Reliable Logging Enhancements in RHEL6
Transcript of Reliable Logging Enhancements in RHEL6
-
8/10/2019 Reliable Logging Enhancements in RHEL6
1/14
-
Red Hat Enterprise Linux 6
Logging, why should you care?
Troubleshooting
Compliance (PCI, SOX, HIPAA, etc.)
Security
Auditing
Because my Red Hat Solutions Architect said so
-
Rsyslog
Introduced as an optional drop-in replacement for sysklogd in RHEL5
Default syslog daemon in RHEL6 (version 4.x)
Designed to be a modern replacement for sysklogd, adding features & capabilities
-
Rsyslog Features
Multi-threaded syslog daemon
TCP, SSL, TLS, RELP
MySQL, PostgreSQL
ISO 8601 timestamp support (millisecond granularity and timezone information)
On-disk queuing
Componentized design (load only the modules you need)
Filter on any part of a syslog message
Fully configurable output format
-
RELP
Reliable Event Logging Protocol
Not just for syslog
Similar in purpose to AMQP (Advanced Message Queuing Protocol) - a line-level protocol
Designed to address a deficiency of TCP: TCP provides reliability only at the connection level (the bytes reached the peer's kernel), while RELP provides reliability at the application level (the receiving application has acknowledged each record). RELP runs over TCP, so RELP usage implies TCP usage.
Provided via the rsyslog-relp package.
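The application-level acknowledgment that distinguishes RELP from plain TCP, as an added example written for this page (a simplified in-process model, not librelp or rsyslog code). The frame layout `TXNR SP COMMAND SP DATALEN [SP DATA] LF`, the open/syslog/rsp/close commands and the "200 OK" response text follow the RELP specification; the receiver's simulated crash, the sender's timeout-driven retransmit inside one session (real RELP resends after re-establishing the session), the port-less socketpair transport and the three sample syslog records are assumptions constructed for the demonstration.

```python
"""Added, simplified model of the RELP exchange (not librelp/rsyslog code):
a record counts as delivered only when the receiver acknowledges its TXNR,
and anything unacknowledged is resent.  TCP alone cannot give that guarantee:
once the bytes sit in the peer's socket buffer, send() has already succeeded."""
import socket
import threading

# Constructed sample records (RFC 3164 style); not taken from any real system.
SAMPLE_RECORDS = [
    '<13>Jan  1 00:00:01 web01 Apache: 203.0.113.9 - - "GET /login HTTP/1.1" 200 512',
    "<6>Jan  1 00:00:02 gw01 kernel: firewall-DENY IN=eth0 SRC=198.51.100.7 DPT=22",
    '<13>Jan  1 00:00:03 web01 Apache: 203.0.113.9 - - "POST /login HTTP/1.1" 401 0',
]
RELP_OPEN_OFFER = b"relp_version=0\nrelp_software=relp-demo\ncommands=syslog"


def encode_frame(txnr, command, data=b""):
    """One RELP frame: TXNR SP COMMAND SP DATALEN [SP DATA] LF."""
    head = f"{txnr} {command} {len(data)}".encode()
    return head + (b" " + data if data else b"") + b"\n"


def parse_frame(buf):
    """Return (txnr, command, data, rest) for the first complete frame in buf,
    None while the frame is still incomplete; raise ValueError if malformed."""
    try:
        sp1 = buf.index(b" ")
        sp2 = buf.index(b" ", sp1 + 1)
    except ValueError:
        return None
    i = sp2 + 1
    while i < len(buf) and buf[i:i + 1].isdigit():
        i += 1
    if i == len(buf):
        return None                      # DATALEN not terminated yet
    if i == sp2 + 1:
        raise ValueError("missing DATALEN")
    txnr, command = int(buf[:sp1]), buf[sp1 + 1:sp2].decode("ascii")
    datalen = int(buf[sp2 + 1:i])
    if datalen == 0:
        if buf[i:i + 1] != b"\n":
            raise ValueError("bad trailer")
        return txnr, command, b"", buf[i + 1:]
    start, end = i + 1, i + 1 + datalen  # DATA is length-delimited: spaces/newlines allowed
    if len(buf) < end + 1:
        return None
    if buf[i:i + 1] != b" " or buf[end:end + 1] != b"\n":
        raise ValueError("bad frame")
    return txnr, command, buf[start:end], buf[end + 1:]


class FlakyRelpServer:
    """Receiver that 'crashes' once: it reads one chosen syslog record off the
    socket (so TCP has delivered it) but neither commits nor acknowledges it.
    The retransmitted copy with the same TXNR is then accepted normally."""

    def __init__(self, sock, lose_txnr):
        self.sock, self.lose_txnr, self.lost_once = sock, lose_txnr, False
        self.committed = []          # records that reached stable storage

    def serve(self):
        buf = b""
        while True:
            try:
                chunk = self.sock.recv(4096)
            except OSError:
                return
            if not chunk:
                return
            buf += chunk
            while (frame := parse_frame(buf)) is not None:
                txnr, command, data, buf = frame
                if command == "syslog" and txnr == self.lose_txnr and not self.lost_once:
                    self.lost_once = True    # simulated crash: no commit, no rsp
                    continue
                if command == "syslog":
                    self.committed.append(data.decode())
                self.sock.sendall(encode_frame(txnr, "rsp", b"200 OK"))
                if command == "close":
                    return


class RelpClient:
    """Sender that counts a record as delivered only after a 200 rsp for its
    TXNR and resends whatever is still unacknowledged once the peer goes quiet."""

    def __init__(self, sock, timeout=0.5):
        self.sock = sock
        self.sock.settimeout(timeout)
        self.txnr, self.buf, self.retransmits = 0, b"", 0
        self.unacked = {}            # txnr -> frame bytes awaiting a 200 rsp

    def _send(self, command, data=b""):
        self.txnr += 1
        frame = encode_frame(self.txnr, command, data)
        self.unacked[self.txnr] = frame
        self.sock.sendall(frame)

    def _drain_acks(self):
        """Read responses until the peer has been silent for one timeout."""
        while True:
            try:
                chunk = self.sock.recv(4096)
            except socket.timeout:
                return
            if not chunk:
                return
            self.buf += chunk
            while (frame := parse_frame(self.buf)) is not None:
                txnr, command, data, self.buf = frame
                if command == "rsp" and data.startswith(b"200"):
                    self.unacked.pop(txnr, None)

    def deliver(self, records, max_rounds=5):
        """Send records; return the frames still unacknowledged at the end."""
        self._send("open", RELP_OPEN_OFFER)
        for rec in records:
            self._send("syslog", rec.encode())
        for _ in range(max_rounds):
            self._drain_acks()
            if not self.unacked:
                break
            for frame in list(self.unacked.values()):
                self.retransmits += 1    # TCP said "sent"; the application never said "got it"
                self.sock.sendall(frame)
        self._send("close")
        self._drain_acks()
        return dict(self.unacked)


def run_demo(records, lose_txnr=3):
    """Run client and flaky server over a socketpair; return
    (records the server committed, retransmit count, still-unacked frames)."""
    client_sock, server_sock = socket.socketpair()
    server = FlakyRelpServer(server_sock, lose_txnr)
    worker = threading.Thread(target=server.serve, daemon=True)
    worker.start()
    client = RelpClient(client_sock)
    unacked = client.deliver(records)
    client_sock.close()
    worker.join(timeout=5)
    server_sock.close()
    return server.committed, client.retransmits, unacked


if __name__ == "__main__":
    committed, resent, unacked = run_demo(SAMPLE_RECORDS)
    print(f"committed={len(committed)} resent={resent} unacked={len(unacked)}")
    print("\n".join(committed))
```

With `lose_txnr=3` the second record (TXNR 3) is swallowed by the receiver on its first pass. A plain TCP forwarder would have moved on, since its `send()` succeeded; here the sender sees no `rsp` for TXNR 3, resends it after the acknowledgment stream goes quiet, and ends with all three records committed and nothing unacknowledged. RELP therefore gives at-least-once delivery; duplicate suppression across a real reconnect is the receiver's concern.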
-
Security
-
What about?
RHEL5 (rsyslog v3) - No RELP, deploy with TCP and Stunnel
RHEL3/RHEL4 - No RELP, no TCP, deploy with
-
Security & Reporting
Log to a database (MySQL, Postgres)
Native OS tools (grep/awk/sed)
Logwatch
3rd party tools
Australian ...
Internal Security Incident Management tool
Syslog relay chains (feed other syslog servers with your data)
-
Best Practices
Consider deploying the syslog server on RHEL6
Deploy with SSL & RELP where possible.
Queue where possible (separate log delivery from database insertion).
Consider logging to a database (for reporting).
-
So let's build
Just two lines in /etc/rsyslog.conf on the Server.
$ModLoad imrelp.so #Load the RELP Input Module
$InputRELPServerRun 60001
Just two lines in /etc/rsyslog.conf on the Client (1.2.3.4 stands for the server's address).
$ModLoad omrelp.so #Load the RELP Output Module
*.* :omrelp:1.2.3.4:60001;RSYSLOG_ForwardFormat
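The Best Practices slide (queue where possible, deploy with SSL & RELP) combined with the two-line server and client above, as an added example written for this page rather than taken from the slides or the rsyslog project, in the legacy `$Directive` syntax of the rsyslog 4/5 series shipped with RHEL6. The server address 1.2.3.4, port 60001 and the queue file name `fwdRelp` are placeholders; the `$WorkDirectory`, `$ActionQueue*` and `$ActionResumeRetryCount` directives are stock rsyslog ones, and the `& ~` discard lines are my addition. The expression filters match the Apache and iptables integration on the following slides: `logger -t 'Apache'` puts the word in the syslog tag rather than the message body, so the tag is what must be matched. One caveat not on the slides: imrelp/omrelp in these versions carry no TLS of their own and imrelp listens on every interface, so the "SSL" of the best-practices slide means wrapping the RELP connection (Stunnel, as the RHEL5 slide suggests) or switching the forwarding action to omfwd with the gtls driver, and access to 60001/tcp should be restricted with the host firewall.

```conf
#### Server side: /etc/rsyslog.conf on the central log host ####
$ModLoad imrelp.so
$InputRELPServerRun 60001
# imrelp here listens on all interfaces and speaks plaintext: restrict who can
# reach 60001/tcp with iptables and wrap the link in Stunnel on untrusted paths.

# Route the integrated feeds to their own files, then discard ("& ~") so the
# same lines do not also land in /var/log/messages.
# Messages parsed off the wire may carry the tag/message separator space at the
# start of $msg, so "contains" is more robust than "startswith" for the prefix.
if $msg contains 'firewall-DENY' then /var/log/iptables.log
& ~
# The Apache lines arrive via "logger -t 'Apache'": the word is in the tag, not in $msg.
if $syslogtag contains 'Apache' then /var/log/apache.log
& ~

#### Client side: /etc/rsyslog.conf on each forwarding host ####
# imklog (already loaded by the stock RHEL6 config) supplies the iptables LOG lines.
$ModLoad imklog.so
$ModLoad omrelp.so
# Queue the forwarding action on disk so local logging never blocks on the
# network and buffered messages survive a relay outage or a local restart.
$WorkDirectory /var/lib/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdRelp
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* :omrelp:1.2.3.4:60001;RSYSLOG_ForwardFormat
```

The `$ActionQueue*` directives apply to the next action line only, so they must sit directly above the `:omrelp:` forwarder; with `$ActionResumeRetryCount -1` the client retries for ever instead of dropping messages once the retry budget is spent, which is the behaviour wanted for a security log feed.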
-
And now let's integrate
Apache
CustomLog "|/usr/bin/logger -p local2.info -t 'Apache'" combined
ErrorLog "|/usr/bin/logger -p local2.info -t 'Apache'"
Iptables
iptables -A INPUT -j LOG --log-prefix "firewall-DENY " --log-level debug
-
And now let's integrate (contd)
Rsyslog supports expression-based filtering of log messages.
Example
if $msg startswith 'firewall-DENY' then /var/log/iptables.log
Example
if $syslogtag contains 'Apache' then /var/log/apache.log
Expressions give the ability to adapt to business requirements.
-
References
RELP - http://www.librelp.com/relp.html
Rsyslog - http://www.rsyslog.com/
Log Analyzer - http://loganalyzer.adiscon.com/
Red Hat Customer Portal - http://access.redhat.com