I've been following this rsyslog/logstash article to try to ship my applications' log files to a remote server, via rsyslog. From that page, here are the steps I've taken. Note that firewall and SELinux are off on both client (VM sending logs) and server (VM receiving logs). I have proven via netcat utility that I can send packets between client and server.
On my client side, I've configured my /etc/rsyslog.conf file like so:
# Load the imfile module
module(load="imfile" PollingInterval="10")
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Debugging
$DebugFile /var/log/rsyslog-debug.log
$DebugLevel 2
# General configuration
$RepeatedMsgReduction off
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName mainqueue
$ActionQueueMaxDiskSpace 500M
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
# Template for non json logs, just sends the message wholesale with extra
# # furniture.
template(name="textLogTemplate"
type="list") {
constant(value="{ ")
constant(value="\"type\":\"")
property(name="programname")
constant(value="\", ")
constant(value="\"host\":\"")
property(name="%HOSTNAME%")
constant(value="\", ")
constant(value="\"timestamp\":\"")
property(name="timestamp" dateFormat="rfc3339")
constant(value="\", ")
constant(value="\"#version\":\"1\", ")
constant(value="\"role\":\"app-server\", ")
constant(value="\"sourcefile\":\"")
property(name="$!metadata!filename")
constant(value="\", ")
constant(value="\"message\":\"")
property(name="rawmsg" format="json")
constant(value="\"}\n")
}
On client side, I have /etc/rsyslog.d/01-trm-error-logs.conf
input(type="imfile"
File="/usr/share/tomcat/dist/logs/trm-error.log"
Tag="trm-error-logs:"
readMode="2"
escapeLF="on"
)
if $programname == 'trm-error-logs:' then {
action(
type="omfwd"
Target="my.remoteserver.com"
Port="514"
Protocol="tcp"
template="textLogTemplate"
)
stop
}
On server side, I have in my /etc/rsyslog.conf
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
I've restarted the rsyslog service on both sides.
However, I don't see logs being shipped out. I do see the contents of /usr/share/tomcat/dist/logs/trm-error.log in /var/log/messages, though I do NOT want them to appear there. I do see the contents of /usr/share/tomcat/dist/logs/trm-error.log being read per the contents of the /var/log/rsyslog-debug.log file I generate.
I do run the following on the client machine, and see nothing.
tcpdump -i eth0 -n host my.remoteserver.com -P out -vvv
This turned out to be firewall issue on the server. i did stop the firewall, but did NOT disable it, so when I restarted the server, it was back on.
Related
my client machine has syslog-ng and my remote machine has rsyslog configuration.
my server/remote machine manages many clients and I need to differentiate which machine is sending which logs.
normally I would use syslog-ng on the server side but these machines aren't meant to have them.
Also would like to mention it isn't for apache or web servers just physical machines.
On the client's side
Tried altering and adding different options or changing them to yes/no respectively.
options {
keep_hostname(yes);
create_dirs(no);
use_dns(no);
};
for eg:keep_hostname to no, it worked but only when I changed the hostname to the machine's ip address. which is not what I want.
Using a template
template("$(ISODATE) $(FULLHOST_FROM) $(SOURCEIP) $(HOST) $(HOSTNAME) ${PROGRAM}: ${MESSAGE}\n")
output:
day time localhost abc[ID] .source.s_local SourceIP=127.0.0.1 localhost localhost (root) CMD (xyz.conf)#ID
this isn't the output I want, it is printing in the message section when I want it in the place of the "host" and I don't understand how the source ip is the loopback address.
Using structured logging
rewrite r_sourceip{
set('${SOURCEIP}' value(HOST));
};
log { source(s_local); rewrite(r_sourceip);destination(d_syslog_tcp); };
output:
and the ip is displayed in the logs as the loopback address instead of the machine ip.
day date time 127.0.0.1 syslog-ng.service: Succeeded.
Tried installing rsyslog on my client but it doesn't work
sudo add-apt-repository ppa:adiscon/v8-stable
sudo apt-get update
sudo apt-get install rsyslog
I kept running into many errors, fixing them was impossible due to the difference in OS version or type maybe.
add apt repository command not found
wget command not found
On the server's side
Using a template
which creates a folder with the client's hostname and stores the logs in that particular folder.
not the solution I want.
$template DynaFile,"/var/log/%FROMHOST-IP%/%syslogfacility-text%.log"
*.* -?DynaFile
I want the logs to appear as such
day date time `client's ip address` syslog-ng.service: Succeeded.
Can someone suggest me a solution and why I keep getting the loopback address as my client's ip?
I use WebStorm and working with React. from some moment IDE just stoped watching for file changes and now I have to reload my server to see the changes. I have no idea what I did.
I found this (https://blog.jetbrains.com/idea/2010/04/native-file-system-watcher-for-linux/) page, but it's not helpful for me. my /etc/sysctl.conf is now looking like this:
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
###################################################################
# Magic system request Key
# 0=disable, 1=enable all
# Debian kernels have this set to 0 (disable the key)
# See https://www.kernel.org/doc/Documentation/sysrq.txt
# for what other values do
#kernel.sysrq=1
###################################################################
# Protected links
#
# Protects against creating or following links under certain conditions
# Debian kernels have both set to 1 (restricted)
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
#fs.protected_hardlinks=0
#fs.protected_symlinks=0
#fs.inotify.max_user_watches=524288
This usually happens when the project is large and contains many files.
I have also faced a similar issue. I solved it by increasing the file watch size.
Just uncomment the line fs.inotify.max_user_watches=524288 from the file /etc/sysctl.conf and save it. To load the new setting run sudo sysctl -p in the terminal
I am configuring the haproxy.cfg file for haproxy. i need to add cipher suite in this file. for that i am using bind command. My bind command is as below.
bind 0.0.0.0:443 ssl crt /etc/ssl/certs/private1.pem nosslv3
prefer-server-ciphers ciphers
TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:#STRENGTH
With bind command bind *:443 it is working fine. once i add the other arguments its throwing error.
After including this command in haproxy.cfg file and restarting the haproxy service. i am getting the error.
**
[ALERT] 164/074924 (31084) : parsing [/etc/haproxy/haproxy.cfg:80] : 'bind' only supports the 'transparent', 'defer-accept', 'name', 'id', 'mss' and 'interface' options.
[ALERT] 164/074924 (31084) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 164/074924 (31084) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.
**
For resolving this issue i tried to install "libssl-dev" package. but i am not able to install that package also.
**Please guide me to do this. and i need to know is it neccesary to give the pem file entry in bind, or i can directly include cipher itself like this.
bind *:8443 ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:#STRENGTH**
Appending my haproxy.cfg file below.
**#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
frontend inbound
mode http
bind 0.0.0.0:443 ssl crt /etc/ssl/certs/private1.pem nosslv3 prefer-server-ciphers ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:#STRENGTH
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend postgresqlcluster1
mode http
balance roundrobin
server postgres1 192.44.9.101:8080 check**
You need to be using 1.5-dev19+ (current is 15.-dev26) to utilize any of the ssl functionality; based on the error and the config excerpt, it looks like you are running 1.4.
I'm unable to write log messages into syslog. Any help would be great.
Here is my simple log4j program
import org.apache.log4j.Logger;
import java.io.*;
import java.sql.SQLException;
import java.util.*;
public class log4jExample
{
/* Get actual class name to be printed on */
static Logger log = Logger.getLogger(log4jExample.class.getName());
public static void main(String[] args) throws IOException,SQLException
{
log.error("Hello this is an error message");
log.info("Hello this is an info message");
log.fatal("Fatal error message");
}
}
My syslog properties file
# configure the root logger
log4j.rootLogger=INFO, SYSLOG
# configure Syslog facility LOCAL1 appender
log4j.appender.SYSLOG=org.apache.log4j.net.SyslogAppender
log4j.appender.SYSLOG.threshold=WARN
log4j.appender.SYSLOG.syslogHost=localhost
log4j.appender.SYSLOG.facility=LOCAL4
log4j.appender.SYSLOG.layout=org.apache.log4j.PatternLayout
log4j.appender.SYSLOG.layout.conversionPattern=[%p] %c:%L - %m%n
Add the following lines to rsyslog.conf file
$ModLoad imudp
$UDPServerRun 514
It worked for me.
Need to restart the rsyslog after modfications.
The answer from #Sandeep above is the correct one, but it's from 2012 so I wanted to expand a little bit for folks who are using more recent setups. For instance, on Ubuntu 18.04 the /etc/rsyslog.conf file now has data near the top of the file that looks like this:
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
Uncommenting the two UDP lines and then running sudo service rsyslog restart worked for me. The Java Log4J Syslog appender (https://logging.apache.org/log4j/1.2/apidocs/org/apache/log4j/net/SyslogAppender.html) expects syslog to be listening on UDP port 514 on localhost.
As a potential further security improvement, you may also consider binding to the loopback address so port 514 isn't visible external to the host if you don't need it to be:
input(type="imudp" port="514" address="127.0.0.1")
It's also possible to make this update without having to touch the existing /etc/rsyslog.conf file; instead you can add a new conf file under the /etc/rsyslog.d/ directory, e.g. /etc/rsyslog.d/10-open-upd-port.conf, that only contains these lines:
module(load="imudp")
input(type="imudp" port="514" address="127.0.0.1")
And then restart the rsyslog daemon as described above.
To see whether or not the rsyslog daemon is actively listening on the UDP port 514, I found this command useful as well: sudo lsof -iUDP:514 -nP -c rsyslogd -a (show listeners on port UDP 514 whose command is "rsyslogd").
I observed some strange behaviour while trying to create ipsec connection.
I configured ipsec between cisco asa and my Linux box and it works as expected. But when I restart the network service on my Linux box or restart the port on the cisco side, the tunnel stops working but tunnel status is up:
/etc/init.d/ipsec status
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
IPsec running - pluto pid: 2684
pluto pid 2684
1 tunnels up
some eroutes exist
When I try to connect to the other side (telnet, ping, ssh), the connection doesn't work.
My /etc/ipsec.conf looks like this:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
And my /etc/ipsec.d/myvpn.conf looks like this:
conn myvpn
authby=secret # Key exchange method
left=server-ip # Public Internet IP address of the
# LEFT VPN device
leftsubnet=server-ip/32 # Subnet protected by the LEFT VPN device
leftnexthop=%defaultroute # correct in many situations
right=asa-ip # Public Internet IP address of
# the RIGHT VPN device
rightsubnet=network/16 # Subnet protected by the RIGHT VPN device
rightnexthop=asa-ip # correct in many situations
auto=start # authorizes and starts this connection
# on booting
auth=esp
esp=aes-sha1
compress=no
When I restart the openswan service everything starts working, but i think there should be some logic that does this automatically. has anyone an idea what i am missing?
You probably want to enable dead peer detection if available on both sides. Dead peer detection notices when the tunnel isn't actually working anymore and disconnects or resets it.
If not available, you can also try changing your session renegotiation time down very low; your tunnel will create new keys frequently and set up new tunnels to replace the old ones on a regular basis effectively recreating the tunnel after that timeout when the session has gone down.
For PPP sessions on Linux myself, I simply have a "service ipsec restart" in /etc/ppp/ip-up.local to restart all tunnels whenever the PPP device comes back online.
YMMV.
Just try DPD, but not work.
So I just learned from mikebabcock.
add the following line in my /etc/ppp/ip-down
service ipsec restart
With this workaround, now L2TP/IPSec worked like a charm.
I don't like the idea restarting ipsec every time you lose connection. Actually /usr/libexec/ipsec/_updown is ran on different actions in ipsec. The same script can be run on leftupdown/rightupdown. But the problem is that it doesn't perform any actual command when the remote client connects back to your host. To fix this issue you need add doroute replace after up-client) in /usr/libexec/ipsec/_updown.netkey (if you use Netkey of course):
# ...skipped...
#
up-client)
# connection to my client subnet coming up
# If you are doing a custom version, firewall commands go here.
doroute replace
#
# ...skipped...
But be aware, this file will be overwritten, if you update your packages, so just put it somewhere else, and then add the following commands to your connection config:
rightupdown="/usr/local/libexec/ipsec/_updown"
leftupdown="/usr/local/libexec/ipsec/_updown"
Now the routes will be restored as soon as the remote connects back to your server.
Also to me, for strange reasons DPD not work properly in every situation.
I use this script to check every minute the status. The scripts runs on the Peer (e.g. the Firewall):
C=$(ipsec auto --status | grep "established" | wc -l)
if [ $C -eq 0 ]
then
echo "Tunnel is down... Restarting"
ipsec restart
else
echo "Tunnel is up...Bye!"
fi
this could happen because of iptables rules.
Be sure to have enabled the udp port 500 and the esp protocol towards the remote public ip address.
Example:
iptables -A OUTPUT -p udp -d 1.2.3.4 --dport 500 -j ACCEPT
iptables -A OUTPUT -p esp -d 1.2.3.4 -j ACCEPT
Bye