Centralised Syslog Daemon

6 02 2010

Network traffic logs are generated all over the network, and some of them are recorded as event logs on the individual devices. Important traffic logs can be viewed on the network devices themselves, but centralising the logs makes administrators’ tasks a lot easier.

I implemented this system on CentOS 5 with rsyslog and phplogcon. You can choose Syslog-ng as an alternative.

Prerequisite

1. Make sure all of these are installed
yum install rsyslog rsyslog-mysql
yum install mysql-server
yum install httpd php php-mysql php-gd

2. Start mysql service
/etc/init.d/mysqld start
3. Create rsyslog database
mysql < /usr/share/doc/rsyslog-mysql-2.0.6/createDB.sql
4. Add a user for rsyslog. Execute these commands in mysql.
CREATE USER 'syslog'@'localhost' IDENTIFIED BY 'p$ss4w*rd';
GRANT ALL ON Syslog.* TO 'syslog'@'localhost';
FLUSH PRIVILEGES;

*** You should change the root password after installing MySQL. See this for more details.
5. Edit /etc/rsyslog.conf by adding the lines below at the top of the file.
$ModLoad ommysql
*.*     :ommysql:127.0.0.1,Syslog,syslog,p$ss4w*rd

***Please consider the loopback IP carefully, because I got the error message “Can’t connect to [local] MySQL server” while using localhost rather than the loopback IP. The reason is that rsyslog uses TCP/IP to connect to MySQL, but my localhost utilises the Unix socket file. To see the difference, run these commands
mysqladmin version
mysqladmin -h 127.0.0.1 version

More details…
6. Create a symbolic link to the module.
ln -s /usr/lib/rsyslog/ommysql.so /usr/lib/rsyslog/ommysql
7. Edit /etc/sysconfig/rsyslog and add the “-r” option.
SYSLOGD_OPTIONS="-m 0 -r"
8. Stop syslog and start rsyslog.
/etc/init.d/syslog stop
/etc/init.d/rsyslog start

9. If everything went well, /var/log/messages will not contain any error messages.
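
With “-r” set, rsyslogd accepts syslog messages on UDP port 514 from any host that can reach it, so the port should be reachable only from the machines that are meant to send. The following is an added example, not code from the original post: it decodes the PRI value at the front of each received RFC 3164 line into facility.severity and counts, per sending host, the messages at severity err or worse, which is the first thing to look at in a central log. The sample lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): decode and triage RFC 3164
# syslog lines of the kind rsyslogd receives on UDP/514 once "-r" is set.
# PRI = facility * 8 + severity, using the standard facility/severity names.

# syslog_pri_decode <pri>  ->  prints "facility.severity"; status 1 if invalid
syslog_pri_decode() {
    pri=$1
    case $pri in
        ''|*[!0-9]*) echo invalid; return 1 ;;
    esac
    if [ "$pri" -gt 191 ]; then echo invalid; return 1; fi
    fac=$((pri / 8))
    sev=$((pri % 8))
    set -- kern user mail daemon auth syslog lpr news uucp cron authpriv ftp \
           ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7
    shift "$fac"
    facname=$1
    set -- emerg alert crit err warning notice info debug
    shift "$sev"
    printf '%s.%s\n' "$facname" "$1"
}

# errors_by_host < lines  ->  "host count" for messages at severity err or worse
errors_by_host() {
    awk '
        match($0, /^<[0-9]+>/) {
            pri = substr($0, 2, RLENGTH - 2) + 0
            sub(/^<[0-9]+>/, "")          # drop PRI so $4 is the hostname
            if (pri % 8 <= 3) n[$4]++     # severities 0 emerg .. 3 err
        }
        END { for (h in n) printf "%s %d\n", h, n[h] }
    ' | sort
}

# Constructed sample input (not real traffic).
SAMPLE_LOG='<86>Feb  6 10:01:02 fw01 sshd[2201]: Accepted publickey for admin from 192.168.51.10
<34>Feb  6 10:01:05 fw01 sshd[2202]: error: maximum authentication attempts exceeded for root from 192.168.52.77
<13>Feb  6 10:02:11 web01 httpd: server started
<27>Feb  6 10:02:30 web01 kernel: Out of memory: kill process 4411'

main_demo() {
    for p in 86 34 13 27; do
        printf 'PRI %s = %s\n' "$p" "$(syslog_pri_decode "$p")"
    done
    printf '%s\n' "$SAMPLE_LOG" | errors_by_host
}

main_demo
```

The same functions can be pointed at a file that rsyslog writes for remote hosts, or at rows exported from the Syslog database, as long as the PRI is still present at the front of each line.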

Deploy phplogcon

1. Get phplogcon or
wget http://www.virtualxp.org/downloads/phplogcon-2.6.4.tar.gz
2. Unpack it and copy the contents of the src directory to /var/www/html/rsyslog
mkdir /var/www/html/rsyslog
gunzip phplogcon-2.6.4.tar.gz
tar -xvf phplogcon-2.6.4.tar
cp -r phplogcon-2.6.4/src/* /var/www/html/rsyslog

3. Create the configuration file
cd /var/www/html/rsyslog
touch config.php
chown apache config.php

4. Open a web browser and go to http://localhost/rsyslog. It will guide you through the configuration process. Make sure you select MySQL Native as the source type. A comprehensive guide is provided here.





SARG

22 01 2010

When you run Squid, you cannot avoid looking at squid’s access.log.
Using the tail command to watch accesses in real time is uncomfortable, and the output is hard to analyse. SARG (Squid Analysis Report Generator) is a good choice to tackle this. Before installing sarg, we need squid and apache running on the target system.

I used CentOS 5.2 and Squid 2.6 stable21 with this version of sarg

1. Install sarg


> wget http://dag.wieers.com/rpm/packages/sarg/sarg-2.2.3.1-1.el5.rf.i386.rpm
> rpm -ivh sarg-2.2.3.1-1.el5.rf.i386.rpm

2. Enable apache by

> /sbin/chkconfig --add httpd

> /sbin/chkconfig --level 2345 httpd on

** Start httpd manually by

> /usr/sbin/apachectl start

3. Edit sarg.conf

> nano /etc/sarg/sarg.conf

4. Uncomment access_log and output_dir. Note that their directories must be changed to match the real locations on our target system.

5. Now sarg is ready to run; just type

> sarg -l /var/log/squid/access.log

You will see an HTML report inside output_dir, and now our access log is a lot easier to analyse.

6. To run sarg periodically, make sure there is a sarg task in /etc/crontab.
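
As an added example, not part of the original post, the script below produces a small per-client summary straight from Squid’s native access.log, the same data SARG reports on, so the numbers in a SARG report can be checked by hand: requests, bytes and denied requests per client, and the most requested hosts. The log lines are constructed for the example; the field layout (time, elapsed, client, action/code, bytes, method, URL, ident, hierarchy/peer, type) is Squid’s native format.

```shell
#!/bin/sh
# Added example (not part of the original post): a tiny per-client summary of
# Squid's native access.log. Native log fields:
#   time elapsed client action/code bytes method URL ident hierarchy/peer type

# squid_summary < access.log  ->  "client requests bytes denied" per client
squid_summary() {
    awk '
        NF >= 7 {
            req[$3]++
            bytes[$3] += $5
            if ($4 ~ /^TCP_DENIED\//) denied[$3]++
        }
        END {
            for (c in req)
                printf "%s %d %d %d\n", c, req[c], bytes[c], denied[c] + 0
        }
    ' | sort
}

# squid_top_hosts < access.log  ->  "host hits", most requested first
squid_top_hosts() {
    awk '
        NF >= 7 {
            url = $7
            sub(/^[a-z]+:\/\//, "", url)   # strip scheme
            sub(/\/.*/, "", url)           # keep host[:port]
            sub(/:[0-9]+$/, "", url)       # drop port (CONNECT host:443)
            hits[url]++
        }
        END { for (h in hits) printf "%s %d\n", h, hits[h] }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample lines (not a real log).
SAMPLE_ACCESS_LOG='1264000001.101   120 192.168.51.10 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1264000002.202    45 192.168.51.10 TCP_HIT/200 2048 GET http://www.example.com/logo.png - NONE/- image/png
1264000003.303    10 192.168.52.77 TCP_DENIED/407 1850 GET http://www.example.org/ - NONE/- text/html
1264000004.404   300 192.168.52.77 TCP_MISS/200 70000 CONNECT mail.example.net:443 - DIRECT/198.51.100.5 -
1264000005.505    12 192.168.52.77 TCP_DENIED/403 1700 GET http://blocked.example.net/ - NONE/- text/html'

printf '%s\n' "$SAMPLE_ACCESS_LOG" | squid_summary
printf '%s\n' "$SAMPLE_ACCESS_LOG" | squid_top_hosts
```

A client with many TCP_DENIED/407 entries is one that never authenticates (see the NTLM post), while TCP_DENIED/403 counts are requests the ACLs refused; both are worth a look before the bytes column.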

Oh, I got this interesting Linux certification link during my experiment.





NTLM Authentication in Squid

21 01 2010

I spent so much time configuring squid on Debian, but finally I changed to CentOS. It turned out well. OK, I won’t waste more lines explaining my feelings.

1. Make sure our CentOS is synchronised with the DC.

2. These packages must be installed:

> rpm -qa [package-name]

> yum install krb5-workstation samba authconfig

3. Install Squid

> yum install squid

4. Edit /etc/samba/smb.conf with the authconfig command

# authconfig --enableshadow --enablemd5 --passalgo=md5 --krb5kdc=sun.ambient.local \
--krb5realm=AMBIENT.LOCAL --smbservers=sun.ambient.local --smbworkgroup=AMBIENT \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=AMBIENT.LOCAL \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/false" --enablewinbindusedefaultdomain --disablewinbindoffline \
--winbindjoin=Administrator --disablewins --disablecache --enablelocauthorize --updateall

**My Domain: AMBIENT.LOCAL

**DC computername: SUN.AMBIENT.LOCAL

**CentOS Web proxy Server’s name: centos

5. Change the security line in the global section of /etc/samba/smb.conf

> security = ads

Moreover, refer to the right domain name inside /etc/krb5.conf.

*** You can test the smb.conf configuration with

> testparm

6. Join centos to the DC

> /usr/bin/net join -w AMBIENT -S sun.ambient.local -U Administrator

Then enter the password.

7. Restart the winbind service

> /etc/init.d/winbind restart

8. If it is successful, you will be able to traverse AD users and groups

> wbinfo -u
> wbinfo -g

9. Set up and configure Squid. Please see the old post.

10. Add the NTLM authentication settings

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=SUN+internetuser
auth_param ntlm children 5
auth_param ntlm keep_alive on

acl myNetwork src 192.168.51.0/24 192.168.52.0/24

acl ntlm proxy_auth REQUIRED
http_access allow myNetwork ntlm

**internetuser is in lowercase.

11. Restart squid

> /etc/init.d/squid restart

12. Now, every client that uses the proxy must be logged in to the DC before going online.
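
To make the effect of the myNetwork and ntlm ACLs concrete, here is an added example that is not part of the original post: a small shell evaluator that mirrors the http_access rule above. Squid ANDs every ACL named on one http_access line, so a request passes only when the client address is inside one of the myNetwork prefixes and the NTLM helper has authenticated it; when no http_access line matches, squid applies the opposite of the last line, which with this single allow line means deny. The CIDR arithmetic is written out by hand so the prefix matching can be tested offline.

```shell
#!/bin/sh
# Added example (not from the original post): evaluator for the page's rules
#   acl myNetwork src 192.168.51.0/24 192.168.52.0/24
#   acl ntlm proxy_auth REQUIRED
#   http_access allow myNetwork ntlm

# ip_to_int 192.168.51.10  ->  dotted quad as an integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr <ip> <network/bits>  ->  status 0 if the address is inside the prefix
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

MY_NETWORK="192.168.51.0/24 192.168.52.0/24"   # the page's myNetwork acl

# squid_decide <client-ip> <authenticated: yes|no>  ->  prints allow or deny
# Both conditions on the http_access line must hold; anything else is denied,
# the opposite of the last (and only) http_access line.
squid_decide() {
    for prefix in $MY_NETWORK; do
        if in_cidr "$1" "$prefix" && [ "$2" = yes ]; then
            echo allow
            return 0
        fi
    done
    echo deny
}

for case in "192.168.51.10 yes" "192.168.51.10 no" "10.0.0.5 yes"; do
    set -- $case
    printf '%-15s authenticated=%-3s -> %s\n' "$1" "$2" "$(squid_decide "$1" "$2")"
done
```

An unauthenticated client inside myNetwork is what produces the TCP_DENIED/407 lines in access.log: squid answers 407 to ask for credentials, and the request is only allowed once the helper confirms the user.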

Quite long and a little bit complicated, but it is as clear as I can make it.

For more details, please see this





Time Synchronisation in CentOS

21 01 2010

3 steps and then you will be synchronised.

1. Make sure you have ntpd

> rpm -qa ntp

If nothing is returned, you need to install NTP first.

> yum install ntp

2. It is time to synchronise (ntpd must be disabled while ntpdate runs).

> ntpdate time.navy.mi.th

3. Turn on the ntpd service

> /etc/init.d/ntpd restart





msconfig-like setting in CentOS

21 01 2010

To illustrate, let’s look at the run levels in CentOS by displaying the inittab file.

> less /etc/inittab

Then you’ll see the details of the run levels.

Level

Level 0 Halt
Level 1 Single User Mode
Level 2 Multiuser Mode but no NFS (no networking)
Level 3 Full Multiuser Mode
Level 4 Unused
Level 5 X11 (Default)
Level 6 Reboot

OK, now we can examine all the services in our CentOS by
> /sbin/chkconfig --list

If we want to enable a service to run after booting up the system, just

> /sbin/chkconfig --add squid
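
The list from chkconfig --list is long, and the useful question is usually “what starts at the run level this machine boots into, and should it?”. The script below is an added example, not code from the original post: it parses chkconfig --list output for one run level and reports anything enabled there that is not on an expected list, which is the quick way to spot a service that was never meant to start at boot. The listing is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): parse "chkconfig --list" output
# and report what starts at a given runlevel, plus anything enabled there that
# is not on an expected list.

# services_on_at_level <runlevel> < listing  ->  sorted service names
services_on_at_level() {
    awk -v lvl="$1" '
        NF == 8 {                        # name + seven "N:on|off" columns
            for (i = 2; i <= NF; i++)
                if ($i == lvl ":on") print $1
        }
    ' | sort
}

# unexpected_services <runlevel> "<allowed names>" < listing
# prints services enabled at the runlevel that are not in the allowed list
unexpected_services() {
    lvl=$1
    allowed=" $2 "
    services_on_at_level "$lvl" | while read -r svc; do
        case "$allowed" in
            *" $svc "*) ;;                # expected, say nothing
            *) echo "$svc" ;;
        esac
    done
}

# Constructed listing (not from a real host); xinetd lines have a different
# shape and are skipped by the NF == 8 check.
LISTING='httpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
squid           0:off   1:off   2:off   3:off   4:off   5:off   6:off
rsyslog         0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ntpd            0:off   1:off   2:off   3:on    4:off   5:on    6:off
xinetd based services:
        rsync:  off'

echo "enabled at runlevel 3:"
printf '%s\n' "$LISTING" | services_on_at_level 3
echo "enabled at runlevel 3 but not expected:"
printf '%s\n' "$LISTING" | unexpected_services 3 "rsyslog ntpd"
```

On a live host, replace the constructed listing with the real output: /sbin/chkconfig --list | unexpected_services 3 "rsyslog ntpd squid".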

In some cases you may want to run a scheduled task at a given time; you can control that with crontab.

See CentOS crontab for more details.