[How to] install a syslog server jail

Visseroth

So I'm not sure if I should start a new thread or wake this thread back up.
I'm attempting to install a syslog server in iocage, and obviously php56 is out of date, so I'm trying with 73. So far so good, but I get to the point of installing the LogAnalyzer and I have to stop because there is no LogAnalyzer; instead I see...

Code:
log_analysis/       logrotate/          logstash-forwarder/ logstash6/          logwatch/
log-courier/        logstalgia/         logstash5/          logtool/


I assume I should use "log_analysis" but you know what happens when we assume.

The following are my so-far modified notes and command list from the original post. Any help would be appreciated. I'm really getting tired of not having a syslog server to allow me to filter through what's been going on in my network.
You'll see that I stopped at the LogAnalyzer because I couldn't proceed without more information from someone who knows more than I do.
Any help is MUCH appreciated.

Code:
nano /etc/rc.conf

Install Apache
Apache is a popular open source web server
Code:

cd /usr/ports/www/apache24 && make install clean BATCH=yes


Configure Apache to run at boot
Code:

echo 'apache24_enable="YES"' >> /etc/rc.conf


Start Apache
Code:

service apache24 start


The error "Could not reliably determine the server's fully qualified domain name" is normal at this point
Test connection to http://{jail IP address}
You should see "It Works!" web page

Configure Apache
Code:

nano /usr/local/etc/apache24/httpd.conf


Find these lines and change them
Code:

ServerName syslogserver.local
DirectoryIndex index.html index.php


Add these lines to end of the file
Code:

<FilesMatch "\.php$">
  SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
  SetHandler application/x-httpd-php-source
</FilesMatch>

Alias /phpmyadmin "/usr/local/www/phpMyAdmin"

<Directory "/usr/local/www/phpMyAdmin">
Options None
AllowOverride None
Require all granted
</Directory>


Save the file and exit nano. Restart Apache
Code:

service apache24 restart


The error "Could not reliably determine the server's fully qualified domain name" goes away

Install MySQL
MySQL is a popular open source database server
Code:

cd /usr/ports/databases/mysql56-server && make install clean BATCH=yes


Configure MySQL to run at boot
Code:

echo 'mysql_enable="YES"' >> /etc/rc.conf


Start MySQL
Code:

service mysql-server start


Add a root user to MySQL. MySQL logins are separate from FreeBSD logins, so this could be completely different. For this tutorial I am keeping the user name and password the same as the OS login. Feel free to substitute your own password.
Code:

/usr/local/bin/mysqladmin -u root password 'qazWSX'


Install PHP
PHP is a server-side scripting language for web development
Code:

cd /usr/ports/lang/php73 && make install clean BATCH=yes
cd /usr/ports/www/mod_php73 && make install clean BATCH=yes
cd /usr/ports/databases/php73-pdo_mysql && make install clean BATCH=yes



Configure PHP
Copy the sample configuration ini and modify it
Code:

cp /usr/local/etc/php.ini-development /usr/local/etc/php.ini
nano /usr/local/etc/php.ini


Find these lines about halfway through the file. Uncomment and modify them. You should use your own timezone https://php.net/manual/en/timezones.php
Code:

extension=php_mbstring.so
extension=php_pdo_mysql.so
date.timezone = America/Los_Angeles


Test PHP
Create a new file
Code:

nano /usr/local/www/apache24/data/test.php


Add these lines to the file
Code:

<?php
phpinfo();
?>


Restart Apache
Code:

service apache24 restart


Test connection to http://{jail IP address}/test.php
You should see a detailed information page on Apache and PHP

(Optional) Install phpMyAdmin
phpMyAdmin is a graphic interface to administer MySQL. It's not necessary for this tutorial, but may be useful later. You can also skip this for now and install it later.
Code:

cd /usr/ports/databases/phpmyadmin/ && make install clean BATCH=yes


Configure phpMyAdmin
Code:

mkdir /usr/local/www/phpMyAdmin/config && chmod o+w /usr/local/www/phpMyAdmin/config
chmod o+r /usr/local/www/phpMyAdmin/config.inc.php
service apache24 restart


    Open http://{jail IP address}/phpmyadmin/setup
    Select "New server"
    Select the "Authentication" tab
    Under "Authentication type" choose "http" from the drop-down list (using HTTP auth to sign in to phpMyAdmin avoids storing login/password credentials directly in config.inc.php)
    Remove "root" from "User for config auth"
    Select "Apply"
    You will be returned to the Overview page, where you should see a new server listed
    Select "Save" on the Overview page
    This saves the configuration as /usr/local/www/phpMyAdmin/config/config.inc.php
    Move the newly created config so PHP uses it

Code:

mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin/


Open http://{jail IP address}/phpmyadmin/ and login to test ( root / qazWSX )

Config directory is no longer needed. Remove it, as well as the read permission added previously
Code:

rm -r /usr/local/www/phpMyAdmin/config
chmod o-r /usr/local/www/phpMyAdmin/config.inc.php



Install rsyslog
rsyslog is a drop-in replacement for syslog with additional features
Code:

cd /usr/ports/sysutils/rsyslog8 && make install clean


Select "MYSQL - MySQL output module for rsyslog" and then select "OK", accept defaults for all other options

Replace syslogd with rsyslogd
Code:

/etc/rc.d/syslogd stop
echo 'syslogd_enable="NO"' >> /etc/rc.conf
echo 'rsyslogd_enable="YES"' >> /etc/rc.conf
ln -s /usr/local/etc/rc.d/rsyslogd /etc/rc.d/rsyslog



Create the rsyslog database
Code:

mysql -u root -p


Enter the password qazWSX.
At the mysql> prompt, enter the following commands (change the password on the last line if you are not using qazWSX):
Code:

CREATE DATABASE Syslog;
USE Syslog;
CREATE TABLE SystemEvents
(
  ID int unsigned not null auto_increment primary key,
  CustomerID bigint,
  ReceivedAt datetime NULL,
  DeviceReportedTime datetime NULL,
  Facility smallint NULL,
  Priority smallint NULL,
  FromHost varchar(60) NULL,
  Message text,
  NTSeverity int NULL,
  Importance int NULL,
  EventSource varchar(60),
  EventUser varchar(60) NULL,
  EventCategory int NULL,
  EventID int NULL,
  EventBinaryData text NULL,
  MaxAvailable int NULL,
  CurrUsage int NULL,
  MinUsage int NULL,
  MaxUsage int NULL,
  InfoUnitID int NULL ,
  SysLogTag varchar(60),
  EventLogType varchar(60),
  GenericFileName VarChar(60),
  SystemID int NULL
);
CREATE TABLE SystemEventsProperties
(
  ID int unsigned not null auto_increment primary key,
  SystemEventID int NULL ,
  ParamName varchar(255) NULL ,
  ParamValue text NULL
);
grant all privileges on Syslog.* to 'root'@'%' identified by 'qazWSX' with grant option;


ctrl-c to quit mysql

Make the missing rsyslog directory
Code:

mkdir /var/spool/rsyslog


Configure rsyslog
Code:

nano /usr/local/etc/rsyslog.conf


Paste the following into the new, blank file.
Change the subnet on line 4 to match your network.
Change the password on the last line if you are not using qazWSX.
Code:

$ModLoad immark  # provides --MARK-- message capability
$ModLoad imuxsock  # provides support for local system logging
$ModLoad ommysql  # load MySQL functionality
$AllowedSender UDP, 192.168.1.0/24 # depends on your subnet obviously
# for TCP use:
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
# for UDP use:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$FileOwner root
$FileGroup wheel
$FileCreateMode 0777
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup wheel
$IncludeConfig /etc/rsyslog.d/*.conf
*.*  :ommysql:127.0.0.1,Syslog,root,qazWSX



Start rsyslog and check that it is working
Code:

service rsyslog start
mysql -u root -p


enter the password qazWSX

enter the following query
Code:

USE Syslog;
SELECT * FROM SystemEvents;


(should get back 3-4 records)
ctrl-c to quit mysql

Install LogAnalyzer
LogAnalyzer is a web interface for browsing the syslog server database
Code:

cd /usr/ports/sysutils/loganalyzer && make install clean DEFAULT_VERSIONS=php=73
 
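As an added example (not part of Visseroth's post and not rsyslog's own tooling), the Python script below reads the rsyslog.conf shown in the post above and flags the settings a defender would revisit before pointing network devices at port 514: a world-writable $FileCreateMode, a privilege drop that keeps root, an $AllowedSender list that covers UDP but not the imtcp input that is also enabled, and the MySQL root password carried inline in the ommysql action. The finding codes, the regexes and the check logic are this script's own conventions; the sample input is the post's configuration embedded as a constant.

```python
"""Audit an rsyslog.conf for common hardening gaps.

Added example, not part of the original post or of rsyslog. The finding
codes and the checks are this script's own; it inspects both the legacy
"$Directive" lines and the RainerScript module()/input() lines that the
post's configuration mixes.
"""
import re

# Constructed sample: the rsyslog.conf from the post, reproduced as posted.
SAMPLE_CONF = """\
$ModLoad immark  # provides --MARK-- message capability
$ModLoad imuxsock  # provides support for local system logging
$ModLoad ommysql  # load MySQL functionality
$AllowedSender UDP, 192.168.1.0/24 # depends on your subnet obviously
# for TCP use:
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")
# for UDP use:
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$WorkDirectory /var/spool/rsyslog
$FileOwner root
$FileGroup wheel
$FileCreateMode 0777
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser root
$PrivDropToGroup wheel
$IncludeConfig /etc/rsyslog.d/*.conf
*.*  :ommysql:127.0.0.1,Syslog,root,qazWSX
"""


def _statements(text):
    """Yield config statements with '#' comments and blank lines removed."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def audit_rsyslog_conf(text):
    """Return a list of (code, message) findings for one rsyslog.conf text."""
    lines = list(_statements(text))
    findings = []

    # 1. Files rsyslog creates must not be group- or world-writable.
    for line in lines:
        m = re.match(r"\$FileCreateMode\s+([0-7]{3,4})$", line)
        if m and int(m.group(1), 8) & 0o022:
            findings.append(("FILE_MODE", f"$FileCreateMode {m.group(1)} lets others write log files; use 0640"))

    # 2. Dropping privileges to root is a no-op; use an unprivileged account.
    if any(re.match(r"\$PrivDropToUser\s+root$", line) for line in lines):
        findings.append(("NO_PRIV_DROP", "$PrivDropToUser root keeps the daemon running as root"))

    # 3. ommysql actions carry host,db,user,password in clear text.
    for line in lines:
        m = re.search(r":ommysql:([^,\s]+),([^,\s]+),([^,\s]+),(\S+)", line)
        if m:
            user = m.group(3)
            findings.append(("DB_PASSWORD_INLINE", f"ommysql action embeds the password for '{user}'; keep rsyslog.conf root-owned and mode 0640"))
            if user == "root":
                findings.append(("DB_ROOT_USER", "rsyslog writes as the MySQL root user; an INSERT-only account on Syslog.* is enough"))

    # 4. A network input that is loaded without a matching $AllowedSender list
    #    accepts log traffic from any host.
    allowed = set()
    for line in lines:
        m = re.match(r"\$AllowedSender\s+(UDP|TCP)\s*,", line, re.IGNORECASE)
        if m:
            allowed.add(m.group(1).upper())
    for proto, module in (("TCP", "imtcp"), ("UDP", "imudp")):
        loaded = any(
            re.search(rf'module\(load="{module}"\)', line) or re.match(rf"\$ModLoad\s+{module}$", line)
            for line in lines
        )
        if loaded and proto not in allowed:
            findings.append((f"OPEN_{proto}_INPUT", f"{module} is loaded but no $AllowedSender {proto} list restricts who may send"))

    return findings


if __name__ == "__main__":
    for code, message in audit_rsyslog_conf(SAMPLE_CONF):
        print(f"{code:20} {message}")
```

Run against the post's configuration it reports five findings; a variant with $FileCreateMode 0640, an unprivileged $PrivDropToUser and an $AllowedSender TCP line comes back clean. The checks are textual, so they complement rather than replace a syntax check with the daemon itself.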
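Also added here, and not the post's own code: a Python script that turns raw syslog lines into rows shaped like the SystemEvents table created above and runs the kind of triage queries that table is for (errors by host, failed SSH logins by host). It assumes rsyslog's default database template fills the Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt and SysLogTag columns, with Facility = PRI / 8 and Priority = PRI mod 8 (the severity); the SQLite DDL, the parser regex and the sample log lines are constructed for the example so the queries can be tried without the MySQL server.

```python
"""Parse RFC 3164 syslog lines into SystemEvents-shaped rows and triage them.

Added example, not from the original post. Column names follow the
post's SystemEvents table; the SQLite DDL, the parser and the sample
lines are this example's own so it runs without a MySQL server.
"""
import re
import sqlite3

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG, where PRI = facility*8 + severity.
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s"
    r"(?P<tag>[^:\s]+:)\s?"
    r"(?P<msg>.*)$"
)

# Constructed sample traffic: hosts, addresses and messages are made up.
SAMPLE_LINES = [
    "<38>Oct 11 22:14:15 fw1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "<38>Oct 11 22:14:17 fw1 sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "<3>Oct 11 22:15:01 nas kernel: da3: READ error",
    "<13>Oct 11 22:15:30 switch1 snmpd: trap sent",
    "<86>Oct 11 22:16:00 nas sshd[2201]: Accepted publickey for admin from 192.168.1.20 port 44321 ssh2",
    "<2>Oct 11 22:16:05 fw1 kernel: pf: state table full",
    "this is not a syslog line",
]

# SQLite stand-in for the post's MySQL table (subset of columns, SQLite ID syntax).
SCHEMA = """
CREATE TABLE SystemEvents (
  ID INTEGER PRIMARY KEY AUTOINCREMENT,
  ReceivedAt TEXT, DeviceReportedTime TEXT,
  Facility INTEGER, Priority INTEGER, FromHost TEXT,
  Message TEXT, SysLogTag TEXT
)"""


def parse_line(line):
    """Split one syslog line into SystemEvents columns; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        return None
    return {
        "Facility": pri // 8,            # 0=kern, 1=user, 4=auth, 10=authpriv, ...
        "Priority": pri % 8,             # severity: 0=emerg, 2=crit, 3=err, 6=info, 7=debug
        "FromHost": m.group("host"),
        "SysLogTag": m.group("tag"),     # trailing colon kept, as in rsyslog's syslogtag
        "DeviceReportedTime": m.group("ts"),
        "Message": m.group("msg"),
    }


def open_db():
    """In-memory SQLite stand-in for the Syslog database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def load_events(conn, lines, received_at="2019-10-11 22:16:10"):
    """Insert every parseable line; returns the number of rows stored."""
    rows = [r for r in (parse_line(l) for l in lines) if r]
    conn.executemany(
        "INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, Facility, Priority, "
        "FromHost, Message, SysLogTag) VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(received_at, r["DeviceReportedTime"], r["Facility"], r["Priority"],
          r["FromHost"], r["Message"], r["SysLogTag"]) for r in rows],
    )
    conn.commit()
    return len(rows)


def errors_by_host(conn, max_severity=3):
    """Hosts that reported 'err' (3) or worse, with a count per severity."""
    return conn.execute(
        "SELECT FromHost, Priority, COUNT(*) FROM SystemEvents "
        "WHERE Priority <= ? GROUP BY FromHost, Priority ORDER BY Priority, FromHost",
        (max_severity,),
    ).fetchall()


def ssh_failures_by_host(conn):
    """Failed SSH logins per host from the auth (4) and authpriv (10) facilities."""
    return conn.execute(
        "SELECT FromHost, COUNT(*) FROM SystemEvents "
        "WHERE Facility IN (4, 10) AND Message LIKE 'Failed password%' "
        "GROUP BY FromHost ORDER BY COUNT(*) DESC"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(load_events(db, SAMPLE_LINES), "events stored")
    print("errors by host:", errors_by_host(db))
    print("ssh failures by host:", ssh_failures_by_host(db))
```

The two SELECT statements can be pasted unchanged into the mysql> prompt against the Syslog database once rsyslog is feeding it; only the ID column definition differs between this SQLite stand-in and the post's MySQL schema.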

xames

Is there a simple plugin or fast script out there to run a syslog on FreeNAS? A @danb35 script could be fantastic.

A Docker container with graylog.com is another good point; any tutorials or ideas?
 