Syslog-NG Installation

From FreeBSDwiki
Revision as of 08:16, 6 June 2008

The Syslog-NG, or System Log Next-Generation, service is an updated version of the default Syslog service found on FreeBSD and other UNIX and Unix-like systems (a paid-for version exists for Microsoft operating systems). Enhancements include the ability to filter content, various methods of storing information including separate files-per-device or MySQL databases and, a key feature, the addition of TCP for transportation of events (typically UDP is used on basic Syslog services).

The source code for Syslog-NG was used to create a commercial product maintained by Balabit under the name Syslog-NG Premium Edition. This is a paid-for-support version of the free Syslog-NG code, and revenue from it is used to fund development of the free edition.


Purpose

For further information on the default Syslog service installed on FreeBSD see the main Syslog article. The following is an explanation of the purpose of Syslog-NG specifically.

The purpose of installing and utilising Syslog-NG becomes apparent when you begin to monitor Syslog events from multiple servers (and other network-attached Syslog-capable devices) and require a centralised method in which to do so. Furthermore, the ability to easily track, view and manage Syslog events is important. The enhancements made to Syslog-NG permit this functionality.

Examples

There are a number of situations in which upgrading to Syslog-NG is beneficial:

  • a data-centre that houses numerous network devices all capable of sending Syslog event notifications;
  • a medium-to-large organisation that has a wide-spread presence in different locations;
  • fault detection of unmanned systems;
  • other Syslog-capable devices that may not have simplified means to view events.

They all run along similar lines and many medium and larger organisations may benefit from utilising Syslog-NG somewhere on the corporate network.

Installation

The following is a guide to installing (or upgrading to) Syslog-NG on FreeBSD using the MySQL functionality. It also covers the installation and configuration of PHP-Syslog-NG. This is a web-based utility, essentially a set of PHP-based scripts for use within Apache to enable browser access to the Syslog-NG stored events.

Pre-requisites

For reference, the following was undertaken by the author on an HP ML570 G2 server using FreeBSD 7.0. The particular release of FreeBSD should not matter too much. In addition, the author selected Apache 2.2, MySQL 5.x and PHP 5.x and assigned a second (RAID5) drive entirely to an '/svr' volume (all regular FreeBSD volumes were allocated on the first (RAID1) drive).

For guidance on installing FreeBSD review this article. It is highly recommended, if using MySQL, to allocate either a larger than normal '/var' volume or create a separate volume to store the MySQL database in - for example a secondary drive allocated as '/svr'.

This installation guide will require the following ports to be installed:

  • Apache - a full-featured web server, but any PHP-compatible web service should be acceptable;
  • MySQL-Server - a full-featured database server;
  • PHP - a popular scripting language used on web servers;
  • PHP-Extensions - a set of extended features for the main PHP language;
  • Syslog-NG - the updated Syslog service.

Ensure that the MySQL and Apache module dependencies are selected under the PHP port options page. The options page is displayed when running make from the ports system. This will install the 'mysql-client' automatically (not to be mistaken with the 'mysql-server' port).

It is recommended that the NTP service is configured to ensure accurate time is maintained against logged events.

The 'PHP-Syslog-NG' web-based utility is not available from the ports system; however, it can be downloaded from the Google Code website. Extract it into a new folder called '/svr/php-syslog-ng', for example:

# cd /svr
# fetch http://php-syslog-ng.googlecode.com/files/php-syslog-ng-<version>.tgz
# tar zxvf php-syslog-ng-<version>.tgz
# rm php-syslog-ng-<version>.tgz

Configuration

As with all services that run on FreeBSD, they must first be enabled in the rc.conf file. Add the following lines as appropriate:

syslogd_enable="NO"
syslog_ng_enable="YES"
syslogd_program="/usr/local/sbin/syslog-ng"
syslogd_flags=""
mysql_enable="YES"
apache22_enable="YES"
syslog_pipe_enable="YES"

The 'syslog_pipe' entry is a script that is required if using the MySQL functionality and is therefore not part of the other 'syslog' entries.
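The rc.conf entries above are easy to get wrong when a host already has a conflicting 'syslogd_enable="YES"' line, since sh(1) takes the last assignment and a duplicated key silently wins. The following is an added example, not code from the FreeBSDwiki page: it sets exactly the entries listed above idempotently, rewriting an existing assignment in place and appending a missing one, so a second run changes nothing. FreeBSD's sysrc(8) does this job on newer releases; the functions are spelled out here so the logic is visible and runs on any POSIX sh. Values are assumed to be plain strings without sed-special characters ('|', '&' or '\').

```shell
# Added example (not from the FreeBSDwiki page): idempotent rc.conf editing.

# set_rcvar FILE KEY VALUE: replace an existing KEY="..." line or append one.
set_rcvar() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # Rewrite the existing line via a temp file: 'sed -i' differs
        # between BSD and GNU sed, so it is avoided for portability.
        tmp=$(mktemp) || return 1
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_rcvar FILE KEY: print the current value (quotes stripped). The last
# assignment wins, which is how sh(1) evaluates rc.conf.
get_rcvar() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# configure_rc_conf FILE: apply exactly the entries the page lists.
configure_rc_conf() {
    rc=$1
    set_rcvar "$rc" syslogd_enable NO
    set_rcvar "$rc" syslog_ng_enable YES
    set_rcvar "$rc" syslogd_program /usr/local/sbin/syslog-ng
    set_rcvar "$rc" syslogd_flags ""
    set_rcvar "$rc" mysql_enable YES
    set_rcvar "$rc" apache22_enable YES
    set_rcvar "$rc" syslog_pipe_enable YES
}

# Usage (as root): configure_rc_conf /etc/rc.conf
```

Run it against a copy of rc.conf first and diff the result; the only lines that should change are the seven listed above.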

MySQL

If utilising a larger, separate volume for the MySQL database store, do the following:

# /usr/local/etc/rc.d/mysql-server stop
# cd /var/db
# mv mysql /svr
# ln -s /svr/mysql mysql

This has the effect of moving the physical 'mysql' database store from the default '/var' volume to the larger '/svr' volume and then creates a symbolic link to the original location. This 'trick' allows MySQL to function without needing to re-configure all of its data store locations individually. For more information on the concepts of symbolic links review this article.
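The four commands above are safe to type once, but running them a second time (for instance after a reinstall) would move the symlink itself into '/svr' and leave MySQL pointing at nothing. The following is an added example, not code from the FreeBSDwiki page: it performs the same move-then-symlink relocation as the page does for '/var/db/mysql' to '/svr/mysql', but refuses to act when the source is already a symlink, when the destination already exists (so nothing is merged or clobbered) or when the source is missing, and it provides a check that the result is what the page describes. The service using the directory is assumed to be stopped before it is called.

```shell
# Added example (not from the FreeBSDwiki page): relocate a directory to a
# larger volume and leave a symbolic link at the old path.

# relocate_dir SRC DEST: move SRC to DEST and symlink SRC -> DEST.
# Returns 2 if SRC is already a symlink (move done before), 1 on other errors.
relocate_dir() {
    src=$1; dest=$2
    if [ -L "$src" ]; then
        echo "relocate_dir: $src is already a symlink to $(readlink "$src")" >&2
        return 2
    fi
    if [ ! -d "$src" ]; then
        echo "relocate_dir: $src is not a directory" >&2
        return 1
    fi
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "relocate_dir: $dest already exists" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")" || return 1
    mv "$src" "$dest" || return 1
    ln -s "$dest" "$src"
}

# verify_relocation SRC DEST: old path is a symlink resolving to the new dir.
verify_relocation() {
    src=$1; dest=$2
    [ -L "$src" ] && [ -d "$dest" ] && [ "$(readlink "$src")" = "$dest" ]
}

# Usage (as root), after '/usr/local/etc/rc.d/mysql-server stop':
#   relocate_dir /var/db/mysql /svr/mysql && verify_relocation /var/db/mysql /svr/mysql
```

Because 'mv' across file systems copies and then deletes, run it as root so file ownership (the 'mysql' user) is preserved, and check free space on the target volume first.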

If the MySQL directory does not yet exist, first enable MySQL (see the 'rc.conf' entries above) and start it as follows:

# /usr/local/etc/rc.d/mysql-server start

This will create the directory as part of the initial loading phase.

Apache

The following configuration changes need to be made to Apache. In addition, the installation of PHP does not automatically integrate itself into Apache; this is done by manually editing the Apache configuration files. Under Apache 2.2 this has changed from the way Apache 1.3 used to do it.

Under '/usr/local/etc/apache22/' open 'httpd.conf' for editing and make the following changes (in each snippet the existing lines are shown for context and the added text is called out):

Add the PHP Apache module after the existing LoadModule lines (the php5_module line is the new one):

LoadModule userdir_module libexec/apache22/mod_userdir.so
LoadModule alias_module libexec/apache22/mod_alias.so
LoadModule rewrite_module libexec/apache22/mod_rewrite.so
LoadModule php5_module        libexec/apache22/libphp5.so

Also add 'index.php' to the DirectoryIndex list of default file names:

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

Near the end of the file add:

NameVirtualHost *:80

Include etc/apache22/Includes/*.conf

Create a configuration file for what will become the PHP-Syslog-NG web interface called 'syslogweb.conf' in the '/usr/local/etc/apache22/Includes/' directory (note the capitalised letter 'i' in 'Includes') containing the following:

<VirtualHost *:80>
   ServerName syslog.example.com
   ServerAlias syslog
   ServerAdmin YourAdminName 
   DocumentRoot /svr/php-syslog-ng/html
   <Directory />
       Options FollowSymLinks
       AllowOverride All
   </Directory>
   <Directory /svr/php-syslog-ng/html>
       # pcw No directory listings
       # Options Indexes FollowSymLinks MultiViews
       Options -Indexes FollowSymLinks MultiViews
       AllowOverride All
       Order allow,deny
       allow from all
   </Directory>
   ErrorLog /var/log/php-syslog-ng-error.log
   # Possible values include: debug, info, notice, warn, error, crit,
   # alert, emerg.
   LogLevel warn
   CustomLog /var/log/php-syslog-ng-access.log combined
   ServerSignature On
</VirtualHost>

Change the various 'ServerXxx' entries as appropriate for your network.

Start (or restart) Apache to make the above changes take effect, and ensure that no error messages appear:

# apache start     (or restart)
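A missed LoadModule line or a mistyped Include path is only discovered when Apache fails to start or serves PHP source as plain text, so it is worth checking the edits before the restart. The following is an added example, not code from the FreeBSDwiki page: 'check_httpd_conf' verifies that 'httpd.conf' carries the four edits described above and returns the number still missing, and 'check_no_listing' verifies that a vhost file such as 'syslogweb.conf' does not enable directory listings (an uncommented 'Options' line with a bare or '+Indexes' entry), matching the "No directory listings" intent of the vhost above. The file paths in the usage comment are the page's; the two sample configurations in the test are constructed.

```shell
# Added example (not from the FreeBSDwiki page): pre-restart checks for the
# Apache edits described above.

# _need ERE LABEL: report LABEL as missing when $conf does not match ERE.
_need() {
    if ! grep -Eq "$1" "$conf"; then
        echo "missing: $2"
        missing=$((missing + 1))
    fi
}

# check_httpd_conf FILE: return the number of required edits not present.
check_httpd_conf() {
    conf=$1
    missing=0
    _need '^[[:space:]]*LoadModule[[:space:]]+php5_module[[:space:]]+libexec/apache22/libphp5\.so' \
          'LoadModule php5_module libexec/apache22/libphp5.so'
    _need '^[[:space:]]*DirectoryIndex([[:space:]]+[^[:space:]]+)*[[:space:]]+index\.php([[:space:]]|$)' \
          'index.php in DirectoryIndex'
    _need '^[[:space:]]*NameVirtualHost[[:space:]]+\*:80' 'NameVirtualHost *:80'
    _need '^[[:space:]]*Include[[:space:]]+etc/apache22/Includes/\*\.conf' \
          'Include etc/apache22/Includes/*.conf'
    return "$missing"
}

# check_no_listing FILE: 0 when no uncommented Options line turns on Indexes
# ('-Indexes' is fine), 1 when directory listings would be enabled.
check_no_listing() {
    ! grep -Eq '^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*\+?Indexes([[:space:]]|$)' "$1"
}

# Usage:
#   check_httpd_conf /usr/local/etc/apache22/httpd.conf &&
#   check_no_listing /usr/local/etc/apache22/Includes/syslogweb.conf &&
#   apachectl configtest
```

'apachectl configtest' parses the full configuration, including the Includes directory, without disturbing the running server, so it is the last gate before the restart.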

PHP-Syslog-NG
