Centralized Syslog Database

All of the VMs will use rsyslog to ship their logs to a central log server that stores them in a MySQL database; the LogAnalyzer web-based front end then provides easy viewing and filtering of events. To protect the log messages in transit from each machine to the central server we will use the native TLS support built into rsyslog versions 3.19.0 and later. One caveat: the main Debian Lenny repository carries rsyslog v3.18.6, which predates TLS support, but the lenny-backports repository carries v4.4.2-1.

Upgrading to rsyslog v4.4.2-1

<html><p>First, before we can install the v4.4.2-1 package from the backports tree, we need to enable backports in our sources list:</p></html>

sudo vim /etc/apt/sources.list
# /etc/apt/sources.list
 
deb     http://mirror/debian    lenny           main contrib non-free
deb-src http://mirror/debian    lenny           main contrib non-free
deb     http://mirror/security  lenny/updates   main contrib non-free
deb-src http://mirror/security  lenny/updates   main contrib non-free
deb     http://mirror/backports lenny-backports main contrib non-free
deb-src http://mirror/backports lenny-backports main contrib non-free


<html><p>Now we need to update our packages list.</p></html>

sudo aptitude update


<html><p>You will most likely get a warning that the GPG public key for the backports tree is not available:</p></html>

W: GPG error: http://mirror lenny-backports Release: The following signatures
couldn't be verified because the public key is not available: NO_PUBKEY EA8E8B2116BA136C


<html><p>To install the GPG key for the backports tree, install the keyring package:</p></html>

sudo aptitude install debian-backports-keyring

<html><p>Because the keyring package itself comes from the not-yet-verified backports tree, aptitude will ask whether you want to proceed despite the missing signature. Answer Yes. This is the one point where trust in backports is bootstrapped, so after the install compare the key's fingerprint (apt-key finger) with the one published on backports.org before relying on packages from that tree.</p></html>

Do you want to ignore this warning and proceed anyway?
To continue, enter "Yes"; to abort, enter "No": Yes


<html><p>Now with the gpg key in place for backports, update again, and perform any necessary upgrades.</p></html>

sudo sh -c "aptitude update && aptitude safe-upgrade -y"


<html><p>With our package sources up to date, we need to install the version of rsyslog from backports.</p></html>

sudo aptitude -t lenny-backports install rsyslog


<html><p>rsyslog should now be updated to a version that supports native TLS encryption.</p> <br /> <p style="color:#880000;">Note: This step needs to be done on every machine that will be using rsyslog, the server and all of the clients.</p></html>

Creating a Certificate Authority

<html><p>To use the TLS support we just enabled, we need X.509 certificates for the syslog server and for each syslog client that will talk to it. Rather than buying certificates from a commercial Certificate Authority (CA), we will run our own CA and issue certificates for all of the machines.</p> <br /> <p>A CA is really just a key pair whose certificate is self-signed: the CA's private key signs the certificates of the other machines, and the CA's public certificate (ca.pem) is copied to every machine so that each one can verify the certificates the others present. A self-signed certificate may sound circular, but the root of trust has to start somewhere; what makes it trustworthy is that ca.pem is distributed over a channel you control and the CA's private key is kept where nobody else can reach it.</p> <br /> <p>To generate the CA we use the certtool utility from the GnuTLS tools package, which is not installed by default.</p>

<p>To install GnuTLS:</p></html>

sudo aptitude install -y gnutls-bin


<html><p>Now we need to generate our CA's private key.</p></html>

sudo certtool --generate-privkey --outfile ca-key.pem --bits 2048

<html><p>Note: Generating the key can take a while, because certtool draws its randomness from the kernel's entropy pool, which on an idle or freshly booted VM may be nearly empty. While it runs, give the machine something to do (list directories with ls, cat some files, type in another terminal) so that disk and keyboard activity feed the pool.</p> <br /> <p>Now generate the CA's self-signed certificate, the public half of the CA.</p></html>

sudo certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem


<html><p>The creation of the self-signed certificate will ask for several pieces of pertinent information. Fields can be left blank by simply pressing enter.<br /> I used the following:</p></html>

Country name (2 chars): US
Organization name: Lab46
Organizational unit name: Student.Lab
Locality name: Corning
State or province name: NY
Common name: Student.Lab
UID:
E-mail:
Enter the certificate's serial number(decimal):

Activation/Expiration time.
The certificate will expire in (days): 3650

Extensions.
Does the certificate belong to an authority? (Y/N): y
Path length constraint (decimal, -1 for no constraint): 
Is this a TLS web client certificate? (Y/N): 
Is this also a TLS web server certificate? (Y/N): 
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign other certificates? (Y/N): y
Will the certificate be used to sign CRLs? (Y/N):
Will the certificate be used to sign code? (Y/N):
Will the certificate be used to sign OCSP requests? (Y/N):
Will the certificate be used for time stamping? (Y/N):
Enter the URI of the CRL distribution point:


<html><p>You will then be shown the resulting certificate and asked if the information is correct. I entered 'y'.</p> <br /> <p>The permissions on the CA's private key must be tightened so that only root can read it and everybody else has no access to the file at all.</p></html>

sudo chown root:root ca-key.pem
sudo chmod 400 ca-key.pem

<html><p style="color:#AA0000;">Anyone who obtains ca-key.pem can issue a certificate for any name, and every machine that trusts ca.pem will accept it; the CA and every machine using its certificates would then have to be re-keyed. Keep this file on the CA only and never copy it to the syslog server or the clients.</p> <br /> <p>With the CA's private key and public certificate generated, our CA is ready to issue certificates for the other machines on our network.</p></html>

RSyslog Server Configuration

<html><p>It is assumed that you have already upgraded rsyslog on this machine following the upgrade instructions above.</p> <br /></html>

Installing MySQL

<html><p>Install the MySQL Server.</p></html>

sudo aptitude install mysql-server

<html><p>During installation, you will be asked to create a password for the administrative “root” user for the MySQL server.</p></html>

Installing the RSyslog-MySQL plugin

<html><p>You need to install the MySQL plugin module for RSyslog so that it can communicate with the MySQL server.</p></html>

sudo aptitude -t lenny-backports install -y rsyslog-mysql

<html><p>Once the rsyslog-mysql package has been installed, you will be asked a series of questions to create the MySQL database that rsyslog will use to store the log messages.</p></html>

rsyslog-mysql must have a database installed and configured before it can be used.
If you like, this can be handled with dbconfig-common.

If you are an advanced database administrator and know that you want to perform this
configuration manually, or if your database has already been installed and configured,
you should refuse this option. Details /usr/share/doc/rsyslog-mysql.

Otherwise, you should probably choose this option.

Configure database for rsyslog-mysql with dbconfig-common?
<Yes>   <No>

<html><p>I selected yes.</p> <br /> <p>You will then be prompted to enter the password for the “root” user of MySQL as configured during our install of MySQL-server.</p></html>

What is the password for the administrative account with which this package should
create its MySQL database and user?

Password of your database's administrative user:

<html><p>Next you will be asked to provide, and then confirm, a password for the MySQL user “rsyslog”, which is the account rsyslog will use to connect to the database. Note it down: the same password goes into the ommysql line of rsyslog.conf later, and dbconfig-common records it in /etc/dbconfig-common/rsyslog-mysql.conf.</p></html>

Please provide a password for rsyslog-mysql to register with the database server.
If left blank, a random password will be generated for you.

MySQL application password for

<html><p>The rsyslog-mysql plugin should now be installed and configured.</p></html>

Installing the RSyslog-GnuTLS plugin

<html><p>You need to install the GnuTLS plugin to configure the syslog server to accept incoming TLS connections from the syslog clients.</p></html>

sudo aptitude -t lenny-backports install -y rsyslog-gnutls


Generate Machine Certificate

<html><p>On your CA, you need to generate a machine certificate for the rsyslog server. In this lab the server's private key is generated on the CA and copied to the server afterwards; in production, generate the key on the server itself and send only the certificate request to the CA, so that the private key never leaves the machine it belongs to.</p> <br /> <p style="font-weight:bold;">On the Certificate Authority:</p> <br /> <p>Create the private machine key.</p></html>

sudo certtool --generate-privkey --outfile key.pem --bits 2048


<html><p>Generate a certificate signing request for the machine. You will be asked for the same kind of information as before; press enter to skip a field. The Common name must be the server's fully qualified hostname, because that is the name rsyslog's x509/name authentication compares with the permitted peer pattern.</p></html>

sudo certtool --generate-request --load-privkey key.pem --outfile request.pem

<html><p>I answered:</p></html>

Country name (2 chars): US
Organization name: Lab46
Organizational unit name: Student.Lab
Locality name: Corning
State or province name: NY
Common name: vm30.student.lab
UID: 
Enter a challenge password: 


<html><p>Once you have the request file, sign it with the CA to produce the machine certificate. Again you will be asked some questions; the dnsName must match the Common name entered above.</p></html>

sudo certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

<html><p>I entered:</p></html>

Enter the certificate's serial number (decimal): 

Activation/Expiration time.
The certificate will expire in (days): 1000

Extensions.
Does the certificate belong to an authority? (Y/N): n
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (Y/N): y
Enter the dnsName of the subject of the certificate: vm30.student.lab
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/N): 
Will the certificate be used for encryption (RSA ciphersuites)? (Y/N):

<html><p>You will then be shown the resulting certificate and asked if the information is correct. I entered 'y'.</p> <br /> <p>Delete the request.pem file, rename key.pem and cert.pem so that they are not confused with the CA's own files, and restrict their permissions.</p></html>

sudo rm -f request.pem
sudo mv key.pem machine-key.pem
sudo mv cert.pem machine-cert.pem
sudo chown root:root machine-key.pem machine-cert.pem
sudo chmod 400 machine-key.pem machine-cert.pem
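Both the CA creation above and the per-host certificate steps answer certtool's prompts by hand, which is easy to get subtly wrong on the fifth client (a mistyped dnsName, an expired serial). The script below is an added example, not code from the original page: it drives certtool from template files so every host certificate carries the same CA, a real SAN dnsName and a known lifetime. The lab names, the serial numbers passed by the caller and the mkcerts.sh file name are assumptions; certtool from gnutls-bin must be on PATH when make_ca or issue_host_cert are actually run.

```shell
#!/bin/sh
# Added example, not from the original page: issue the CA and per-host
# certificates from certtool template files instead of answering prompts.
# Assumptions (not in the original page): the lab names below, serial
# numbers chosen by the caller, and certtool (gnutls-bin) on PATH when
# make_ca / issue_host_cert are actually run.
set -e

ORG="Lab46"; UNIT="Student.Lab"; LOC="Corning"; ST="NY"; CC="US"

# Template for the self-signed CA certificate (same answers as the
# interactive session on this page, plus an explicit serial).
write_ca_template() {  # $1 = template path
    cat > "$1" <<EOF
organization = "$ORG"
unit = "$UNIT"
locality = "$LOC"
state = "$ST"
country = $CC
cn = "$UNIT"
serial = 1
expiration_days = 3650
ca
cert_signing_key
EOF
}

# Template for a machine certificate. cn and dns_name carry the host's
# FQDN: that is the name rsyslog's x509/name mode compares with the
# PermittedPeer pattern, so it must be the real hostname.
write_host_template() {  # $1 = template path, $2 = host FQDN, $3 = serial
    cat > "$1" <<EOF
organization = "$ORG"
unit = "$UNIT"
locality = "$LOC"
state = "$ST"
country = $CC
cn = "$2"
dns_name = "$2"
serial = $3
expiration_days = 1000
tls_www_server
tls_www_client
signing_key
encryption_key
EOF
}

# Create the CA key pair in $1. ca-key.pem never leaves this directory.
make_ca() {  # $1 = CA directory
    mkdir -p "$1"
    write_ca_template "$1/ca.tmpl"
    certtool --generate-privkey --bits 2048 --outfile "$1/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$1/ca-key.pem" \
             --template "$1/ca.tmpl" --outfile "$1/ca.pem"
    chmod 400 "$1/ca-key.pem"
}

# Issue a machine certificate for one host into $1/$2/. Serials must be
# unique per CA, so the caller supplies and records them.
issue_host_cert() {  # $1 = CA directory, $2 = host FQDN, $3 = serial
    out="$1/$2"
    mkdir -p "$out"
    write_host_template "$out/host.tmpl" "$2" "$3"
    certtool --generate-privkey --bits 2048 --outfile "$out/machine-key.pem"
    certtool --generate-request --load-privkey "$out/machine-key.pem" \
             --template "$out/host.tmpl" --outfile "$out/request.pem"
    certtool --generate-certificate --load-request "$out/request.pem" \
             --load-ca-certificate "$1/ca.pem" --load-ca-privkey "$1/ca-key.pem" \
             --template "$out/host.tmpl" --outfile "$out/machine-cert.pem"
    rm -f "$out/request.pem"
    chmod 400 "$out/machine-key.pem"
}

# Show the subject and SAN names certtool put into a certificate, to
# check them against the server's PermittedPeer pattern before deploying.
cert_names() {  # $1 = certificate path
    certtool --certificate-info --infile "$1" | grep -E 'Subject:|DNSname'
}

# Usage: sh mkcerts.sh run [ca-dir]
if [ "${1:-}" = "run" ]; then
    command -v certtool >/dev/null 2>&1 || { echo "certtool (gnutls-bin) is not installed" >&2; exit 1; }
    cadir="${2:-./lab-ca}"
    make_ca "$cadir"
    issue_host_cert "$cadir" vm30.student.lab 2
    cert_names "$cadir/vm30.student.lab/machine-cert.pem"
fi
```

Run it as sh mkcerts.sh run on the CA; each host then gets its own directory containing machine-key.pem and machine-cert.pem, and only those two files plus ca.pem are copied to that host. Keep the template files and a note of the serial used for each host beside ca-key.pem so that a certificate can be reissued or revoked later.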


<html><p>Now copy ca.pem, machine-key.pem and machine-cert.pem to the rsyslog server over a secure channel such as scp. Do not copy ca-key.pem; it stays on the CA.</p> <br /> <p style="font-weight:bold;">Back on the RSyslog Server:</p> <br /> <p>Put ca.pem, machine-key.pem and machine-cert.pem in the /rsyslog/protected/ directory, creating it first, and make sure the directory and the private key are readable by root only.</p> </html>

sudo sh -c "mkdir -p /rsyslog/protected && mv ca.pem machine-key.pem machine-cert.pem /rsyslog/protected/"
sudo sh -c "chown -R root:root /rsyslog/protected && chmod 700 /rsyslog/protected && chmod 400 /rsyslog/protected/machine-key.pem"


RSyslog Configuration File

<html><p>Now add the following to /etc/rsyslog.conf. Keep the existing rules that write to the files under /var/log; these lines only add the TLS listener and the database output.</p></html>

$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
$ModLoad ommysql # MySQL plugin
 
# make gtls driver the default
$DefaultNetstreamDriver gtls
 
# certificate files
$DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem
$DefaultNetstreamDriverCertFile /rsyslog/protected/machine-cert.pem
$DefaultNetstreamDriverKeyFile /rsyslog/protected/machine-key.pem
 
# server authentication settings
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.student.lab
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514
 
# MySQL database output: host, database, user, password.
# Database and user were created by dbconfig-common; the password is the one
# chosen for the "rsyslog" user when rsyslog-mysql was installed.
*.*     :ommysql:127.0.0.1,Syslog,rsyslog,mSySs4qPl
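The configuration above ties together three things that are easy to get wrong on a live server: the permissions on the private key, the database password sitting in clear text in a config file that Debian installs as 0644, and certificate paths that must exist before the gtls driver can start. The following pre-flight script is an added example, not part of the original page; it assumes GNU coreutils stat (Linux), uses the paths from this page as defaults, and the names of its functions are its own.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for the
# rsyslog server before the restart. Assumes GNU coreutils stat (Linux);
# the default paths are the ones used on this page.
set -e

CONF=/etc/rsyslog.conf
KEYDIR=/rsyslog/protected

# A private key (or the CA cert that anchors trust) must be owned by the
# expected user and have no group/other bits, i.e. mode 0400 or 0600.
file_is_private() {  # $1 = path, $2 = expected owner (default root)
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "${2:-root}" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# The ommysql action line carries the database password in clear text.
# Debian installs /etc/rsyslog.conf as 0644, so if this file has such a
# line its "other" permission digit must be 0.
conf_hides_password() {  # $1 = config path
    grep -q ':ommysql:' "$1" || return 0   # no password in this file
    case "$(stat -c '%a' "$1")" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Every certificate/key path named by the netstream driver directives must
# exist; otherwise the gtls driver cannot initialise and the TLS listener
# will not come up.
conf_cert_files_exist() {  # $1 = config path
    awk '/^\$DefaultNetstreamDriver(CA|Cert|Key)File/ { print $2 }' "$1" |
    while read -r f; do
        [ -f "$f" ] || { echo "missing: $f" >&2; exit 1; }
    done
}

# Is a TCP listener bound on the given port? (run after the restart)
listener_up() {  # $1 = port
    netstat -tln 2>/dev/null | grep -q "[:.]$1 "
}

run_checks() {
    rc=0
    file_is_private "$KEYDIR/machine-key.pem" || { echo "machine-key.pem is not root-only" >&2; rc=1; }
    conf_hides_password "$CONF" || { echo "$CONF is world-readable but contains the DB password" >&2; rc=1; }
    conf_cert_files_exist "$CONF" || rc=1
    return $rc
}

# Only run against the live system when invoked explicitly:
#   sudo sh preflight.sh check
[ "${1:-}" = "check" ] && run_checks
```

If conf_hides_password fails, sudo chmod 640 /etc/rsyslog.conf fixes it on Lenny, where rsyslogd runs as root; alternatively move the ommysql line into its own file under /etc/rsyslog.d/ with the same restricted mode. After the restart, listener_up 10514 confirms that the TLS listener is actually bound.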

Restart the RSyslog Service

<html><p>Two things to check before restarting. First, the ommysql line holds the database password in clear text and Debian installs /etc/rsyslog.conf world-readable (0644), so tighten it with sudo chmod 640 /etc/rsyslog.conf. Second, look in /etc/rsyslog.d/ for a mysql.conf that dbconfig-common may have generated when rsyslog-mysql was installed; if it already contains an ommysql action, keep only one of the two, otherwise every message is inserted into the database twice. Then restart rsyslog to apply the changes.</p></html>

sudo /etc/init.d/rsyslog restart

<html><p>That's it. Our syslog server is configured. Confirm that the listener is up with sudo netstat -tlnp | grep 10514, and watch /var/log/syslog for gtls or ommysql errors when the first client connects. Later we'll come back and install LogAnalyzer, a PHP-powered graphical front end for viewing and searching the logs stored in the syslog database.</p></html>

user/ryoung12/portfolio/rsyslog.txt · Last modified: 2010/05/21 21:45 by ryoung12