Using the mmnormalize module in rsyslog is a bit complicated at first. In this article we describe how to configure the basic components needed for log normalization. In addition, we show how to configure these components so that incoming messages are split into pieces of information. These pieces of information are then written into a database for review with Adiscon LogAnalyzer.
This guide was tested with rsyslog v5.8.0, liblognorm 0.3 and libee 0.3.
The goal of this guide is a configuration in which a message is parsed by the normalization tool and some of the message content is put into specific properties. These properties are then written into a special database layout that can be reviewed with Adiscon LogAnalyzer.
To use normalization, we need the following:
- rsyslog
- liblognorm
- libee
- libestr
For the later steps we need these additional components:
- Apache web server with PHP5
- MySQL database (usually with phpMyAdmin)
- Adiscon LogAnalyzer
Step 1: Configuring rsyslog and log normalization
First we need to configure rsyslog for log normalization. So before installing rsyslog, we install liblognorm, libee and libestr. They can be installed according to this guide. Now rsyslog can be installed. Change into the folder where you unpacked the rsyslog sources and use the following commands to configure and build rsyslog correctly:
./configure --libdir=/lib --sbindir=/sbin --enable-mysql --enable-mmnormalize
make
make install
If everything is correct, the installation should complete successfully. Now we need to configure rsyslog. The configuration should look like this:
$ModLoad immark
$ModLoad imuxsock
$ModLoad imklog
# imudp is needed for the $UDPServerRun directive below
$ModLoad imudp
$ModLoad mmnormalize
# ommysql is needed for the :ommysql: action below
$ModLoad ommysql

$UDPServerRun 514

$mmnormalizeUseRawMsg 1
$mmnormalizeRuleBase /rsyslog/rulebase.rb
*.* :mmnormalize:

# The SQL template option makes rsyslog escape quotes in the property values
# before they are placed into the statement; ommysql requires it.
$template database,"INSERT INTO normalized (date, host, msgnumber, protocol, ipin, ipout, portin, portout) VALUES ('%$!date%', '%$!host%', '%$!msgnumber%', '%$!protocol%', '%$!ipin%', '%$!ipout%', '%$!portin%', '%$!portout%')",SQL
*.* :ommysql:172.19.3.17,syslog,test,test;database
That is all for our rsyslog configuration. It looks fairly complicated right now, so here is what it does. The $ModLoad lines load the input modules, the normalization module and the MySQL output module, and $UDPServerRun 514 receives syslog messages over UDP. The $mmnormalize directives are the parameters that start the message normalization: the rulebase file to use and whether the raw message is parsed. With the line "*.* :mmnormalize:" we tell rsyslog to apply normalization to all messages. The template line describes the format of the processed message: the result is an SQL INSERT statement that puts all parsed variables into their corresponding fields of the table "normalized". The last line is the action that makes rsyslog write all messages (as produced by the template, i.e. the SQL statement) into the remote database.
After the configuration, we still need to set up a rulebase. This is done in a separate file. For our example, the rulebase is the following file: /rsyslog/rulebase.rb
The file should look like this:
rule=:%date:date-rfc3164% %host:word% %tag:word% %notused:char-to:%:%msgnumber:char-to:\x3a%: access-list inside_access_in permitted %protocol:word% inside/%ipin:ipv4%(%portin:number%) -> outside/%ipout:ipv4%(%portout:number%) %notused2:char-to:]%]
The rule is basically one single line; any line breaks you see here are due to web layout restrictions. Basically, it is a message format. The different parameters of a rule are described in a different guide. The rule we have here should match the following message:
May 16 07:23:09 BHG-FW : %ASA-4-106100: access-list inside_access_in permitted tcp inside/10.200.22.183(2969) -> outside/67.192.232.82(80) hit-cnt 1 first hit [0x48e9e9c345, 0x386bad81]
If you want to handle multiple messages whose formats differ, you need multiple rules as well. The rules should match the message as exactly as possible. If a message does not fit any listed rule, it is processed no further. Another thing to note is to keep the rules variable as well (use field types for the parts of the message that change rather than literal text); otherwise the message may not fit the rule again.
Step 2: Database Setup
We assume that you already have a server with a database and a web server installed. The installation of these components should be done according to the instructions provided by the software vendor, so we cannot give examples for that here.
But we need a specific database schema for our example, so we need to show this at least. As said before, we have some specific parts of the message filled into properties. These properties are to be written into the database. So here is the basic SQL statement to create the table according to our needs:
CREATE TABLE normalized (
    id int unsigned not null auto_increment primary key,
    date datetime null,
    -- the column types from host to ipout are assumed; the original listing is cut off between host and portin
    host varchar(255) null,
    msgnumber varchar(255) null,
    protocol varchar(255) null,
    ipin varchar(255) null,
    ipout varchar(255) null,
    portin int null,
    portout int null
);
You can execute this statement as you like. It is currently written for a MySQL database, so some bits may change if you are using a different database.
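The following Python script is an added example, not code from this page, from rsyslog or from liblognorm. It shows, for the rulebase and sample message of Step 1 and the table of Step 2, what the rule extracts from the message and how the parsed properties end up as a row in the "normalized" table. The regular expression stands in for the liblognorm rule (which needs liblognorm to run) and assigns the same field names; the SQLite schema is adapted from the MySQL CREATE TABLE above so that the script runs offline (SQLite spells the autoincrement column differently); the two messages are constructed, the first being the page's sample. It also handles the failure mode mentioned above: a message that fits no rule is dropped rather than written. The INSERT uses placeholders instead of pasting the parsed values into the SQL text, which is the same concern the SQL template option's escaping addresses in the rsyslog configuration.

```python
import re
import sqlite3
from datetime import datetime

# Stand-in for the liblognorm rule on this page (assumption: same field names,
# same message shape). Each named group corresponds to one %name:type% field.
ASA_RULE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<msgnumber>%ASA-\d-\d+): "
    r"access-list inside_access_in permitted (?P<protocol>\S+) "
    r"inside/(?P<ipin>\d{1,3}(?:\.\d{1,3}){3})\((?P<portin>\d+)\) -> "
    r"outside/(?P<ipout>\d{1,3}(?:\.\d{1,3}){3})\((?P<portout>\d+)\) "
    r"(?P<notused2>[^\]]*)\]$"
)

# Constructed sample input: the message the rule is meant to match, and one
# that fits no rule and must therefore not be written.
SAMPLE = ("May 16 07:23:09 BHG-FW : %ASA-4-106100: access-list inside_access_in "
          "permitted tcp inside/10.200.22.183(2969) -> outside/67.192.232.82(80) "
          "hit-cnt 1 first hit [0x48e9e9c345, 0x386bad81]")
NO_MATCH = "May 16 07:23:10 BHG-FW : %ASA-6-302013: Built outbound TCP connection"

# Column order of the INSERT template on this page.
FIELDS = ("date", "host", "msgnumber", "protocol", "ipin", "ipout", "portin", "portout")

# SQLite version of the page's MySQL table (assumed types for the text columns).
SCHEMA = """CREATE TABLE normalized (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    date DATETIME NULL, host VARCHAR(255) NULL, msgnumber VARCHAR(255) NULL,
    protocol VARCHAR(255) NULL, ipin VARCHAR(255) NULL, ipout VARCHAR(255) NULL,
    portin INT NULL, portout INT NULL)"""

# Parameterized counterpart of the page's template: values travel separately
# from the SQL text, so quotes or semicolons in a message cannot alter it.
INSERT = ("INSERT INTO normalized (date, host, msgnumber, protocol, ipin, ipout, "
          "portin, portout) VALUES (?, ?, ?, ?, ?, ?, ?, ?)")


def normalize(msg, year=None):
    """Return the properties the rule extracts, or None if the message fits no rule."""
    m = ASA_RULE.match(msg)
    if m is None:
        return None
    props = m.groupdict()
    # RFC 3164 timestamps carry no year; rsyslog assumes the current one, and the
    # datetime column needs a full date.
    year = datetime.now().year if year is None else year
    ts = datetime.strptime(f"{year} {props['date']}", "%Y %b %d %H:%M:%S")
    props["date"] = ts.strftime("%Y-%m-%d %H:%M:%S")
    props["portin"] = int(props["portin"])
    props["portout"] = int(props["portout"])
    return {k: props[k] for k in FIELDS}


def open_db():
    """In-memory SQLite database with the normalized table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def store(conn, msgs, year=None):
    """Normalize each message and insert the ones that match; returns rows written."""
    written = 0
    for msg in msgs:
        props = normalize(msg, year)
        if props is None:
            continue  # no rule fits: the message goes no further
        conn.execute(INSERT, tuple(props[k] for k in FIELDS))
        written += 1
    conn.commit()
    return written


if __name__ == "__main__":
    db = open_db()
    n = store(db, [SAMPLE, NO_MATCH], year=2011)
    print(n, "row(s) written")
    for row in db.execute("SELECT date, host, msgnumber, protocol, ipin, portin, ipout, portout FROM normalized"):
        print(row)
```

Running the script writes one row (the sample message) and drops the second message, which matches no rule. The year is passed explicitly here only to make the result reproducible; rsyslog fills in the current year for RFC 3164 timestamps.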
Step 3: Using Adiscon LogAnalyzer with this database
Adiscon LogAnalyzer can be used to review the data from this database. The installation of Adiscon LogAnalyzer is shown here. Please note that we will need the Admin Center, so be sure to create a user database when installing.
Point your browser at the installed Adiscon LogAnalyzer. Now we have to go to the Admin Center. We need to set a few things to fit our custom format.
Edit Fields
First we need to add some fields. We need to do this so that we can use the custom fields of our database in LogAnalyzer. By default, the field list basically reflects the MonitorWare database schema. On the Fields page of the Admin Center, a list of the currently available fields is shown:
By clicking "Add new field" we can create a new field.
We need to create only 7 new fields, although we have 8 custom fields in the table. [...] portin and portout.
Basically, the details of the field should look like this:
To finally create the field, click the "Add New Field" button.
Edit DBMappings
Together with the fields, which are only for internal use in Adiscon LogAnalyzer, we need to create a custom database mapping. So go to DBMappings in the Admin Center. You will see a list of the currently available database mappings.
Click "Add new database mapping":
Here we tell Adiscon LogAnalyzer which of the fields we created corresponds to which database column. First, enter a name for your mapping. After that, choose the fields we need from the drop-down menu and click "Add field mapping to list". The final step is to enter the database field names in the list. It should now look like this:
Finally, click "Add new database mapping". This saves the mapping and takes you back to the DBMappings list.
Edit Views
The next thing we need to adjust is the views. In the views you configure what LogAnalyzer should display. This is related to the data stored in the database. Basically, a view should represent the kind of log that is stored. For example, if you use the view for Windows event logs on a database where Linux syslog is stored, many fields will be shown empty because Linux syslog does not fill them. So we need a custom view.
You get there by clicking on Views in the Admin Center.
There are already pre-configured views for Windows EventLog, Syslog and web server logs. However, we need a completely different view. A new view can be configured by clicking "Add new view" at the bottom of the list.
You must give your view a name. If desired, you can restrict the use of this view to certain users or groups, but we skip that for now. The most important part is to select the fields that should be shown. This is done under "Configured Columns".
After clicking the button, the new view should appear in our list.
Edit Sources
Finally, we need to create a source. When installing Adiscon LogAnalyzer, you already configured one source. For our example, we need to create another one. So go to Sources in the Admin Center.
You will see a list of the configured sources. Currently, you have one source. By clicking "Add new source" you can create another.
Basically, we need to enter a source name. If you want, you can also add a description. Set the source type to "MySQL native". You can also select a default view; choose the one we created. If you want, you can restrict the source to a user or group.
We still need to change the database type options. As you can see, the fields changed after setting the source type to MySQL native. As the table type, choose the mapping we created before. Enter the connection details as your database requires them. The complete form should now look like this:
Finish the new source by clicking "Add new source". It should now appear in the list.
Final thoughts
Although this scenario seems very complex, it shows in the end what is possible. This configuration shows exactly how the products of the Adiscon product line can work together, and it gives a good example of how normalization works.
Using the rsyslog mmnormalize module effectively with Adiscon LogAnalyzer