SDB:Syslog server
From openSUSE
Version: 8.0 - Valid for Suse Linux 10.0 and above
Objective
Simplicity: based on a KDE desktop.
Capture and display of system logs generated by routers, IDS and IDP devices and sent to a designated destination IP. The server captures facilities local0 to local7.
Limitations: at the time of writing, severity can only be determined by filtering in the display vehicle, KSystemLog. To install it, open YaST > Software Management > Search > "ksystemlog". Searching for "monitor" will also list the other openSUSE monitoring tools; consider their value for your situation. If you are not running a KDE desktop, I am sorry, but I am not aware of any other real-time system log monitoring facility, and KSystemLog has KDE dependencies. I have exchanged various emails with the author of KSystemLog about further enhancements and additional useful functionality for the application, and we will all see those enhancements in future versions.
Situation
Many of us have routers and/or intrusion detection devices that produce logs which often need to be monitored in real time.
If you need complex event logging, real-time display and reporting, the software below fulfils the requirements for mission-critical event management and installs from a single .RPM file. Free and licensed versions are available; contact support@eventgnosis.com for SUSE Linux specific execution and auto-start scripts. This software is perfectly stable on openSUSE x86_64, however you will need to initiate the start script in a 32-bit X-term.
http://eventgnosis.com/syslog.html
This software comes in a free version plus two licensed versions. It runs on SUSE Linux (.RPM format) and on Windows, and is suggested where data logging and analysis are critical to your business: it fulfils the requirement for mission-critical event management of a large number of syslog messages from a large number of sources. If you do NOT intend to use KSystemLog and instead use any other event-log system that comes ready to listen on UDP 514, do NOT modify the syslog-ng file on that PC as directed below.
If you also want to display or monitor the Linux system log from every PC in your network, you should also read
http://en.opensuse.org/SDB:Enterprise_Syslog_Server
Note well: if you want to display router/IDS/system logs on a single PC AND you are running management software on that PC, you will not be able to view the data in KSystemLog. ALL data, regardless of source, sent to the default port UDP 514 will be captured by the management software. There IS a procedure, yet to be published, that will enable KSystemLog to display the data while any management software is also operating.
Procedure
This article provides a possible solution for viewing logs in real time; these logs can reach 10,000 message lines per hour and are updated by the millisecond. The procedure is deliberately written to use the openSUSE GUI to reach its goals. The author could have shortened it considerably using command line entries, however openSUSE has been created as a GUI interface for Linux, and not using that interface is in complete conflict with the product's design and purpose.
Open Suse Linux Software Required
The KDE log viewer KSystemLog is required to view the log. The version currently available in 10.2 is a little unstable in particular situations, however the bug and further enhancements have been reported and requested prior to this date. The instability is confined to global changes made in the application; once a successful session has been started it seems very reliable. After code corrections have been made in log viewer version 0.3.2-47, the log viewer can be relied on to mission-critical standards. No testing has been done for adding KSystemLog to a GNOME desktop, and feedback in this respect would be gratefully received.
There is a complete rewrite of KSystemLog available from http://ksystemlog.forum-software.org/, however this version is ONLY suitable for KDE4, which will ship with openSUSE 11.0, being developed now. There is a far better version of KSystemLog available for openSUSE 10.3, however you will need to download version 0.3.2 from http://ksystemlog.forum-software.org/archives/src/ and compile your own .rpm file.
Procedure
Note*** If you do NOT intend to use KSystemLog and instead use any other event-log system such as Eventgnosis, which comes ready to listen on UDP 514, do NOT modify the syslog-ng file on that PC as directed below. You only need to modify the syslog server's syslog-ng file if you use KSystemLog, which has no innate ability to listen for UDP 514 events. In all cases, however, you will need to open the firewall for UDP 514.
1. By default the sending device will send the log to a designated IP listening on UDP 514. To allow the receiving IP to display the data stream you will need to change the firewall. Add it to the "allowed services" by opening YaST > Security and Users > Firewall > Allowed Services > Advanced and entering 514 on the UDP line. NB: DO NOT open TCP 514. This would open the receiving PC to remote access, which would fundamentally undermine its security.
3. Open your favourite text editor in root mode. This can be done via "File Manager - Super User Mode" OR by directly opening "kate" in root mode.
4. Locate the directory /etc/syslog-ng. Right-click and open the file syslog-ng with Kate.
5. Towards the beginning of the file, just after the 'acpid messages' section, insert the following.
- Insert the following line (without the list marker) to listen for syslog-formatted messages sent by routers or Intrusion Detection Systems to this IP for real-time monitoring.
- Note: as no destination is specified, the messages will be written to the default system log file "messages".
- source src {internal();udp(ip("0.0.0.0") port(514));};
Save and close the file.
6. Open an X-term as root and use the commands "rcsyslog stop" and "rcsyslog start", OR "rcsyslog restart". The response should be a green "done". If you receive a red error, "error unable to parse line nnn", open the file with Kate and examine the syntax of the line number given as nnn. If you are using another syslog monitor or analyser, this procedure is NOT for you: UDP 514 can only be captured once by this procedure. If you use an analyser such as Eventgnosis, mentioned above, on the same PC, the syslog-ng file must NOT be changed!
It IS possible to display UDP 514 messages AND run a syslog analyser on the same PC, however that procedure is outside the scope of this document. It involves changing the destination port of one of the monitoring applications.
Note well: if you are using openSUSE prior to 10.2, READ VERY CAREFULLY THE INSTRUCTIONS ON HOW TO MAKE YOUR CHANGE PERMANENT! If the syslog-ng.conf file begins with "#DO NOT EDIT THIS FILE..." you are running a version of openSUSE prior to 10.2 and you will need to understand and follow the documented openSUSE procedure.
7. Open KSystemLog from the menu. By default the System Log should be displayed. You can edit the settings and remove "/var/log/NetworkManager" if you wish.
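A check for the procedure above, added here as an example and not part of the original article: it builds a syslog message in the format a router or IDS sends (facility local0, severity info, PRI = facility * 8 + severity), sends it to the UDP 514 listener using bash's /dev/udp, and greps /var/log/messages for it. The environment variables SYSLOG_CHECK and SYSLOG_SERVER, the host name "router-test" and the tag "syslogtest" are assumptions of this example.

```shell
# Added example (not from the original article). Assumes bash (for /dev/udp),
# root (to read /var/log/messages) and a syslog-ng udp() source on port 514.

# RFC 3164 PRI value = facility * 8 + severity.
# local0..local7 are facilities 16..23; severity 6 is "info", 0 is "emerg".
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build a BSD-syslog line as a router or IDS would send it:
#   <PRI>Mmm dd HH:MM:SS host tag: message
syslog_line() {
    local facility=$1 severity=$2 host=$3 tag=$4 msg=$5
    printf '<%d>%s %s %s: %s' "$(syslog_pri "$facility" "$severity")" \
        "$(date '+%b %e %H:%M:%S')" "$host" "$tag" "$msg"
}

# Is anything bound to UDP 514? (ss on current systems, netstat on 10.x)
listener_up() {
    if command -v ss >/dev/null 2>&1; then
        ss -uln | grep -q ':514[[:space:]]'
    else
        netstat -uln | grep -q ':514[[:space:]]'
    fi
}

# Send one constructed local0/info message carrying a unique marker.
send_test_message() {
    local server=$1 marker="SYSLOGTEST-$$"
    syslog_line 16 6 router-test syslogtest "$marker" > "/dev/udp/$server/514"
    echo "$marker"
}

# Did it land in the default destination, /var/log/messages?
check_delivery() {
    sleep 1
    grep -q "$1" /var/log/messages
}

# Run the end-to-end check only when asked: SYSLOG_CHECK=1 [SYSLOG_SERVER=ip]
if [ "${SYSLOG_CHECK:-0}" = 1 ]; then
    listener_up || { echo "nothing listening on UDP 514: recheck steps 5 and 6"; exit 1; }
    marker=$(send_test_message "${SYSLOG_SERVER:-127.0.0.1}")
    if check_delivery "$marker"; then
        echo "OK: $marker reached /var/log/messages"
    else
        echo "NOT delivered: recheck the firewall (UDP 514) and syslog-ng"
    fi
fi
```

Run it on the syslog server itself with SYSLOG_CHECK=1; a marker that never reaches /var/log/messages while the listener is up points at the firewall step, not at syslog-ng.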
Links
http://eventgnosis.com/syslog.html
http://en.opensuse.org/SDB:Enterprise_Syslog_Server
Keywords: Syslog-ng | Syslog Server | System Log | Event Management | Eventgnosis