #
        for dir in "$path"/*/                               # every subdirectory of $path
        do
                subfolder=$(basename "$dir")
                # only handle directories named YYYYMMDD; anything else would
                # otherwise be treated as 0 and removed
                case "$subfolder" in
                        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
                        *) continue ;;
                esac
                if [ "$subfolder" -lt "$rmdate" ]
                        then rm -fr "$path/$subfolder"      # remove directories older than the cut-off
                fi
        done
        exit 0

After this, type

        crontab -e

and your default text editor opens with

        # m h  dom mon dow   command
        #--------------------------------

The first five columns define when the command in column 6 is executed. Change this to

        # m h  dom mon dow   command
        #--------------------------------
        SHELL=/bin/bash
        PATH=/usr/local/bin:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/bin/X11
        #---------------------------------
        5 0 * * * /root/rm_logs.sh > /dev/null
        #----------------------------------

This means that the script /root/rm_logs.sh is executed every day at 5 minutes past midnight.

View the Logfiles

search with grep

On the console you can use grep to search your log files, e. g.

        grep -rli "john" /var/log/debian-edu/* 

delivers a list of all files containing "john". Since the folder name contains the date and the file name contains the hostname, you know when and on which client john was logged in. Using a pipe you can combine two or more searches; note that the second grep must read the file list from the first one (via xargs) instead of being given the directory again, otherwise it ignores the first result. The command

        grep -rli "john" /var/log/debian-edu/* | xargs grep -li "static01"

delivers all files that match both "john" and "static01".
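An added example, not part of this HowTo, that turns the grep searches above into two shell functions: logins prints the day and host of every session a user opened, using the pam_unix "session opened" lines and the per-day/per-host layout the server configuration creates, and both computes the intersection of two searches correctly. The log root is a parameter, and the hostnames and users in the constructed sample tree are invented.

```shell
#!/bin/bash
# Added example, not from the HowTo: answer "which user logged in to which
# client, and when?" from the per-day/per-host files that the server config
# above writes to /var/log/debian-edu/$YEAR$MONTH$DAY/$HOST.auth.
# The log root is a parameter so the functions also run on a constructed tree.

# logins ROOT USER: print "DAY HOST" for each day/host on which USER opened a
# session. Day = directory name, host = file name, so only the pam_unix
# "session opened" line needs matching (-w keeps "john" from matching "johnny").
logins() {
        local root=$1 user=$2
        grep -rlw "pam_unix(.*:session): session opened for user $user" "$root" \
          | awk -F/ '{ host = $NF; sub(/\.auth$/, "", host); print $(NF-1), host }' \
          | sort -u
}

# both ROOT P1 P2: files containing both patterns. This is the intersection that
# "grep ... | grep ... FILES" does not compute (the second grep ignores its
# stdin when it is given file arguments).
both() {
        grep -rli "$2" "$1" | xargs -r grep -li "$3"
}

# Constructed sample tree in the server's layout (hostnames and users invented).
make_sample_tree() {
        local root=$1
        mkdir -p "$root/20240301" "$root/20240302"
        cat > "$root/20240301/static01.auth" <<'EOF'
Mar  1 08:02:11 static01 login[1234]: pam_unix(login:session): session opened for user john by LOGIN(uid=0)
Mar  1 12:40:03 static01 login[1234]: pam_unix(login:session): session closed for user john
EOF
        cat > "$root/20240301/ltsp02.auth" <<'EOF'
Mar  1 09:15:44 ltsp02 sshd[2211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
EOF
        cat > "$root/20240302/static01.auth" <<'EOF'
Mar  2 07:58:30 static01 login[1301]: pam_unix(login:session): session opened for user alice by LOGIN(uid=0)
Mar  2 08:01:02 static01 sshd[1350]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.2.55  user=john
EOF
}

# Stand-alone demo on the constructed tree: ./logins.sh --demo
if [ "${1:-}" = "--demo" ]; then
        demo_root=$(mktemp -d)
        make_sample_tree "$demo_root"
        echo "john:";  logins "$demo_root" john
        echo "alice:"; logins "$demo_root" alice
        rm -rf "$demo_root"
fi
```

Against the real tree, call logins /var/log/debian-edu john; a failed authentication (as in the second sample file) is deliberately not counted as a login.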

Using a MySQL database and phpMyAdmin

Alternatively you can write the logs into a MySQL database (using a pipe) and search this database with phpMyAdmin. In [2] you can find a HowTo for this.

Web-based Loganalyzer

There are several open-source tools for viewing and analysing log files, e. g.

On both sites you can find a good installation guide. Because both programs analyse the log files continuously, they need a lot of RAM.

Downloads

syslog-ng.conf for the server:

syslog-ng_server.conf

syslog-ng.conf for the Linux client:

syslog-ng_LinuxClient.conf

Registry file for Windows clients:

snare.reg

Script for deleting old log files:

rm_logs.sh

Links

[1] http://www.intersectalliance.com/download.html?link=http://prdownloads.sourceforge.net/snare/SnareSetup-3.1.7-MultiArch.exe

[2] http://chaos.untouchable.net/index.php/HOWTO_setup_syslog-ng_to_log_to_mysql