=====RSyslog Server Configuration=====

It will be assumed that you have already upgraded your RSyslog via the [[user:ryoung12:portfolio:start#upgrading_to_rsyslog_v442-1|upgrade instructions]].

{{page>user:ryoung12:portfolio:mysql&nofooter&noeditbtn}} ===Installing the RSyslog-MySQL plugin===

You need to install the MySQL plugin module for RSyslog so that it can communicate with the MySQL server.

sudo aptitude -t lenny-backports install -y rsyslog-mysql

Once the RSyslog-MySQL package has been installed, you will be asked a series of questions to create the MySQL database that will be used by RSyslog to store the log files.

rsyslog-mysql must have a database installed and configured before it can be used. If you like, this can be handled with dbconfig-common. If you are an advanced database administrator and know that you want to perform this configuration manually, or if your database has already been installed and configured, you should refuse this option. Details /usr/share/doc/rsyslog-mysql. Otherwise, you should probably choose this option. Configure database for rsyslog-mysql with dbconfig-common?

I selected yes.

You will then be prompted to enter the password for the "root" user of MySQL as configured during our install of MySQL-server.

What is the password for the administrative account with which this package should create its MySQL database and user? Password of your database's administrative user:

Next you will be asked to provide, and then confirm a password for the user "rsyslog", which will be user RSyslog uses to connect to the MySQL database.

Please provide a password for rsyslog-mysql to register with the database server. If left blank, a random password will be generated for you. MySQL application password for

the RSyslog-MySQL plugin should now be installed and configured.

===Installing the RSyslog-GnuTLS plugin===

You need to install the GnuTLS plugin to configure the syslog server to accept incoming TLS connections from the syslog clients.

sudo aptitude -t lenny-backports install -y rsyslog-gnutls \\ ===Generate Machine Certificate===

On your CA, you need to generate a machine certificate for the RSyslog server machine.

On the Certificate Authority:

Create the private machine key.

sudo certtool --generate-privkey --outfile key.pem --bits 2048 \\

Generate the public machine certificate request. You will be asked to enter several pieces of pertinent information. You can just press enter to skip over any field.

sudo certtool --generate-request --load-privkey key.pem --outfile request.pem

I answered:

Country name (2 chars): US Organization name: Lab46 Organizational unit name: Student.Lab Locality name: Corning State or province name: NY Common name: vm30.student.lab UID: Enter a challenge password: \\

Once you have the request file for the public certificate, you can generate the public machine certificate. Again you will be asked to enter some information.

sudo certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

I entered:

Enter the certificate's serial number (decimal): Activation/Expiration time. The certificate will expire in (days): 1000 Extensions. Does the certificate belong to an authority? (Y/N): n Is this a TLS web client certificate? (Y/N): y Is this also a TLS web server certificate? (Y/N): y Enter the dnsName of the subject of the certificate: vm30.student.lab Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): Will the certificate be used for encryption (RSA ciphersuites)? (Y/N):

You will then be shown the resultant certificate file and asked if the information is correct. I entered 'y'.

Delete the request.pem file, rename the key.pem and cert.pem files, and change their access permissions.

sudo rm -f request.pem sudo mv key.pem machine-key.pem sudo mv cert.pem machine-cert.pem chown root:root machine-key.pem machine-cert.pem chmod 400 machine-key.pem machine-cert.pem \\

Now you need to copy ca.pem, key.pem, and cert.pem to the RSyslog server.

Back on the RSyslog Server:

You need to put ca.pem, key.pem, and cert.pem in the /rsyslog/protected/ directory. You may need to create these directories first.

sudo sh -c "mkdir /rsyslog && mkdir /rsyslog/protected && mv *.pem /rsyslog/protected" \\ ===RSyslog Configuration File===

Now we need to update our /etc/rsyslog.conf file.


$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
$ModLoad ommysql # MySQL plugin
 
# make gtls driver the default
$DefaultNetstreamDriver gtls
 
# certificate files
$DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem
$DefaultNetstreamDriverCertFile /rsyslog/protected/machine-cert.pem
$DefaultNetstreamDriverKeyFile /rsyslog/protected/machine-key.pem

# server authentication settings
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.student.lab
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514

# MySQL database login settings 
*.*     :ommysql:127.0.0.1,Syslog,rsyslog,mSySs4qPl

===Restart the RSyslog Service===

Now we need to restart the RSyslog service to apply the changes.

sudo /etc/init.d/rsyslog restart

That's it. Our syslog server is configured. Later we'll come back and install LogAnalyzer, a PHP-powered graphical front end for viewing and searching the log files stored in the syslog database.