Transport iptables log file to log server   2019-08-15


Objective

Enable the iptables LOG function on the log client (R1), forward the log entries to the log server with rsyslog, and deploy LogAnalyzer on the log server to view them.

System environment

All systems use CentOS 7.6.

  1. R1 (router with two network adapters; the log client)
  2. log server (in the LAN)

Build iptables rules and rsyslog in R1

# Log ICMP, TCP and UDP packets arriving on INPUT, and packets leaving ens33 before they are masqueraded.
# --log-level notice matches the kern.=notice selector used on the log server below.
# LOG is a non-terminating target, so the LOG rule must come before MASQUERADE in POSTROUTING.
iptables -A INPUT -i $LAN_INTERFACE -p icmp -j LOG --log-prefix "INPUT ICMPv4:" --log-level notice
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT TCP:" --log-level notice
iptables -A INPUT -p udp -j LOG --log-prefix "INPUT UDP:" --log-level notice
iptables -t nat -A POSTROUTING -o ens33 -j LOG --log-level notice --log-prefix "NAT Packet:"
iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE

To send the logs to the log server (where they are saved in /var/log/iptables.log), edit /etc/rsyslog.conf on R1:

*.* @192.168.0.1:514   # log server IP or FQDN; a single @ forwards over UDP and makes this host a log client

Enable IPv4 forwarding in /etc/sysctl.conf so R1 routes between its two adapters:

net.ipv4.ip_forward = 1

Build rsyslog in log server

edit /etc/rsyslog.conf

#uncomment these lines to receive syslog over UDP
$ModLoad imudp
$UDPServerRun 514

#add these lines to accept messages from the log client network
$AllowedSender UDP,192.168.0.0/24
kern.=notice /var/log/iptables.log #save the iptables entries in their own file

#default CentOS 7 rule for /var/log/messages, with kern notice excluded so iptables entries are not duplicated there
*.info;kern.!=notice;mail.none;authpriv.none;cron.none /var/log/messages
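As an added example (not part of the original post), a small Python parser for the entries the LOG rules above produce in /var/log/iptables.log on the log server: it separates the syslog header from the iptables log prefix and the packet fields, skips non-iptables lines, and counts destination ports per protocol for the INPUT rules. The sample lines are constructed to match this rule set; hostnames, interfaces and addresses in them are made up.

```python
import re
from collections import Counter

# Constructed sample of what rsyslog writes to /var/log/iptables.log for the
# LOG rules above (facility kern, priority notice). The kernel prints the LOG
# prefix directly before "IN=", so "INPUT TCP:" is followed by "IN=ens33" with
# no space. A non-iptables line is included to show that it is skipped.
SAMPLE_LOG = """\
Aug 15 10:23:45 R1 kernel: INPUT TCP:IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.55 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 15 10:23:46 R1 kernel: INPUT TCP:IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.0.55 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 15 10:23:47 R1 kernel: INPUT UDP:IN=ens33 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=192.168.0.20 DST=192.168.0.1 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 15 10:23:48 R1 kernel: NAT Packet:IN= OUT=ens33 SRC=192.168.0.20 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Aug 15 10:23:49 R1 sshd[1234]: Accepted publickey for admin from 192.168.0.20 port 50000
"""

# Syslog header, then the LOG prefix (lazy, so it stops at the kernel's first
# "IN="), then the packet fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<packet>IN=.*)$"
)


def parse_line(line):
    """Return {ts, host, prefix, fields, flags} for an iptables LOG line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in m.group("packet").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)  # keep the IP-header ID/LEN, not ICMP's or UDP's second one
        else:
            flags.append(token)            # bare tokens such as DF, SYN, ACK
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}


def parse_log(text):
    """Parse every iptables LOG line in a log text, skipping everything else."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def input_port_counts(events):
    """Count (PROTO, DPT) pairs for packets logged by the INPUT rules above."""
    return Counter((e["fields"]["PROTO"], e["fields"].get("DPT", "-"))
                   for e in events if e["prefix"].startswith("INPUT"))


if __name__ == "__main__":
    for (proto, dport), n in input_port_counts(parse_log(SAMPLE_LOG)).most_common():
        print(f"{proto:5} dport {dport:>5}: {n}")
```

Replace SAMPLE_LOG with the contents of /var/log/iptables.log to summarise a real capture; the same fields (SRC, DST, PROTO, DPT) are what LogAnalyzer shows per event.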

Deploy LogAnalyzer in log server

Install Apache (httpd) and PHP
(In this project, the PHP version is 7.3, while the default version in CentOS 7 is 5.4.)

yum install httpd php

Recommended: reboot the machine after the installation finishes, otherwise LogAnalyzer will not install successfully.

Download LogAnalyzer from official website and extract it

wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.7.tar.gz
tar -zxvf loganalyzer-4.1.7.tar.gz

To show report images in LogAnalyzer, the GD module needs to be installed.

yum install gd gd-devel php-gd
systemctl restart httpd

Browse to $YOUR_SERVER_IP/loganalyzer/src/install.php to install LogAnalyzer.

Use MariaDB (MySQL) to store log files, and use phpMyAdmin to manage them

Install MariaDB and configure

yum install epel-release
yum install mariadb-server php-mysql rsyslog-mysql
mysql_secure_installation #set the root password and remove test accounts
mysql -u root -p #login

In this project, the phpMyAdmin version is 4.9, which needs PHP 5.5 or later.
Download the phpMyAdmin setup file from the official website, extract it to /var/www, and browse to $SERVER_IP/phpmyadmin/setup to set the configuration.

mysql -u root -p logdb </usr/share/doc/rsyslog/mysql-createDB.sql #create the rsyslog database schema
mv config.php config.php.backup #re-configure LogAnalyzer: back up the existing config.php
touch config.php #and create an empty one for install.php to fill in

Edit rsyslog.conf on the log server so the iptables entries are also written to MariaDB

#load the ommysql output module
$ModLoad ommysql
#:ommysql:database host,database name,user name,password
kern.=notice :ommysql:localhost,logdb,$dbuser,$dbpassword

Screenshot



