SDB:Syslog server

From openSUSE


Version: 10.0 - applies to openSUSE 10.0 and later, and to SLED/SLES 10 and later.


Notes

This procedure is deliberately written to use the openSUSE GUI to reach its goals. The author could have shortened it considerably with command-line entries; however, openSUSE was created as a GUI interface to Linux, and not using that interface would be in complete conflict with the product's design and purpose.


The author has no financial or other gain in recommending this software. It is only my personal recommendation after trying a variety of different software packages.

Objective

Simplicity - Based on a KDE Desktop.

Capture and display of system logs generated by routers/IDS/IDP devices, sent to a designated IP as destination; this captures the facilities local0-7.

Limitations: severity can, at the time of writing, only be determined by filtering in the display tool KSystemLog. Open YaST > Software Management > Search and search for "monitor" or "ksystemlog". If you are not running a KDE desktop, I am sorry, but I am not aware of any other real-time system log monitoring facilities, and KSystemLog has KDE dependencies.

Situation

Many of us have routers and/or intrusion detection devices that produce logs which often need to be monitored in real time.

Many of us will be happy to display the syslog data using KSystemLog, which you can download and install from the extra applications located on the SUSE servers. The version of KSystemLog for KDE3 is totally different from KSystemLog for KDE4, as the application depends on the KDE library files to function.

Procedure

Note: if you do NOT intend to use KSystemLog and instead use other logging software that comes ready to listen on UDP 514, do NOT modify the syslog-ng file on that PC as directed below. You only need to modify the syslog server's syslog-ng file if you use KSystemLog, which has no innate ability to listen for UDP 514 events. In all cases, however, you will need to open the firewall for UDP 514.

Modify ALL sending devices to send their syslog traffic to the IP chosen to Monitor and Log the messages.

The PC you have chosen to receive the syslog data must have a static IP. If you use DHCP, you can take advantage of setting up the network interface to use DHCP+Zero Config; this ensures that DHCP maps the same IP to your syslog server. Alternatively you can simply define a static IP.

1. By default the sending device sends its log to the designated IP listening on UDP 514. To allow the receiving PC to display the data stream you will need to change the firewall. Add to the "allowed services" by opening YaST > Security and Users > Firewall > Allowed Services > Advanced and inserting 514 on the UDP line. NB: DO NOT open TCP 514. This would open the receiving PC to remote access, which would fundamentally undermine its security.

3. Open your favourite text editor in root mode. This can be done via "File Manager - Super user mode" or by directly opening "kate" in root mode.

4. Locate the directory /etc/syslog-ng. Right-click and open the file syslog-ng.conf with Kate.

5. Towards the beginning of the file, just after the 'acpid messages' section, insert the following line (without a number). It makes syslog-ng listen for syslog-formatted messages sent by routers or intrusion detection systems to this IP, for real-time monitoring. As no destination is specified, the destination log will be the system log file "messages".

    source src { internal(); udp(ip("0.0.0.0") port(514)); };

Save and close the file.

6. Open an X-term as root and use the commands "rcsyslog stop" and "rcsyslog start", or "rcsyslog restart". The response should be a green "done". If you receive a red error "unable to parse line nnn", open the file with Kate and examine the indicated line number nnn for syntax errors. If you are using another syslog monitor or analyzer, this procedure is NOT for you: UDP 514 can only be captured once by this procedure. If you use an analyzer such as Eventgnosis, mentioned below under Links, on the same PC, the syslog-ng file must NOT be changed!

Note well: if you are using openSUSE prior to 10.2, READ VERY CAREFULLY THE INSTRUCTIONS ON HOW TO MAKE YOUR CHANGE PERMANENT! If the syslog-ng.conf file begins with "#DO NOT EDIT THIS FILE...", you are running a version of openSUSE prior to 10.2 and will need to read and understand the openSUSE documented procedure for editing this file permanently.

7. The above changes to syslog-ng make the chosen PC listen for any traffic sent to its IP on UDP 514 and write it to the file /var/log/messages. Open KSystemLog from the menu; by default the System Log should be displayed, but this may not be the case, in which case manually configure KSystemLog to display /var/log/messages.
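As an added example (not part of this SDB page, openSUSE or syslog-ng): a small Python decoder of the BSD-syslog <PRI> field, which is what lets a script sort the datagrams arriving on UDP 514 by facility (local0-7, as in the Objective) and by severity, the filtering that the Limitations note says KSystemLog has to do for you. The sample datagrams are constructed.

```python
import re

# RFC 3164 facility and severity names. The routers and IDS devices described on this
# page send on the local0..local7 facilities, codes 16..23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(message):
    """Decode the <PRI> prefix of a BSD-syslog datagram; None if absent or out of range."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:   # 191 = local7.debug, the highest legal PRI
        return None
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility * 8 + severity
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "text": m.group(2).strip()}

def is_local_facility(parsed):
    return parsed is not None and parsed["facility"].startswith("local")

def filter_messages(messages, max_severity="warning"):
    """Keep local0-7 messages at or above max_severity (a lower code is more severe)."""
    limit = SEVERITIES.index(max_severity)
    kept = []
    for msg in messages:
        p = parse_pri(msg)
        if is_local_facility(p) and SEVERITIES.index(p["severity"]) <= limit:
            kept.append(p)
    return kept

# Constructed sample datagrams, as a router (local0) and an IDS (local4) might send them.
SAMPLE = [
    "<134>Jan 10 12:00:01 router01 link: eth0 up",               # local0.info
    "<131>Jan 10 12:00:05 router01 wan: ppp0 down",              # local0.err
    "<164>Jan 10 12:00:07 ids01 alert: signature 1001 matched",  # local4.warning
    "<14>Jan 10 12:00:09 host cron: job done",                   # user.info, not local0-7
    "datagram without a PRI field",
]

if __name__ == "__main__":
    for p in filter_messages(SAMPLE):
        print(p["facility"], p["severity"], p["text"])
```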

Links

If you find that KSystemLog cannot fulfil your requirements for monitoring syslog information, purpose-built syslog software is available at the link below. Eventgnosis offer a free version of their Event Centre software which will fulfil most small users' requirements for purpose-built system logging, trigger actions, display and file management.

The Event Centre software DOES NOT require any modifications to the syslog-ng file and will fulfil most system log management needs.

Event Centre is more than capable of complex monitoring of a variety of system logs, not restricted to UDP 514 capture on the host PC. It can manage, display, set user actions, set user triggers and present user reports for almost all text- and UDP-based syslog activity on its host PC and for other PCs' text logs around the network. After installing Event Centre you should contact support to automate a script that executes the Event Centre software after system boot.

http://eventgnosis.com/syslog.html

http://en.opensuse.org/SDB:Enterprise_Syslog_Server