
Syslog-NG Installation

From FreeBSDwiki
Revision as of 07:18, 6 June 2008 by DrModiford (Talk | contribs)

The Syslog-NG, or System Log Next-Generation, service is an updated version of the default Syslog service found on FreeBSD and other UNIX and Unix-like systems (a paid-for version exists for Microsoft operating systems). Enhancements include the ability to filter content, various methods of storing information including separate files-per-device or MySQL databases and, a key feature, the addition of TCP for transportation of events (typically UDP is used on basic Syslog services).

The source code for Syslog-NG was used to create a commercial product maintained by Balabit under the name Syslog-NG Premium Edition. This is a paid-for-support version of the free Syslog-NG code and revenue from it is used to fund development of the free edition.


Purpose

For further information on the default Syslog service installed on FreeBSD see the main Syslog article. The following is an explanation of the purpose of Syslog-NG specifically.

The purpose of installing and utilising Syslog-NG becomes apparent when you begin to monitor Syslog events from multiple servers (and other network-attached Syslog-capable devices) and require a centralised method in which to do so. Furthermore, the ability to easily track, view and manage Syslog events is important. The enhancements made to Syslog-NG permit this functionality.

Examples

There are a number of reasons why upgrading to Syslog-NG is beneficial:

  • a data-centre that houses numerous network devices all capable of sending Syslog event notifications;
  • a medium-to-large organisation that has a wide-spread presence in different locations;
  • fault detection of unmanned systems;
  • other Syslog-capable devices that may not have simplified means to view events.

They all run along similar lines and many medium and larger organisations may benefit from utilising Syslog-NG somewhere on the corporate network.

Installation

The following is a guide to installing (or upgrading to) Syslog-NG on FreeBSD. The particular release of FreeBSD should not matter too much. For reference, the following was undertaken by the author on an HP ML570 G2 server using FreeBSD 7.0.

The installation will incorporate a web-based utility called PHP-Syslog-NG, a set of PHP-based scripts for use within Apache to enable browser access to the Syslog-NG stored events. This further requires MySQL to be installed and configured as the Syslog event store.

Pre-requisites

For guidance on installing FreeBSD review this article. It is highly recommended, if using MySQL, to allocate either a larger than normal '/var' volume or create a separate volume to store the MySQL database in - for example a secondary drive allocated as '/svr'.

This installation guide will require the following ports to be installed:

  • Apache - this is only required if utilising the PHP-Syslog-NG web-based utility;
  • MySQL - this is optional for normal Syslog-NG use but required for PHP-Syslog-NG;
  • PHP - this is not required for normal Syslog-NG use but required for PHP-Syslog-NG;
  • Syslog-NG - the updated Syslog service.

Notes

For reference the author selected Apache 2.2, MySQL 5.x and PHP 5.x and assigned a second (RAID5) drive entirely to an '/svr' volume (all regular FreeBSD volumes were allocated on the first (RAID1) drive).

If utilising the PHP-Syslog-NG web-based utility ensure that the MySQL dependency is selected under the Apache and PHP ports options page. The options page is displayed when running make from the ports system.

Configuration

If utilising the MySQL functionality of Syslog-NG, and if a large separate volume has been used, this is the time to move the default MySQL database store location. This is done using the following commands:

# /usr/local/etc/rc.d/mysql-server stop
# cd /var/db
# mv mysql /svr
# ln -s /svr/mysql mysql

This has the effect of moving the physical 'mysql' database store from the default '/var' volume to the larger '/svr' volume and then creates a symbolic link to the original location. This 'trick' allows MySQL to function without needing to re-configure all of its data store locations individually. For more information on the concepts of symbolic links review this article.

If the MySQL directory does not exist yet, first enable and start MySQL, which creates it on initial start-up.
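The relocation above, written as a checked shell function (an added example, not part of the original article): the data directory and target volume are parameters, it refuses to act when the directory has not been created yet or has already been moved, and a second helper verifies that the link resolves to the new store. Stop MySQL before calling it, as the page does.

```shell
#!/bin/sh
# Move a MySQL data directory to a larger volume and leave a symbolic link at the
# old location, as the page does by hand with mv and ln -s.
set -eu

# relocate_datadir <current datadir> <target volume>  e.g. /var/db/mysql /svr
# Returns 0 on success or when already relocated, 1 when a precondition fails.
relocate_datadir() {
    src="$1"
    dest="$2/$(basename "$src")"

    # Already a symlink: a no-op if it points at our target, otherwise refuse.
    if [ -L "$src" ]; then
        if [ "$(readlink "$src")" = "$dest" ]; then
            echo "already relocated: $src -> $dest"
            return 0
        fi
        echo "refusing: $src already links elsewhere ($(readlink "$src"))" >&2
        return 1
    fi
    # MySQL creates the directory on first start; nothing to move before that.
    if [ ! -d "$src" ]; then
        echo "refusing: $src does not exist (start MySQL once to create it)" >&2
        return 1
    fi
    # The target volume must be present (mounted) and the name still free.
    if [ ! -d "$2" ]; then
        echo "refusing: target volume $2 is not present" >&2
        return 1
    fi
    if [ -e "$dest" ]; then
        echo "refusing: $dest already exists" >&2
        return 1
    fi
    # Run as root so file ownership (the mysql user) survives the move.
    mv "$src" "$dest"
    ln -s "$dest" "$src"
    echo "moved $src to $dest and linked the old path to it"
}

# verify_datadir <current datadir> <target volume>
# True when the old path is a symlink that resolves to a directory on the target.
verify_datadir() {
    [ -L "$1" ] && [ -d "$1" ] && [ "$(readlink "$1")" = "$2/$(basename "$1")" ]
}
```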

As with all services on FreeBSD, they must first be enabled in the /etc/rc.conf file. Add the following lines as appropriate:

mysql_enable="YES"
apache_enable="YES"   # the www/apache22 port's rc script reads apache22_enable="YES" instead

Then
