
howto

Setting up lggr requires some surrounding tools:

  • syslog-ng (with syslog-ng-mod-sql extension module)
  • stunnel
  • mysql (MariaDB 10.1 used here)
  • apache
  • php 7.x (7.0 used here)
  • composer (for initial setup)

And there is a difference between setting up the central lggr server and configuring the multiple clients logging to it.

Server

mysql

First create a database named logger and run the doc/db.sql script against it. It creates one major table, one server table, and four views. After that you have to create at least two MySQL users with different rights: one for writing into the table and one for reading from it. An example script, doc/user.sql, is included.

# create the following three mysql users:

# used by syslog-ng for inserting new data, referenced in /etc/syslog-ng/conf.d/08lggr.conf
GRANT INSERT,SELECT,UPDATE ON logger.* TO logger@localhost IDENTIFIED BY 'xxx';

# used by the web gui for normal viewing, referenced in inc/config_class.php
GRANT SELECT ON logger.* TO logviewer@localhost IDENTIFIED BY 'xxx';

# used by clean up cron job and for archiving, referenced in inc/adminconfig_class.php
GRANT SELECT,UPDATE,DELETE ON logger.* TO loggeradmin@localhost IDENTIFIED BY 'xxx';
GRANT SELECT,INSERT ON TABLE logger.servers TO loggeradmin@localhost;

# activate changes
FLUSH PRIVILEGES;

Be sure to use your own strong passwords.

Change the values in the inc/config_class.php and inc/adminconfig_class.php files.
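The three accounts above are the only place where the split between the writing (syslog-ng), reading (web GUI) and housekeeping (cron) roles is enforced, so it is worth checking periodically that nobody widened them. The following script is an added example, not part of lggr: it parses GRANT statements as MySQL/MariaDB prints them for SHOW GRANTS (or as written in doc/user.sql) and reports any privilege that goes beyond, or falls short of, the set above. The EXPECTED table, the function names and the sample SHOW GRANTS rows are constructed for this example.

```python
import re
import sys

# Intended privileges for the three lggr accounts, as granted in doc/user.sql above.
# Key: (user, host); value: grant target -> set of privileges allowed on that target.
EXPECTED = {
    ("logger", "localhost"): {"logger.*": {"INSERT", "SELECT", "UPDATE"}},
    ("logviewer", "localhost"): {"logger.*": {"SELECT"}},
    ("loggeradmin", "localhost"): {
        "logger.*": {"SELECT", "UPDATE", "DELETE"},
        "logger.servers": {"SELECT", "INSERT"},
    },
}

# Matches both SHOW GRANTS output ("GRANT SELECT ON `logger`.* TO 'x'@'localhost'")
# and the unquoted form used in doc/user.sql.
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?:TABLE\s+)?(?P<target>\S+)\s+TO\s+"
    r"'?(?P<user>[^'@\s]+)'?@'?(?P<host>[^'\s;]+)'?",
    re.IGNORECASE,
)


def parse_grant(line):
    """Return (user, host, target, privileges) for one GRANT statement.
    Backticks are stripped from the target; USAGE carries no rights and is dropped."""
    m = GRANT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a GRANT statement: {line!r}")
    target = m.group("target").replace("`", "")
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    privs.discard("USAGE")
    return m.group("user"), m.group("host"), target, privs


def audit_grants(grant_lines, expected=EXPECTED):
    """Compare GRANT statements against EXPECTED and return a list of findings.
    An empty list means every account holds exactly the intended privileges."""
    actual = {}
    for line in grant_lines:
        user, host, target, privs = parse_grant(line)
        if privs:
            actual.setdefault((user, host), {}).setdefault(target, set()).update(privs)

    findings = []
    for (user, host), targets in actual.items():
        if (user, host) not in expected:
            findings.append(f"unexpected account {user}@{host} with grants on {sorted(targets)}")
            continue
        for target, privs in targets.items():
            extra = privs - expected[(user, host)].get(target, set())
            if extra:
                findings.append(f"{user}@{host} has extra privileges {sorted(extra)} on {target}")
    for (user, host), targets in expected.items():
        for target, privs in targets.items():
            missing = privs - actual.get((user, host), {}).get(target, set())
            if missing:
                findings.append(f"{user}@{host} is missing {sorted(missing)} on {target}")
    return findings


# Constructed sample of what SHOW GRANTS prints on MariaDB for the three accounts.
SAMPLE_OK = [
    "GRANT USAGE ON *.* TO 'logger'@'localhost' IDENTIFIED BY PASSWORD '*HASH'",
    "GRANT SELECT, INSERT, UPDATE ON `logger`.* TO 'logger'@'localhost'",
    "GRANT USAGE ON *.* TO 'logviewer'@'localhost' IDENTIFIED BY PASSWORD '*HASH'",
    "GRANT SELECT ON `logger`.* TO 'logviewer'@'localhost'",
    "GRANT USAGE ON *.* TO 'loggeradmin'@'localhost' IDENTIFIED BY PASSWORD '*HASH'",
    "GRANT SELECT, UPDATE, DELETE ON `logger`.* TO 'loggeradmin'@'localhost'",
    "GRANT SELECT, INSERT ON `logger`.`servers` TO 'loggeradmin'@'localhost'",
]
# Constructed drift: the web GUI account was handed write access at some point.
SAMPLE_DRIFT = SAMPLE_OK[:3] + [
    "GRANT SELECT, INSERT, DELETE ON `logger`.* TO 'logviewer'@'localhost'"
] + SAMPLE_OK[4:]

if __name__ == "__main__":
    # Pipe in real output, e.g.:
    #   mysql -N -e "SHOW GRANTS FOR 'logviewer'@'localhost'" | python3 audit_grants.py
    # Without piped input the constructed drift sample is audited instead.
    if sys.stdin.isatty():
        lines = SAMPLE_DRIFT
    else:
        lines = [l for l in sys.stdin if l.upper().startswith("GRANT")]
    for finding in audit_grants(lines) or ["OK: grants match doc/user.sql"]:
        print(finding)
```

Run it against the SHOW GRANTS output of all three accounts at once; a grant on *.* or ALL PRIVILEGES shows up as "extra" because no such target is in the expected table, which is the point.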

syslog-ng

Create a file /etc/syslog-ng/conf.d/08lggr.conf containing:

options {
    keep_hostnames(yes);
};

source s_net {
    tcp( ip("127.0.0.1") port(514) max-connections(20) log-iw-size(2000) );
};

destination d_newmysql {
    sql(
        flags(dont-create-tables,explicit-commits)
        session-statements("SET NAMES 'utf8'")
        flush_lines(10)
        flush_timeout(5000)
        local_time_zone("Europe/Berlin")
        type(mysql)
        username("logger")
        password("xxx")
        database("logger")
        host("localhost")
        table("newlogs")
        columns("date", "facility", "level", "host", "program", "pid", "message")
        values("${R_YEAR}-${R_MONTH}-${R_DAY} ${R_HOUR}:${R_MIN}:${R_SEC}", "$FACILITY", "$LEVEL", "$HOST", "$PROGRAM", "$PID", "$MSGONLY")
        indexes()
    );
};

log {
    source(s_net); source(s_src); filter(f_no_debug); destination(d_newmysql);
};

With that configuration syslog-ng stores its own local messages (source s_src) and the ones it receives via TCP from the network. Note that the TCP source is bound to 127.0.0.1 only: we do not accept arbitrary external TCP connections but put stunnel in front of the listener so that only authenticated clients get through. On a trusted internal network you might skip that step and listen on IP 0.0.0.0 to accept connections directly.

Debian users might need some additional packages:

apt-get install syslog-ng-core syslog-ng-mod-sql
apt-get install libdbi1 libdbd-mysql

Depending on the Linux distribution and syslog-ng version you might have to enable one line within the file /etc/default/syslog-ng:

SYSLOGNG_OPTS="--no-caps"

Apache

Just extract the files into your web root folder, e.g. /var/www/lggr, and create a virtual host configuration. Adjust the database connection within inc/config_class.php to your needs, using the read-only MySQL user (logviewer).

To secure access to the GUI, a configured basic authentication is required. The root .htaccess file references an example user file /var/www/webuser. Create it with a command like:

htpasswd -c /var/www/webuser lggr

and enter a secure password.

For more security use an SSL/HTTPS connection to access the web GUI.

The cache directory within lggr needs write permissions for the web user.

PHP

You need at least version 7.0, I’m developing using 7.0.33.

stunnel

Creating a tunnel is somewhat more complex. You have to create a CA infrastructure with keys and certificates, distribute them to the clients and configure everything correctly.

For detailed information have a look at snippet.wiki.

To give some hints:

Enable stunnel within /etc/defaults/stunnel and create a configuration file /etc/stunnel/stunnel.conf:

CAfile = /etc/stunnel/cacert.pem
CApath = /etc/stunnel/certs/

cert = /etc/stunnel/logserver_cert.pem
key = /etc/stunnel/logserver_nopwd_key.pem
pid = /var/run/stunnel4.pid

verify = 3
debug = 5
[5140]
accept = 10.10.10.10:5140
connect = 127.0.0.1:514

Where 10.10.10.10 is your public external IP. Now stunnel should listen on port 5140 for external connections and forward the decrypted connection to the local syslog TCP port. The path to your pid file might differ.

Client

syslog-ng

Create a file /etc/syslog-ng/conf.d/10lggr.conf containing:

destination d_net { tcp("127.0.0.1" port(514) log_fifo_size(1000)); };
log { source(s_src); destination(d_net); };

stunnel

You should have these files:

  • cacert.pem (the root certificate of your private logging CA)
  • client_cert.pem (the client certificate signed by that CA)
  • client_nopwd_key.pem (the private key for that client, without password)

Reference these files in a new configuration file /etc/stunnel/syslog.conf:

client = yes
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/client_cert.pem
key = /etc/stunnel/client_nopwd_key.pem
verify = 2
debug = 5
[5140]
accept = 127.0.0.1:514
connect = 10.10.10.10:5140

Where the IP 10.10.10.10 is the public external IP of your logging server again.
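Once both sides are configured, the property you actually want to confirm is that the server-side stunnel (verify = 3) refuses a peer that presents no client certificate and accepts the one whose certificate you installed, and that a message sent through the tunnel carries a facility/level pair the server config will store (f_no_debug drops severity debug). The script below is an added example, not part of lggr or stunnel: it builds an RFC 3164 syslog line, then performs two TLS probes against the server's port 5140 using Python's standard ssl module in the role the client stunnel plays. The function names, the probe program name lggr-probe and the use of the 10.10.10.10 placeholder are this example's own assumptions; the certificate paths are the ones from the client section above.

```python
import socket
import ssl
import time

# RFC 3164 facility and severity codes. syslog-ng exposes them as $FACILITY and
# $LEVEL, which the server config above writes into the facility/level columns.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def build_syslog_line(facility, severity, host, program, pid, message, when=None):
    """Format one BSD-syslog (RFC 3164) line. PRI = facility * 8 + severity.
    The day of month is space-padded, as the RFC specifies."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    t = time.localtime(when)
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{stamp} {host} {program}[{pid}]: {message}\n"


def decode_pri(line):
    """Inverse of the PRI calculation: return (facility, severity) names for a line."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    pri = int(line[1:line.index(">")])
    fac_code, sev_code = divmod(pri, 8)
    facility = {v: k for k, v in FACILITIES.items()}[fac_code]
    severity = {v: k for k, v in SEVERITIES.items()}[sev_code]
    return facility, severity


def tls_probe(server, port, cafile, certfile=None, keyfile=None, payload="", timeout=5.0):
    """Connect to the server-side stunnel the way the client stunnel does.
    Returns True when the server accepts the session and keeps it open after the
    payload is written, False when the handshake or the session is refused."""
    try:
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
        # Private CA: the server certificate is checked against cacert.pem only,
        # not against a DNS name (that is what the client's verify = 2 does too).
        ctx.check_hostname = False
        if certfile:
            ctx.load_cert_chain(certfile, keyfile)
        with socket.create_connection((server, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server) as tls:
                tls.sendall(payload.encode())
                try:
                    # EOF here means the server closed the session after rejecting us.
                    return tls.recv(1) != b""
                except socket.timeout:
                    # syslog is write-only; silence means the message was taken.
                    return True
    except OSError:
        # ssl.SSLError, ConnectionRefusedError and timeouts all derive from OSError.
        return False


def check_tunnel(server, cafile, certfile, keyfile, port=5140):
    """Two probes: without a client certificate (must be refused by verify = 3)
    and with the client's certificate (must be accepted). Returns both verdicts."""
    # Severity info, not debug: the server's f_no_debug filter would drop debug.
    line = build_syslog_line("user", "info", socket.gethostname(), "lggr-probe", 0,
                             "stunnel probe")
    return {
        "anonymous_refused": not tls_probe(server, port, cafile, payload=line),
        "client_cert_accepted": tls_probe(server, port, cafile, certfile, keyfile,
                                          payload=line),
    }


if __name__ == "__main__":
    # Paths follow the client section above; 10.10.10.10 is the placeholder server IP.
    print(check_tunnel("10.10.10.10", "/etc/stunnel/cacert.pem",
                       "/etc/stunnel/client_cert.pem", "/etc/stunnel/client_nopwd_key.pem"))
```

Both values should be True; an "anonymous_refused" of False means the server stunnel is not actually requiring client certificates. After that, the probe line should appear in the newlogs table with facility user and level info within a few seconds, which exercises the syslog-ng SQL destination as well.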

Cron jobs

You might be interested only in current log entries. To purge old messages run the admin/cron.php in hourly or daily intervals. You can create the file /etc/cron.d/lggr containing:

30 1 * * * www-data /usr/bin/php /var/www/lggr/admin/cron.php
* * * * * www-data /usr/bin/php /var/www/lggr/admin/cron_often.php

By default it keeps the last 4 weeks of entries. To change that, pass the hours argument to the member function call within cron.php.

The second cron job admin/cron_often.php runs every minute and prepares server id/name relations.

Locales

To use a localized view your server must have the right locales installed. Calling locale -a should list at least en_US.utf8 and maybe de_DE.utf8; add your personal translation as you wish.