Rsyslog : Output Logs to Database
2016/09/12
Configure Rsyslog to output logs to a database.
[1] You can choose from several widely used database products; this example configures MariaDB, so install and start the MariaDB server first (refer to here).
[2] Create a user and a database for Rsyslog.
root@dlp:~# apt-get -y install rsyslog-mysql
root@dlp:~# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.0.25-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create the "rsyslog" user and the "Syslog" database (set any password for the 'password' section)
MariaDB [(none)]> create database Syslog;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on Syslog.* to rsyslog@'localhost' identified by 'password';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> exit
Bye
# load the table schema shipped with the rsyslog-mysql package into the Syslog database
root@dlp:~# cat /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql | mysql -u root -D Syslog -p
Enter password:
[3] Configure Rsyslog to output logs to the database.
root@dlp:~# vi /etc/rsyslog.conf
# line 12: add
module(load="ommysql")
root@dlp:~# vi /etc/rsyslog.d/50-default.conf
# for example, output logs for "auth,authpriv.*"
# how to write ⇒ :ommysql:Host,DB,DBUser,DBPassword
auth,authpriv.* :ommysql:localhost,Syslog,rsyslog,password
root@dlp:~# systemctl restart rsyslog
[4] After the configuration above, authentication-related logs are recorded in the database as follows.
root@dlp:~# mysql -u rsyslog -D Syslog -p -e "select ReceivedAt,Facility,Priority,FromHost,Message from SystemEvents;"
+---------------------+----------+----------+----------+-----------------------------------------------------------------+
| ReceivedAt          | Facility | Priority | FromHost | Message                                                         |
+---------------------+----------+----------+----------+-----------------------------------------------------------------+
| 2016-09-11 15:41:22 | 10       | 6        | dlp      | pam_unix(login:session): session closed for user root           |
| 2016-09-11 15:41:22 | 4        | 6        | dlp      | Removed session 7.                                              |
| 2016-09-11 15:41:22 | 10       | 6        | dlp      | pam_unix(systemd-user:session): session closed for user root    |
| 2016-09-11 15:41:27 | 10       | 6        | dlp      | pam_unix(login:session): session opened for user root by LOGIN  |
| 2016-09-11 15:41:27 | 10       | 6        | dlp      | pam_unix(systemd-user:session): session opened for user root b  |
| 2016-09-11 15:41:27 | 4        | 6        | dlp      | New session 9 of user root.                                     |
| 2016-09-11 15:41:27 | 10       | 5        | dlp      | ROOT LOGIN on '/dev/ttyS0'                                      |
| 2016-09-11 15:41:34 | 4        | 6        | node01   | Removed session 8.                                              |
| 2016-09-11 15:41:34 | 10       | 6        | node01   | pam_unix(systemd-user:session): session closed for user root    |
| 2016-09-11 15:41:40 | 10       | 6        | node01   | pam_unix(login:session): session opened for user root by LOGIN  |
| 2016-09-11 15:41:40 | 4        | 6        | node01   | New session 10 of user root.                                    |
| 2016-09-11 15:41:40 | 10       | 6        | node01   | pam_unix(systemd-user:session): session opened for user root b  |
| 2016-09-11 15:41:40 | 10       | 5        | node01   | ROOT LOGIN on '/dev/ttyS0'                                      |
+---------------------+----------+----------+----------+-----------------------------------------------------------------+
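Once auth logs land in SystemEvents, the table can be queried for detections. As an added example (not part of the original page), this Python script groups direct root logins (authpriv notices of the form "ROOT LOGIN on ...") per reporting host. It uses an in-memory SQLite table with the columns shown above and constructed rows mirroring the page's sample output, so it runs offline; the same SQL applies to the MariaDB table.

```python
import sqlite3

# Constructed subset of the rsyslog-mysql SystemEvents table: the columns shown on the page.
SCHEMA = """CREATE TABLE SystemEvents (
    ID INTEGER PRIMARY KEY AUTOINCREMENT, ReceivedAt TEXT NOT NULL,
    Facility INTEGER NOT NULL, Priority INTEGER NOT NULL,
    FromHost TEXT NOT NULL, Message TEXT NOT NULL);"""

# Constructed rows mirroring the page's sample output (authpriv = facility 10, notice = priority 5).
SAMPLE_ROWS = [
    ("2016-09-11 15:41:22", 10, 6, "dlp", "pam_unix(login:session): session closed for user root"),
    ("2016-09-11 15:41:27", 10, 6, "dlp", "pam_unix(login:session): session opened for user root by LOGIN"),
    ("2016-09-11 15:41:27", 10, 5, "dlp", "ROOT LOGIN on '/dev/ttyS0'"),
    ("2016-09-11 15:41:40", 4, 6, "node01", "New session 10 of user root."),
    ("2016-09-11 15:41:40", 10, 5, "node01", "ROOT LOGIN on '/dev/ttyS0'"),
]

FACILITY_AUTHPRIV = 10  # syslog facility numbers per RFC 5424
PRIORITY_NOTICE = 5     # lower number = more severe, so "<= 5" keeps notice and above

# The same SQL runs against the MariaDB table; MySQL connectors use %s rather than ? placeholders.
ROOT_LOGIN_SQL = """SELECT FromHost, ReceivedAt, Message FROM SystemEvents
    WHERE Facility = ? AND Priority <= ? AND Message LIKE 'ROOT LOGIN on %'
    ORDER BY ReceivedAt"""


def load_sample_db():
    """Build the in-memory stand-in for the Syslog database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO SystemEvents (ReceivedAt, Facility, Priority, FromHost, Message) "
                     "VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def root_logins_by_host(conn):
    """Summarise direct root logins per reporting host: count, ttys used and last time seen."""
    report = {}
    for host, received_at, message in conn.execute(ROOT_LOGIN_SQL, (FACILITY_AUTHPRIV, PRIORITY_NOTICE)):
        tty = message.split(" on ", 1)[1].strip("'")  # "ROOT LOGIN on '/dev/ttyS0'" -> /dev/ttyS0
        entry = report.setdefault(host, {"count": 0, "ttys": set(), "last_seen": received_at})
        entry["count"] += 1
        entry["ttys"].add(tty)
        entry["last_seen"] = max(entry["last_seen"], received_at)
    return report


if __name__ == "__main__":
    for host, info in root_logins_by_host(load_sample_db()).items():
        print(f"{host}: {info['count']} direct root login(s) on {sorted(info['ttys'])}, last {info['last_seen']}")
```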