Ubuntu 16.04
Sponsored Link

Rsyslog : Output Logs to Database
2016/09/12
 
Configure Rsyslog to output logs to Database.
[1]
It's possible to select a database from some mainly used products in the world, this example shows to configure with MariaDB, so Install and start MariaDB server, refer to here.
[2] Create a user and Database for Rsyslog.
root@dlp:~#
apt-get -y install rsyslog-mysql
root@dlp:~#
mysql -u root -p

Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 43
Server version: 10.0.25-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# create "rsyslog" user and "Syslog" database ( set any password for 'password' section)

MariaDB [(none)]>
create database Syslog;

Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]>
grant all privileges on Syslog.* to rsyslog@'localhost' identified by 'password';

Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]>
flush privileges;

Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]>
exit

Bye
root@dlp:~#
cat /usr/share/dbconfig-common/data/rsyslog-mysql/install/mysql | mysql -u root -D Syslog -p

Enter password:
[3] Configure Rsyslog to output logs to database.
root@dlp:~#
vi /etc/rsyslog.conf
# line 12: add

module(load="ommysql")
root@dlp:~#
vi /etc/rsyslog.d/50-default.conf
# for example, output logs for "auth,authpriv.*"

# how to wite ⇒ :ommysql:Host,DB,DBUser,DBPassword

auth,authpriv.*    
:ommysql:localhost,Syslog,rsyslog,password
root@dlp:~#
systemctl restart rsyslog
[4] After configuration of above, some logs of kinds of authentication are recorded on Database like follows.
root@dlp:~#
mysql -u rsyslog -D Syslog -p -e "select ReceivedAt,Facility,Priority,FromHost,Message from SystemEvents;"

+---------------------+----------+----------+----------+-----------------------------------------------------------------+
| ReceivedAt          | Facility | Priority | FromHost | Message                                                         |
+---------------------+----------+----------+----------+-----------------------------------------------------------------+
| 2016-09-11 15:41:22 |       10 |        6 | dlp      |  pam_unix(login:session): session closed for user root          |
| 2016-09-11 15:41:22 |        4 |        6 | dlp      |  Removed session 7.                                             |
| 2016-09-11 15:41:22 |       10 |        6 | dlp      |  pam_unix(systemd-user:session): session closed for user root   |
| 2016-09-11 15:41:27 |       10 |        6 | dlp      |  pam_unix(login:session): session opened for user root by LOGIN |
| 2016-09-11 15:41:27 |       10 |        6 | dlp      |  pam_unix(systemd-user:session): session opened for user root b |
| 2016-09-11 15:41:27 |        4 |        6 | dlp      |  New session 9 of user root.                                    |
| 2016-09-11 15:41:27 |       10 |        5 | dlp      |  ROOT LOGIN  on '/dev/ttyS0'                                    |
| 2016-09-11 15:41:34 |        4 |        6 | node01   |  Removed session 8.                                             |
| 2016-09-11 15:41:34 |       10 |        6 | node01   |  pam_unix(systemd-user:session): session closed for user root   |
| 2016-09-11 15:41:40 |       10 |        6 | node01   |  pam_unix(login:session): session opened for user root by LOGIN |
| 2016-09-11 15:41:40 |        4 |        6 | node01   |  New session 10 of user root.                                   |
| 2016-09-11 15:41:40 |       10 |        6 | node01   |  pam_unix(systemd-user:session): session opened for user root b |
| 2016-09-11 15:41:40 |       10 |        5 | node01   |  ROOT LOGIN  on '/dev/ttyS0'                                    |
+---------------------+----------+----------+----------+-----------------------------------------------------------------+
 
Tweet