demolish the syslog system

Everything related with getting rsyslog up and running (but not beyond that point ;))

Moderator: alorbach

demolish the syslog system

Postby venember » Fri Nov 27, 2015 8:49 am

Hi,

I am a newbie and less than a half-guru. I have a machine on hosting. Only one. I used syslog without problems and could manage it remotely.
The SuSE Tumbleweed upgrade (from 13.2) completely deteriorated this (and other useful stuff) and offers an empty rsyslog structure on the machine...
I would not like to learn the whole industrial-grade, sophisticated (r)syslog system... and downgrade it to a one-log local system...

I would like to get back my working syslog system or a simple setup for rsyslog WITHOUT remote logging... I do not want to send the log anywhere.
Could you help me?

Thanks in advance
Michael
venember
New
 
Posts: 9
Joined: Fri Nov 27, 2015 8:33 am

Re: demolish the syslog system

Postby dlang » Fri Nov 27, 2015 12:06 pm

rsyslog doesn't send logs anywhere by default.

why don't you start by telling us what you want to happen with the logs, what is currently happening that you don't want, and show us what your config is.

with the exception of needing to load some modules at the beginning of the config, you should be able to use the exact same config that you were using with syslog
dlang
Frequent Poster
 
Posts: 1002
Joined: Mon Sep 15, 2008 7:44 am

Re: demolish the syslog system

Postby venember » Sat Nov 28, 2015 10:38 pm

I want a simple, working logging system, which is logging from (re)start by default.
I was logging the system events (auth/sshd, kernel, security, firewall, boot, wtmp, btmp, zypper, driver-installer, fail2ban, rkhunter, other system services, Xorg, desktops, vnc, etc.) and some other user services (apache2, mail: Postfix, dovecot, spamd, amavis, clamd; mysql, transmission-daemon, plexmediaserver) to /var/log(/subdirectory).
The selecting, importance and filtering do not matter.
Obviously I need logrotate to rotate these logs sometimes.
I do not need spool and sending/receiving to/from servers; only the event logs in some files on my server.

Simply, I want to see the log files in the log directory (/var/log) and rotate them periodically.

In the fresh openSuSE there are two logging systems: rsyslog (as I mentioned above) and syslog-ng. Only one can be active, but syslog-ng cannot use the system resources and has errors. None of them works now.
venember
New
 
Posts: 9
Joined: Fri Nov 27, 2015 8:33 am

Re: demolish the syslog system

Postby dlang » Sun Nov 29, 2015 9:24 am

if you had a working syslog.conf file in the past, you should be able to use almost exactly the same file with rsyslog.

what is the conf file you used before, and what is the rsyslog.conf file that suse puts in place when you install rsyslog?
dlang
Frequent Poster
 
Posts: 1002
Joined: Mon Sep 15, 2008 7:44 am

Re: demolish the syslog system

Postby venember » Sun Nov 29, 2015 8:59 pm

NO syslog.conf in openSUSE.
https://forums.opensuse.org/showthre...-openSUSE-13-2

If you have WORKING rsyslog files and/or directories, and you send them to me, I will try them.
It is possible that this is because SUSE launched an industrial Novell-based enterprise system with lots of security restrictions and those cause this (apparmor, chroot, policykit).
There is no logging to /var/log at all. It is a big security hole in a WAN server. Luckily, the firewall and fail2ban work.
venember
New
 
Posts: 9
Joined: Fri Nov 27, 2015 8:33 am

Re: demolish the syslog system

Postby dlang » Tue Dec 01, 2015 3:09 am

Ok, now I don't understand what you are trying to do.

you make it sound like you had something working and think that switching to rsyslog breaks it.

but you now seem to be saying that you never had anything that did what you want, and are asking us to give you a config that does what you want.


I don't use Suse, so I don't know what is there by default, but I have a hard time believing that they provide _no_ config at all when you install rsyslog. Every other distro includes a simple, default config (and yes, that includes the other 'hardened' and 'enterprise' and 'industrial strength' distros)

I can give you many different configs, but without any understanding of what you are wanting to do with the logs, it's very unlikely that the config I create will do what you want.

you may want to look at some of these links

https://gist.github.com/akheron/909386
http://www.rsyslog.com/doc/rsyslog_conf_examples.html
http://www.rsyslog.com/rsyslog-configuration-builder/
dlang
Frequent Poster
 
Posts: 1002
Joined: Mon Sep 15, 2008 7:44 am

Re: demolish the syslog system

Postby venember » Tue Dec 01, 2015 10:04 am

I am trying to defend my machine and system from the massive bruteforce attacks on the open net. It is a legacy system with yearly update (with always lots of errors), more than 10 years old.

To this, I need system logs.

SuSE completely rebuilt the logging and security system, so I have lost my logs and more than half of the defending facilities. They do not test enough and do not care about legacy systems... they build a new one instead...

I do not want to UNDERSTAND the logging system, purely I want to USE this.

syslog-ng and rsyslog are not compatible with each other, but I changed between them for tests.

The first thing is that I want to SEE the log records.

I had tests lasting one week. I read the documentation. I made experiments with different setups. The result is a half-working log system with totally different log records (mail and fail2ban are running but not logging yet), so I can hardly manage it.
This situation is most dangerous and I do not know what the SUSE developers think: will everybody use a commercial logging, audit, policy, security and logging system, which is basically developed for big commercial firms?

If you want to look into my machine, I will let you see it. Or forget it.
My opinion is that a WORKING logging system is FUNDAMENTAL for every operating system. And not by the users. And it should not be allowed to upgrade without it.
venember
New
 
Posts: 9
Joined: Fri Nov 27, 2015 8:33 am

Re: demolish the syslog system

Postby venember » Tue Dec 01, 2015 10:52 am

journal

Dec 01 10:18:24 mysystem sshd[4702]: error: PAM: Authentication failure for root from 59.45.79.51
Dec 01 10:18:30 sshd[4748]: error: PAM: Authentication failure for root from 59.45.79.51
Dec 01 10:18:33 sshd[4748]: error: PAM: Authentication failure for root from 59.45.79.51
Dec 01 10:18:36 sshd[4748]: error: PAM: Authentication failure for root from 59.45.79.51
Dec 01 10:18:38 sshd[4748]: error: PAM: Authentication failure for root from 59.45.79.51
Dec 01 10:18:41 sshd[4748]: error: PAM: Authentication failure for root from 59.45.79.51
Dec 01 10:18:45 sshd[4748]: error: PAM: Authentication failure for root from 59.45.79.51

The kern, firewall, syslog, and btmp logs contain relevant records, but an sshd log does not exist.

rsyslog.conf

##
## === When you're using remote logging, enable on-disk queues ===
## === in rsyslog.d/remote.conf. When necessary also set the ===
## === SYSLOG_REQUIRES_NETWORK=yes in /etc/sysconfig/syslog, ===
## === e.g. when rsyslog has to receive on a specific IP only. ===
##
## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
## (provided in separate rsyslog-module-* packages) are enabled, the
## configuration can't be used on a system with /usr on a remote
## filesystem, except on newer systems where initrd mounts /usr.
## [The modules are linked against libraries installed below
## /usr and are thus also installed in /usr/lib*/rsyslog because of this.]
##

#
# if you experience problems, check
#
# and report them at
#

# since rsyslog v3: load input modules
# If you do not load inputs, nothing happens!

# provides --MARK-- message capability (every 1 hour)
$ModLoad immark.so
$ModLoad imudp.so
$ModLoad imtcp.so

$MarkMessagePeriod 3600

# provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock.so

# reduce duplicate log messages (last message repeated n times)
$RepeatedMsgReduction on

# kernel logging (may be also provided by /sbin/klogd)
# see also http://www.rsyslog.com/doc-imklog.html.
$ModLoad imklog.so
# set log level 1 (same as in /etc/sysconfig/syslog).
$klogConsoleLogLevel 5

# Use rsyslog native, rfc5424 conform log format as default
# ($ActionFileDefaultTemplate RSYSLOG_FileFormat).
#
# To change a single file to use obsolete BSD syslog format
# (rfc 3164, no high-precision timestamps), set the variable
# below or append ";RSYSLOG_FileFormat" to the filename.
# See
#
# for more information.
#
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Include config generated by /etc/init.d/syslog script
# using the SYSLOGD_ADDITIONAL_SOCKET* variables in the
# /etc/sysconfig/syslog file.
#
$IncludeConfig /run/rsyslog/additional-log-sockets.conf

#
# Include config files that the admin provided:
#
$IncludeConfig /etc/rsyslog.d/*.conf


###
# print most important on tty10 and on the xconsole pipe
#
if ( \
/* kernel up to warning except of firewall */ \
($syslogfacility-text == 'kern') and \
($syslogseverity <= 4 /* warning */ ) and not \
($msg contains 'IN=' and $msg contains 'OUT=') \
) or ( \
/* up to errors except of facility authpriv */ \
($syslogseverity <= 3 /* errors */ ) and not \
($syslogfacility-text == 'authpriv') \
) \
then {
/dev/tty10
|/dev/xconsole
}

if $programname == 'fail2ban' then /var/log/fail2ban.log
& stop

# Emergency messages to everyone logged on (wall)
*.emerg :omusrmsg:*

# enable this, if you want that root is informed
# immediately, e.g. of logins
#*.alert root

auth,authpriv.* /var/log/auth
*.*;auth,authpriv.none -/var/log/syslog
daemon.* -/var/log/daemon
kern.* -/var/log/kern
lpr.* -/var/log/lpr
mail.* -/var/log/mail
user.* -/var/log/user

*.=debug;\
auth,authpriv.none;\
news.none;mail.none -/var/log/debug

#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') \
then {
-/var/log/firewall
stop
}


#
# acpid messages into separate file and stop their further processing
#
# => all acpid messages for debugging (uncomment if needed):
#if ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
# -/var/log/acpid
#
# => up to notice (skip info and debug)
if ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
($syslogseverity <= 5 /* notice */) \
then {
-/var/log/acpid
stop
}


#
# NetworkManager into separate file and stop their further processing
#
if ($programname == 'NetworkManager') or \
($programname startswith 'nm-') \
then {
-/var/log/NetworkManager
stop
}


#
# email-messages
#
mail.* -/var/log/mail
mail.info -/var/log/mail.info
mail.warning -/var/log/mail.warn
mail.err /var/log/mail.err


#
# news-messages
#
#news.crit -/var/log/news/news.crit
#news.err -/var/log/news/news.err
#news.notice -/var/log/news/news.notice
# enable this, if you want to keep all news messages
# in one file
#news.* -/var/log/news.all


#
# Warnings in one file
#
*.=warning;*.=err -/var/log/warn
*.crit /var/log/warn


#
# the rest in one file
#
*.*;mail.none;news.none -/var/log/messages


#
# enable this, if you want to keep all messages
# in one file
#*.* -/var/log/allmessages


#
# Some foreign boot scripts require local7
#
local0.*;local1.* -/var/log/localmessages
local2.*;local3.* -/var/log/localmessages
local4.*;local5.* -/var/log/localmessages
local6.*;local7.* -/var/log/localmessages

###
venember
New
 
Posts: 9
Joined: Fri Nov 27, 2015 8:33 am

Re: demolish the syslog system

Postby rgerhards » Tue Dec 01, 2015 5:53 pm

I have googled a bit: OpenSuse seems to no longer install a syslogd, they have switched to journal only. That's probably the root cause of this issue. I suggest to open a ticket with Suse.

HTH
Rainer
rgerhards
Site Admin
 
Posts: 3807
Joined: Thu Feb 13, 2003 11:57 am

Re: demolish the syslog system

Postby dlang » Tue Dec 01, 2015 7:56 pm

My opinion is that a WORKING logging system is FUNDAMENTAL for every operating system. And not by the users. And it should not be allowed to upgrade without it.


We fully agree. You seem to be angry at us for the changes to your system. Your anger is misplaced, you need to be upset at Suse and the systemd developers, not us. The systemd people believe that they know what you want and all that you need is what they give you. The systemd developers have made it so that you have to understand their system, at least a little bit, in order to use anything else. You are going to have to understand whatever logging system you select in order to use it.

now that we understand that the problem is that the new Suse build is systemd journal only, it makes it a lot easier to understand what's going on.

So to run rsyslog on a systemd system, you have two basic options

1. work to disable the systemd journal as much as possible so that rsyslog/syslog-ng can receive logs as they traditionally have

2. configure rsyslog/syslog-ng to retrieve logs from the systemd journal

If you go the first route, you will have to look up how to make the systemd journal not grab /dev/log. Once you do that, you can basically ignore the journal and rsyslog/syslog-ng will work as they traditionally have.

If you go the second route, all logs will go to the systemd journal, and then be retrieved by the syslog daemon. This is more overhead, and you have to worry about the space used by the systemd journal as well as what the syslog daemon does with the logs. If you go this route with rsyslog, you will need to configure imjournal to retrieve the logs. This would replace the imuxsock module. If you aren't doing remote logging, you shouldn't need imudp or imtcp. Once you get the appropriate input module configured, the rest of your config should work.
dlang
Frequent Poster
 
Posts: 1002
Joined: Mon Sep 15, 2008 7:44 am
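The second route above, written out as a minimal local-only rsyslog.conf. This is an added example for this thread, not a config from the poster, from SUSE or from the rsyslog project; the work directory path and the log file names are assumptions chosen to match the files the original poster asked for.

```conf
# Added example (not from the thread): rsyslog pulling logs from journald,
# no network input/output. Assumed state directory; adjust to your system.
global(workDirectory="/var/lib/rsyslog")

# imjournal replaces imuxsock: every message (sshd, kernel, mail, ...) is
# read from the journal, so imklog is not loaded either (it would duplicate
# the kernel lines the journal already carries).
module(load="imjournal"
       StateFile="imjournal.state"   # journal cursor survives restarts
       Ratelimit.Interval="600"      # drop bursts above 20000 msgs / 600 s
       Ratelimit.Burst="20000")      # instead of filling the disk

# No imudp / imtcp: nothing is received from or sent to the network.

# fail2ban wants its own file; "stop" keeps the lines out of the others.
if $programname == 'fail2ban' then /var/log/fail2ban.log
& stop

# sshd "PAM: Authentication failure" lines arrive on auth/authpriv.
auth,authpriv.*                      /var/log/auth
mail.*                              -/var/log/mail
kern.*                              -/var/log/kern
*.info;mail.none;authpriv.none      -/var/log/messages
```

The journal itself still stores a copy of everything, so cap it with SystemMaxUse= in /etc/systemd/journald.conf or the full-disk problem described later in the thread returns regardless of what rsyslog does.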

Re: demolish the syslog system

Postby venember » Wed Dec 02, 2015 7:43 am

Thank you.

I think that if somebody goes to war he should better do not assemble his weapon on the battleground... the better solution is to carry a working one with him.

Apparently the only mostly error-free logging procedure is the journal. It seems that SuSE does not support legacy logging systems and/or has not tested their distribution on legacy systems at all.
They also built up an industrial-wide policykit system which wrote over the root privileges at the beginning... I could not reboot the system by remote firstly...
But if somebody deletes the polkit, it erases the desktop system also... it is a tragedy.

The machine is on the battleground. The third solution is that I will build up a homemade log and defense system using journald and some other basic log files... ridiculous and disastrous.

I was trying the second way and the system logging stopped twice because the disk was full. The /var space is 200GB... and the mail and fail2ban did not log at all. And at the end journald froze with errors... I was trying a lot and I learned a lot about rsyslog via my mistakes... I will try imjournal (I have not heard about it till now); maybe it helps...
venember
New
 
Posts: 9
Joined: Fri Nov 27, 2015 8:33 am

Re: demolish the syslog system

Postby venember » Wed Dec 02, 2015 8:23 am

Hi,

everything seems to be working... The imjournal was the clue.
I will check the whole logging system and re-tune the log management...
I have two working log systems now... :), the only problem is that I switched on/off lots of setup parameters in my pain...

Thanks for all.
venember
New
 
Posts: 9
Joined: Fri Nov 27, 2015 8:33 am
