# 'corporate' scenario with logs ?

## InsaneHamster

I'm just wondering if someone could post what main programs are used in industry (or the corporate world) for logging and network administration of a system (currently I am using syslog-ng, and I know there are various ones). I am a n00b, and am wondering what easier way there is, other than "sudo cat /var/log/messages", to check logs for errors and unauthorized access?

I read about the MySQL database, but I'm not that advanced yet. I need to get a good feel first for using the system properly, and also simple things such as mail programs for reading them and receiving these messages in an inbox.....

thank you

----------

## grimm26

I actually work for a large corporation and I installed a gentoo box in our data center to gather all system logs centrally using syslog-ng.  So yes, you are doing fine by using syslog-ng.  In my design, I do feed the logs from syslog-ng into a MySQL database and use a nice front end called php syslog-ng to make the logs easily searchable.  It works pretty well.

As for monitoring the logs to check for "errors and unauthorized access", I use SEC in my setup.  It is a general purpose tool and was not specifically designed for monitoring *nix system logs, so it takes a while to set up a config file to catch everything.  Its strength is its generality, though, because you can configure it to do just about anything.  It can trigger any program you can point it at to send emails, SMS, etc. for notifications on events.

You can also look at tenshi, which is a Gentoo project.  I haven't used it, but it is designed to look over your log files and notify you of stuff.  There are also old standbys like swatch.

Hope that helps.
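The two rules grimm26 is describing (a burst of failures from one source, and a later "unauthorized access" that follows it) are exactly the kind of correlation one writes a SEC config for. The block below is an added example, not from this thread and not SEC itself: it reimplements those two rules in plain Python over a handful of constructed `/var/log/messages` lines, so the logic can be read and run without a SEC install. The sample lines, the threshold (5 failures in 60 seconds) and the alert strings are all assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from the thread): an SSH brute-force
# attempt from 10.0.0.7 that ends in a successful password login, plus a
# single harmless failure from a LAN host.
SAMPLE_LOG = """\
Jan 18 10:30:01 gw sshd[2101]: Accepted publickey for pengu64 from 192.168.1.20 port 51022 ssh2
Jan 18 10:31:10 gw sshd[2110]: Failed password for root from 10.0.0.7 port 4001 ssh2
Jan 18 10:31:12 gw sshd[2111]: Failed password for root from 10.0.0.7 port 4002 ssh2
Jan 18 10:31:15 gw sshd[2112]: Failed password for invalid user admin from 10.0.0.7 port 4003 ssh2
Jan 18 10:31:19 gw sshd[2113]: Failed password for root from 10.0.0.7 port 4004 ssh2
Jan 18 10:31:22 gw sshd[2114]: Failed password for root from 10.0.0.7 port 4005 ssh2
Jan 18 10:31:40 gw sshd[2120]: Accepted password for root from 10.0.0.7 port 4006 ssh2
Jan 18 10:45:00 gw sshd[2130]: Failed password for pengu64 from 192.168.1.20 port 51030 ssh2
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port")


def parse(line, year=2006):
    """Split one syslog line into timestamp, host, program and message.
    BSD syslog carries no year, so the caller supplies it (assumed 2006)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "program": m.group(3), "msg": m.group(4)}


def correlate(lines, threshold=5, window=60):
    """Return a list of alert strings. Two rules, in the spirit of an SEC
    SingleWithThreshold + Pair setup:
      1. >= threshold failed passwords from one source IP within `window`
         seconds (sliding window, alert once per source);
      2. an 'Accepted password' from a source that already tripped rule 1."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    flagged = set()               # sources that already tripped rule 1
    alerts = []
    for line in lines.splitlines():
        rec = parse(line)
        if rec is None or rec["program"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            src = m.group(2)
            q = recent[src]
            q.append(rec["ts"])
            # drop failures that fell out of the window
            while (rec["ts"] - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"BRUTEFORCE {src} {len(q)} failures in {window}s on {rec['host']}")
            continue
        m = ACCEPTED_RE.search(rec["msg"])
        if m and m.group(1) == "password" and m.group(3) in flagged:
            alerts.append(f"SUCCESS-AFTER-BRUTEFORCE user={m.group(2)} from {m.group(3)} on {rec['host']}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Run against the sample it emits one BRUTEFORCE alert for 10.0.0.7 and one SUCCESS-AFTER-BRUTEFORCE for the root login that follows; the lone failure from 192.168.1.20 stays below the threshold. In SEC the same thing is two rules in the config, with the `action` field pointing at whatever mailer or pager script you want triggered.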

----------

## InsaneHamster

 *grimm26 wrote:*   

> I actually work for a large corporation and I installed a gentoo box in our data center to gather all system logs centrally using syslog-ng.  So yes, you are doing fine by using syslog-ng.  In my design, I do feed the logs from syslog-ng into a MySQL database and use a nice front end called php syslog-ng to make the logs easily searchable.  It works pretty well.
> 
> As for monitoring the logs to check for "errors and unauthorized access", I use SEC in my setup.  It is a general purpose tool and was not specifically designed for monitoring *nix system logs, so it takes a while to set up a config file to catch everything.  Its strength is its generality, though, because you can configure it to do just about anything.  It can trigger any program you can point it at to send emails, SMS, etc. for notifications on events.
> 
> You can also look at tenshi, which is a Gentoo project.  I haven't used it, but it is designed to look over your log files and notify you of stuff.  There are also old standbys like swatch.
> ...

 

Thank you, your response was most excellent and helpful in my research. What I did was, after noting that syslog-ng works and trying various log watchers, I decided they were not what I wanted. I want a GUI-based or even server-based database for this data. I emerged mysql, and with a couple of starting errors was able to have it install 5.0.18 amd64. It runs and I was able to log into it fine, and create a database and a table, and very little that I read (first time using it   :Embarassed:  ). So I figured that a 'GUI or net' based install / front end is what I need. So I downloaded php-syslog-ng; however, the install is complicated, as I have never dealt with this type of software before.... 

from the site http://www.vermeer.org/docs/1

I had no clue what to do and how to go about installing this...? Where do the first script files go? (I know the daemon is an /etc/init.d/ service.) 

Is there an easier way of learning an approach to running one of these? Would I require a foundation or knowledge of MySQL (currently I have none, other than that it's a database)? Maybe a recommendation of a program, out of the many there are, for a n00b, which would allow me to log into it and visually see it and maybe use OpenOffice to edit it? Something along those lines, or a quick rundown of where and what I would do with these scripts.

thank you

```

Synopsis:

This documentation assumes that you have installed and have a working version of syslog-ng version 1.5.x and higher.

This documentation assumes that you have installed and have a working version of mysql database.

What is syslog-ng?

Syslog-ng is the world's most flexible and scalable audit trail processing tool for organizations of any size. It provides

a centralised, securely stored log of all devices on your network, whatever platform they run on. And syslog-ng also incorporates

a host of powerful features, including filtering based on message content, as well as customisable data mining and analysis

capabilities. syslog-ng comes as part of the Zorp product line or can be downloaded ((click here)) as a drop-in replacement

for stock UNIX system logging software.

What is mysql

MySQL is an open source relational database management system (RDBMS) that uses Structured Query Language (SQL),

the most popular language for adding, accessing, and processing data in a database.

Configure syslog-ng to log to mysql database using fifo template:

destination d_mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag, date, time, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY', '$HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
        template-escape(yes)
    );
};

log { source(net); destination(d_mysql); };

Comment out the following line

#source src { unix-dgram("/dev/log"); internal(); };

Uncomment out the following lines

source src { unix-dgram("/etc/log/log"); internal(); };

source net { udp(); };

Create the fifo pipe for syslog-ng to export out logs

mkfifo /tmp/mysql.pipe

Create syslog database

CREATE DATABASE syslog;

USE syslog;

CREATE TABLE logs (
  host varchar(32) default NULL,
  facility varchar(10) default NULL,
  priority varchar(10) default NULL,
  level varchar(10) default NULL,
  tag varchar(10) default NULL,
  date date default NULL,
  time time default NULL,
  program varchar(15) default NULL,
  msg text,
  seq int(10) unsigned NOT NULL auto_increment,
  PRIMARY KEY (seq),
  -- a separate KEY seq (seq) is redundant with the primary key and was dropped
  KEY host (host),
  KEY program (program),
  KEY time (time),
  KEY date (date),
  KEY priority (priority),
  KEY facility (facility)
) ENGINE=MyISAM;   -- ENGINE= is the current spelling; TYPE= is the old alias


Restart syslog-ng process

Stop syslog-ng

/etc/init.d/syslog-ng stop

Start syslog-ng

/etc/init.d/syslog-ng start

Pipe Insert scripts

# Created by Matthias Buch

#

In the syslog-ng.conf we use:

destination d_oracle {
    pipe("/dev/ora.pipe"
        template("INSERT INTO logs (LL_HOST, LL_facility, LL_priority, LL_level, LL_tag, LL_DATE, LL_program, LL_msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', to_date('$YEAR.$MONTH.$DAY $HOUR:$MIN:$SEC', 'yyyy.mm.dd hh24:mi:ss'), '$PROGRAM', substr('$MSG',1,511));\n COMMIT;\n")
        template-escape(yes)
    );
};

-- import-to-oracle.sh

#to write files to the fifo we have a job import-to-oracle.sh

#!/bin/sh

nohup sqlplus username/password@dbname @/dev/ora.pipe >/dev/null &

-- cronjob

#and to check for running oracle clients

#we have a cronjob running every 5 minutes:

#!/bin/bash

export ORACLE_HOME=/usr/oracle/product/8.1.7

export ORACLE_BASE=/usr/oracle

export PATH=$ORACLE_HOME/bin:$PATH

SQL=`ps ax|grep sqlplus|grep -v grep|wc -l`

if [ $SQL -lt 1 ];then

/opt/bin/import-to-oracle.sh

fi

This script is used to pipe syslog-ng to mysql

#

# Created by Tadghe Patrick Danu

#

 

#!/bin/bash
# Feeds the INSERT statements syslog-ng writes to the fifo into MySQL.
# Each time syslog-ng closes the pipe the mysql client exits and the loop
# reopens it. The original only looped if the fifo already existed and
# exited right after creating it; now it creates the fifo and then loops.
PIPE=/tmp/mysql.pipe
[ -p "$PIPE" ] || mkfifo "$PIPE"
while [ -p "$PIPE" ]
do
    # --password on the command line shows up in ps; a ~/.my.cnf for the
    # feeder user avoids that.
    mysql -u theuserid --password=thepassword syslogdb < "$PIPE"
done

This script is used to pipe syslog-ng to postgreSQL

http://www.umialumni.com/~ben/SYSLOG-DOC.html

#

# Created by Ben Russo

#

#!/bin/bash

#

# run-syslog2pgsql-insert.sh

# 23-April-2002 by Ben Russo

#

# This script makes sure that the syslogs get

# into the database.

# It is designed to be started by CRON periodically.

# I would run it every minute, or at least every

# every few minutes.

#

DATADIR="/spooldir/syslog2pgsql"

WORKDIR="/var/lib/pgsql/syslog"

LOGFILE="$WORKDIR/syslog2pgsql-insert.log"

TZ=UCT

export DATADIR WORKDIR TZ

#

# Here we are going to make sure there isn't

# already an instance of run-syslog2pgsql-insert.sh

# that is running.

#

if [ -f $WORKDIR/.syslog2pgsql-insert.pid ]

then

OLDPID=`cat $WORKDIR/.syslog2pgsql-insert.pid`

NUMPROCS=`ps -e | grep $OLDPID | grep run-syslog2 | wc -l`

if [ $NUMPROCS -gt 0 ]

then

exit 0

fi

fi

#

# If this script has run this far then there should

# not be another instance of run-syslog2pgsql-insert.sh

# running, therefore let's make a PID file and do it.

#

echo $$ > $WORKDIR/.syslog2pgsql-insert.pid

#

# Now start an endless loop that looks for control files.

#

while true

do

DATE=`date`

if [ -f $WORKDIR/.insert-die ]

then

echo "=die===== $DATE $WORKDIR/.insert-die file found, exiting." >> $LOGFILE

exit 0

fi

if [ -f $WORKDIR/.insert-restart ]

then

echo "=restart= $DATE $WORKDIR/.insert-restart file found, exiting." >> $LOGFILE

echo "=restart= $DATE Deleting .insert-restart file." >> $LOGFILE

echo "=restart= $DATE Expecting cron to restart this script." >> $LOGFILE

# the messages above promised to delete the flag and exit; actually do it

rm -f $WORKDIR/.insert-restart

exit 0

fi

if [ -f $WORKDIR/.insert-pause ]

then

echo "=pause=== $DATE $WORKDIR/.insert pause file found." >> $LOGFILE

echo "=pause=== $DATE sleeping 3 secs." >> $LOGFILE

sleep 3

else

FILELIST=`find $DATADIR -name "fulllog.2[0-9][0-9][0-9].[0-1][0-9].[0-3][0-9].[0-2][0-9].[0-5][0-9].[0-6][0-9]"`

usleep 999997

for i in $FILELIST

do

cat $i | psql -U postgres -d syslog-ng >> $LOGFILE 2>&1

DATE=`date`

echo "========= $DATE finished $i" >> $LOGFILE

rm -f $i

done

fi

done

#

# END OF THE SCRIPT

#

This file is the "functions" file distributed with Mandrake systems

# -*-Shell-script-*-

#

# functions This file contains functions to be used by most or all

# shell scripts in the /etc/init.d directory.

#

TEXTDOMAIN=initscripts

TEXTDOMAINDIR=/etc/locale

LOCPATH=/etc/locale

export TEXTDOMAINDIR LOCPATH

# Make sure umask is sane

umask 022

# Set up a default search path.

PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin"

export PATH

[ -z "${CONSOLETYPE:-}" ] && CONSOLETYPE="`/sbin/consoletype`"

# Get a sane screen width

[ -z "${COLUMNS:-}" ] && COLUMNS=80

if [ -f /etc/sysconfig/i18n -a -z "$NOLOCALE" ]; then

. /etc/sysconfig/i18n

if [ "$CONSOLETYPE" != "pty" ]; then

[ "$CONSOLE_NOT_LOCALIZED" = "yes" ] && GP_LANG=C

[ "$CONSOLE_NOT_LOCALIZED" = "yes" ] && GP_LANGUAGE=C

fi

if [ -z "$GP_LANG" ]; then

[ -n "$LC_CTYPE" ] && GP_LANG=$LC_CTYPE || GP_LANG=$LC_MESSAGES

fi

if [ -z "$GP_LANGUAGE" ]; then

[ -n "$LANGUAGE" ] && GP_LANGUAGE=$LANGUAGE || GP_LANGUAGE=$GP_LANG

fi

fi

# Read in our configuration

if [ -z "${BOOTUP:-}" ]; then

if [ -f /etc/sysconfig/init ]; then

. /etc/sysconfig/init

else

# This all seem confusing? Look in /etc/sysconfig/init,

# or in /usr/share/doc/initscripts-*/sysconfig.txt

BOOTUP=color

RES_COL=60

MOVE_TO_COL="echo -en \\033[${RES_COL}G"

SETCOLOR_SUCCESS="echo -en \\033[1;32m"

SETCOLOR_FAILURE="echo -en \\033[1;31m"

SETCOLOR_WARNING="echo -en \\033[1;33m"

SETCOLOR_NORMAL="echo -en \\033[0;39m"

LOGLEVEL=1

fi

if [ "$CONSOLETYPE" = "serial" ]; then

BOOTUP=serial

MOVE_TO_COL=

SETCOLOR_SUCCESS=

SETCOLOR_FAILURE=

SETCOLOR_WARNING=

SETCOLOR_NORMAL=

fi

fi

if [ "${BOOTUP:-}" != "verbose" ]; then

INITLOG_ARGS="-q"

else

INITLOG_ARGS=

fi

gprintf() {

if [ -x /bin/gettext -a -n "$1" ]; then

if [ -n "$GP_LANG" ]; then

local TEXT=`LC_ALL=$GP_LANG LANGUAGE=$GP_LANGUAGE gettext -e --domain=$TEXTDOMAIN "$1"`

else

local TEXT=`gettext -e --domain=$TEXTDOMAIN "$1"`

fi

else

local TEXT=$1

fi

[ "${1#*\\n}" ] || TEXT="$TEXT\n"

shift

printf "$TEXT" "$@"

}

# Frontend to gprintf (support up to 4 %s in format string)

# returns the message transleted in GPRINTF_MSG and

# the resting parms in GPRINTF_REST

# This simplifies a lot the call of functions like action,

# now with i18n support

gprintf_msg_rest() {

case "$1" in

*%s*%s*%s*%s*)

GPRINTF_MSG=$(gprintf "$1" "$2" "$3" "$4" "$5")

shift 5;;

*%s*%s*%s*)

GPRINTF_MSG=$(gprintf "$1" "$2" "$3" "$4")

shift 4;;

*%s*%s*)

GPRINTF_MSG=$(gprintf "$1" "$2" "$3")

shift 3;;

*%s*)

GPRINTF_MSG=$(gprintf "$1" "$2")

shift 2;;

*)

GPRINTF_MSG=$(gprintf "$1")

shift;;

esac

GPRINTF_REST="$@"

}

# Check if $pid (could be plural) are running with

# the same root as this script

inmyroot() {

local i r

for i in $* ; do

[ "/proc/$i/root" -ef "/proc/$$/root" ] && r="$r $i"

done

echo "$r"

}

# Check if $pid (could be plural) are running

checkpid() {

local i

for i in $* ; do

[ -d "/proc/$i" ] && return 0

done

return 1

}

# A function to start a program.

daemon() {

# Test syntax.

local gotbase= force=

local base= user= nice= bg= pid=

nicelevel=0

while [ "$1" != "${1##[-+]}" ]; do

case $1 in

'') gprintf "%s: Usage: daemon [+/-nicelevel] {program}\n" $0

return 1;;

--check)

base=$2

gotbase="yes"

shift 2

;;

--check=?*)

base=${1#--check=}

gotbase="yes"

shift

;;

--user)

user=$2

shift 2

;;

--user=?*)

user=${1#--user=}

shift

;;

--force)

force="force"

shift

;;

[-+][0-9]*)

nice="nice -n $1"

shift

;;

*) gprintf "%s: Usage: daemon [+/-nicelevel] {program}\n" $0

return 1;;

esac

done

# Save basename.

[ -z "$gotbase" ] && base=${1##*/}

# See if it's already running. Look *only* at the pid file.

if [ -f /var/run/${base}.pid ]; then

local line p

read line < /var/run/${base}.pid

for p in $line ; do

[ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"

done

fi

[ -n "${pid:-}" -a -z "${force:-}" ] && return

# make sure it doesn't core dump anywhere; while this could mask

# problems with the daemon, it also closes some security problems

ulimit -S -c 0 >/dev/null 2>&1

# if they set NICELEVEL in /etc/sysconfig/foo, honor it

[ -n "$NICELEVEL" ] && nice="nice -n $NICELEVEL"

# Echo daemon

[ "${BOOTUP:-}" = "verbose" -a -z "$LSB" ] && echo -n " $base"

# libsafe support

if [ -r /etc/sysconfig/system ] && grep -q '^LIBSAFE=yes$' /etc/sysconfig/system && [ -r /lib/libsafe.so.2 ]; then

LD_PRELOAD=/lib/libsafe.so.2

export LD_PRELOAD

fi

# And start it up.

if [ -z "$user" ]; then

$nice initlog $INITLOG_ARGS -c "$*"

else

$nice initlog $INITLOG_ARGS -c "su -s /bin/bash - $user -c \"$*\""

fi

rc=$?

[ $rc = 0 ] && success "%s startup" $base || failure "%s startup" $base

unset LD_PRELOAD

return $rc

}

# A function to stop a program.

killproc() {

RC=0

# Test syntax.

if [ "$#" -eq 0 ]; then

gprintf "Usage: killproc {program} [signal]\n"

return 1

fi

notset=0

# check for second arg to be kill level

if [ -n "$2" ]; then

killlevel=$2

else

notset=1

killlevel="-9"

fi

# Save basename.

base=${1##*/}

# Find pid.

pid=

if [ -f /var/run/${base}.pid ]; then

local line p

read line < /var/run/${base}.pid

for p in $line ; do

[ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"

done

fi

if [ -z "$pid" ]; then

pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \

pidof -o $$ -o $PPID -o %PPID -x $base`

fi

# Avoid killing processes not running in the same root

[ -n "$pid" ] && pid="`inmyroot $pid`"

# Kill it.

if [ -n "${pid:-}" ] ; then

[ "$BOOTUP" = "verbose" -a -z "$LSB" ] && echo -n "$base "

if [ "$notset" -eq "1" ] ; then

if checkpid $pid 2>&1; then

# TERM first, then KILL if not dead

kill -TERM $pid

usleep 100000

if checkpid $pid && sleep 1 &&

checkpid $pid && sleep 3 &&

checkpid $pid ; then

kill -KILL $pid

usleep 100000

fi

fi

checkpid $pid

RC=$?

[ "$RC" -eq 0 ] && failure "%s shutdown" $base || success "%s shutdown" $base

RC=$((! $RC))

# use specified level only

else

if checkpid $pid; then

kill $killlevel $pid

RC=$?

[ "$RC" -eq 0 ] && success "%s %s" $base $killlevel || failure "%s %s" $base $killlevel

fi

fi

else

failure "%s shutdown" $base

RC=1

fi

# Remove pid file if any.

if [ "$notset" = "1" ]; then

rm -f /var/run/$base.pid

fi

return $RC

}

# A function to find the pid of a program. Looks *only* at the pidfile

pidfileofproc() {

local base=${1##*/}

# Test syntax.

if [ "$#" -eq 0 ] ; then

gprintf "Usage: pidfileofproc {program}\n"

return 1

fi

# First try "/var/run/*.pid" files

if [ -f /var/run/$base.pid ] ; then

local line p pid=

read line < /var/run/$base.pid

for p in $line ; do

[ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p"

done

if [ -n "$pid" ]; then

echo $pid

return 0

fi

fi

}

# A function to find the pid of a program.

pidofproc() {

base=${1##*/}

# Test syntax.

if [ "$#" -eq 0 ] ; then

gprintf "Usage: pidofproc {program}\n"

return 1

fi

# First try "/var/run/*.pid" files

if [ -f /var/run/$base.pid ]; then

local line p pid=

read line < /var/run/$base.pid

for p in $line ; do

[ -z "${p//[0-9]/}" -a -d /proc/$p ] && pid="$pid $p"

done

if [ -n "$pid" ]; then

echo $pid

return 0

fi

fi

pidof -o $$ -o $PPID -o %PPID -x $1 || \

pidof -o $$ -o $PPID -o %PPID -x $base

}

status() {

local base=${1##*/}

local pid

# Test syntax.

if [ "$#" -eq 0 ] ; then

gprintf "Usage: status {program}\n"

return 1

fi

# First try "pidof"

pid=`pidof -o $$ -o $PPID -o %PPID -x $1 || \

pidof -o $$ -o $PPID -o %PPID -x ${base}`

if [ -n "$pid" ] ; then

gprintf "%s (pid %s) is running...\n" ${base} $pid

return 0

fi

# Next try "/var/run/*.pid" files

if [ -f /var/run/${base}.pid ] ; then

read pid < /var/run/${base}.pid

if [ -n "$pid" ] ; then

gprintf "%s dead but pid file exists\n" ${base}

return 1

fi

fi

# See if /var/lock/subsys/${base} exists

if [ -f /var/lock/subsys/${base} ]; then

gprintf "%s dead but subsys locked\n" ${base}

return 2

fi

gprintf "%s is stopped\n" ${base}

return 3

}

echo_success() {

[ "$BOOTUP" = "color" ] && $MOVE_TO_COL

echo -n "["

[ "$BOOTUP" = "color" ] && $SETCOLOR_SUCCESS

gprintf " OK "

[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL

echo -n "]"

echo -ne "\r"

return 0

}

echo_failure() {

[ "$BOOTUP" = "color" ] && $MOVE_TO_COL

echo -n "["

[ "$BOOTUP" = "color" ] && $SETCOLOR_FAILURE

gprintf "FAILED"

[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL

echo -n "]"

echo -ne "\r"

return 1

}

echo_passed() {

[ "$BOOTUP" = "color" ] && $MOVE_TO_COL

echo -n "["

[ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING

gprintf "PASSED"

[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL

echo -n "]"

echo -ne "\r"

return 1

}

echo_warning() {

[ "$BOOTUP" = "color" ] && $MOVE_TO_COL

echo -n "["

[ "$BOOTUP" = "color" ] && $SETCOLOR_WARNING

gprintf "WARNING"

[ "$BOOTUP" = "color" ] && $SETCOLOR_NORMAL

echo -n "]"

echo -ne "\r"

return 1

}

# Log that something succeeded

success() {

gprintf_msg_rest "$@"

if [ -z "$IN_INITLOG" ]; then

initlog $INITLOG_ARGS -n $0 -s "$GPRINTF_MSG" -e 1

else

# silly hack to avoid EPIPE killing rc.sysinit

trap "" SIGPIPE

echo "$INITLOG_ARGS -n $0 -s \"$GPRINTF_MSG\" -e 1" >&21

trap - SIGPIPE

fi

[ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_success

return 0

}

# Log that something failed

failure() {

rc=$?

gprintf_msg_rest "$@"

if [ -z "$IN_INITLOG" ]; then

initlog $INITLOG_ARGS -n $0 -s "$GPRINTF_MSG" -e 2

else

trap "" SIGPIPE

echo "$INITLOG_ARGS -n $0 -s \"$GPRINTF_MSG\" -e 2" >&21

trap - SIGPIPE

fi

[ "$BOOTUP" != "verbose" -a -z "$LSB" ] && echo_failure

return $rc

}

# Log that something passed, but may have had errors. Useful for fsck

passed() {

rc=$?

gprintf_msg_rest "$@"

if [ -z "$IN_INITLOG" ]; then

initlog $INITLOG_ARGS -n $0 -s "$GPRINTF_MSG" -e 1

else

trap "" SIGPIPE

echo "$INITLOG_ARGS -n $0 -s \"$GPRINTF_MSG\" -e 1" >&21

trap - SIGPIPE

fi

[ "$BOOTUP" != "verbose" ] && echo_passed

return $rc

}

# Run some action. Log its output.

action() {

gprintf_msg_rest "$@"

echo -n "$GPRINTF_MSG "

# libsafe support

if [ -r /etc/sysconfig/system ] && grep -q '^LIBSAFE=yes$' /etc/sysconfig/system && [ -r /lib/libsafe.so.2 ]; then

LD_PRELOAD=/lib/libsafe.so.2

export LD_PRELOAD

fi

initlog $INITLOG_ARGS -c "$GPRINTF_REST" && success "$GPRINTF_MSG" || failure "$GPRINTF_MSG"

rc=$?

echo

unset LD_PRELOAD

return $rc

}

# returns OK if $1 contains $2

strstr() {

#case "$1" in

# *${2}*) return 0 ;;

#esac

#return 1

[ "$1" = "$2" ] && return 0

slice=${1#*$2*}

[ "$slice" = "$1" ] && return 1

return 0

}

# Confirm whether we really want to run this service

confirm() {

gprintf "Start service %s (Y)es/(N)o/(C)ontinue? [Y] \n" $1

local YES=`gprintf "yY"`

local NOT=`gprintf "nN"`

local CNT=`gprintf "cC"`

read answer

if strstr "$YES" "$answer" || [ "$answer" = "" ] ; then

return 0

elif strstr "$CNT" "$answer" ; then

return 2

elif strstr "$NOT" "$answer" ; then

return 1

fi

confirm $*

}

initsplash() {

[[ -f /etc/sysconfig/bootsplash ]] && source /etc/sysconfig/bootsplash

[[ -n $SPLASH ]] && splash_rc=$SPLASH

[[ -n $THEME ]] && theme=$THEME

[[ -x /sbin/splash.sh ]] || splash_rc=no

if [[ -e /proc/splash ]]; then

grep -q off /proc/splash && splash_rc=no

else

splash_rc=no

fi

splash_cfg=/etc/bootsplash/

[[ $splash_rc != "no" && $splash_rc != "No" && $splash_rc != "NO" ]] && export splash_rc=yes

[[ -d $splash_cfg/themes ]] || splash_rc=

if [[ $splash_rc = "yes" && -n $theme ]];then

[[ ! -d $splash_cfg/themes/$theme ]] && theme=Mandrake

function box() { true; } # ignore box descriptions in the config file

tmpval=$LOGO_CONSOLE

if [ -f /etc/bootsplash/themes/$theme/config/bootsplash-`fbresolution`.cfg ]; then

. /etc/bootsplash/themes/$theme/config/bootsplash-`fbresolution`.cfg

fi

if [[ $tmpval != "theme" ]];then

LOGO_CONSOLE=$tmpval

fi

fi

if [[ -z "$1" ]]; then

set `/sbin/runlevel`

runlevel=$2

previous=$1

else

runlevel=5

previous=N

fi

nbservices=0

#

# for small dir, it is faster than echo /etc/rc$runlevel.d/* | wc -w

#

for i in /etc/rc$runlevel.d/*

do

a=$[nbservices++]

done

for i in /etc/rc$runlevel.d/*.rpm*

do

a=$[nbservices--]

done

a=$[nbservices++]

# this is the number of step in rc.sysinit, could be ajusted

[[ "$previous" = "N" ]] && nbservices=$(($nbservices+7)) && progress=6

export nbservices res progress text_x text_y text_color text_size splash_rc LOGO_CONSOLE

}

rc_splash() {

[[ "$splash_rc" = "yes" ]] || return

if [[ -n "$2" ]]; then

progress=$2

else

a=$[progress++]

fi

LANGUAGE=$LANGUAGE /sbin/splash.sh "$1"

}

#!/bin/bash

#

# sqlsyslogd This is a daemon that takes syslog-ng input and pipe it into

# a MySQL database.

#

# chkconfig: 2345 92 10

# description: sqlsyslogd bridges syslog-ng and mysql.

# author: Josh Kuo Thu 2004/08/12 13:21:56 PDT

. /etc/rc.d/init.d/functions

case "$1" in
start)
    # create the fifo if it is missing (-x tested for "executable", which a
    # fifo never is, so the original either did nothing or ran mkfifo on a
    # path that already existed)
    if [ ! -p /tmp/mysql.pipe ]; then
        mkfifo /tmp/mysql.pipe
    fi
    # if the service is already running, do not start another one
    PIDS=`pidofproc mysql`
    if [ "$PIDS" ]; then
        gprintf "sqlsyslogd is already running.\n"
        exit 1
    fi
    # the password is visible in ps output; a ~/.my.cnf for the feeder user is safer
    mysql -u DBUSERNAME --password=PASSWORD DBNAME < /tmp/mysql.pipe &
    ;;
stop)
    killproc mysql
    ;;
*)
    gprintf "Usage: sqlsyslogd {start|stop}\n"
    exit 1
esac
exit 0

```
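The pasted docs build the INSERT as a text template and push it through a fifo into the `mysql` client, which is why `template-escape(yes)` matters: anything in `$MSG` or `$PROGRAM` comes from whatever wrote the log line, including the username an SSH attacker typed. The block below is an added example, not from the vermeer.org document or from syslog-ng, that reproduces the same `logs` table and template in SQLite so it runs offline, and shows what a quote in a log message does with and without escaping. It is an approximation: SQLite is used in place of MySQL, and `sql_escape` doubles single quotes (the SQL-standard form SQLite accepts) where syslog-ng emits backslash escapes for MySQL; the sample records are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample records in the shape syslog-ng's $HOST/$FACILITY/
# $PRIORITY/$PROGRAM/$MSG macros would yield. The last message carries an
# attacker-chosen SSH username containing a quote and a second statement.
SAMPLE_RECORDS = [
    ("gw", "auth", "info", "sshd", "Accepted publickey for pengu64 from 192.168.1.20 port 51022 ssh2"),
    ("gw", "auth", "info", "sshd", "Failed password for root from 10.0.0.7 port 4001 ssh2"),
    ("gw", "auth", "info", "sshd", "Failed password for root from 10.0.0.7 port 4002 ssh2"),
    ("gw", "auth", "info", "sshd", "Failed password for invalid user x'); DROP TABLE logs; -- from 10.0.0.7 port 4003 ssh2"),
]

# A cut-down version of the table from the pasted docs (SQLite spelling).
SCHEMA = """
CREATE TABLE logs (
  host varchar(32), facility varchar(10), priority varchar(10),
  program varchar(15), msg text,
  seq integer PRIMARY KEY AUTOINCREMENT
);
"""


def sql_escape(value):
    """Stand-in for template-escape(yes): neutralise quote characters inside
    a macro value. syslog-ng writes backslash escapes (\\') for MySQL; SQLite
    only understands the SQL-standard doubled quote, so that is used here."""
    return value.replace("'", "''")


def build_insert(rec, escape=True):
    """Render the INSERT the same way the syslog-ng template does: by pasting
    macro values straight into a statement string."""
    host, facility, priority, program, msg = rec
    if escape:
        host, facility, priority, program, msg = (sql_escape(v) for v in rec)
    return ("INSERT INTO logs (host, facility, priority, program, msg) "
            f"VALUES ('{host}', '{facility}', '{priority}', '{program}', '{msg}');")


def ingest(records, escape=True):
    """Load records into a fresh in-memory DB the way the fifo reader feeds the
    mysql client: each rendered statement is raw text executed as-is.
    executescript, like `mysql < pipe`, runs however many statements it is
    handed, which is what makes an unescaped quote dangerous."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for rec in records:
        conn.executescript(build_insert(rec, escape))
    return conn


def table_survives(conn):
    """True if the logs table still exists after ingestion."""
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='logs'"
    ).fetchone()[0] == 1


def failed_logins(conn):
    """The kind of search the php-syslog-ng front end exists for: failed
    password attempts grouped by source address."""
    rows = conn.execute(
        "SELECT msg FROM logs WHERE program='sshd' AND msg LIKE 'Failed password%'"
    ).fetchall()
    counts = {}
    for (msg,) in rows:
        m = re.search(r" from (\S+) port", msg)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    safe = ingest(SAMPLE_RECORDS, escape=True)
    print("escaped:  table present =", table_survives(safe), failed_logins(safe))
    unsafe = ingest(SAMPLE_RECORDS, escape=False)
    print("unescaped: table present =", table_survives(unsafe))
```

With escaping on, all four rows land intact and the search reports three failures from 10.0.0.7; with escaping off, the fourth message closes the string and the `DROP TABLE logs` rides along into the database. The same applies to the MySQL user the feeder logs in as: it only needs INSERT on `syslog.logs`, so even a statement that does slip through cannot drop anything.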

----------

## InsaneHamster

I'm going to keep trying at it, but currently I am only able to log in as "root"; it won't accept the admin or guest account?

I do not know which related files to change other than what it states in the 'Gentoo MySQL starting guide'.

And when I tried to type in the script to start it, it would give me errors in MySQL when logged in.

I emerged mysql-administrator and mysql-query-browser as the front end..... I can log in fine?

----------

## think4urs11

http://gentoo-wiki.com/HOWTO_setup_PHP-Syslog-NG

----------

## Maedhros

Moved from Installing Gentoo to Networking & Security.

----------

## grimm26

To ease your administration of mysql, you might also want to install phpmyadmin, a web front end to mysql.  I haven't looked at that wiki, but here are my init scripts for this implementation:

syslog2mysql (the feeder into mysql that syslog-ng d_mysql destination feeds into):

```

#!/sbin/runscript
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

PIPE=/var/log/mysql.pipe
PIDFILE=/var/run/mysqlpipe.pid

depend() {
        need mysql
        provide mysqlpipe
}

start () {
        ebegin "Starting mysql syslogfeeder pipe."
        if [ ! -p "${PIPE}" ]
        then
                mkfifo "${PIPE}"
        fi
        # record the feeder's pid so that stop() can find it; without
        # --make-pidfile the --pidfile used in stop() would never exist
        start-stop-daemon --start --background \
                --make-pidfile --pidfile "${PIDFILE}" \
                --exec /etc/syslog-ng/syslog2mysql.sh
        eend $?
}

stop () {
        ebegin "Killing mysql pipe."
        if [ -f "${PIDFILE}" ]
        then
                start-stop-daemon --stop --pidfile "${PIDFILE}"
        fi
        eend $?
}

```

Then in the syslog-ng init script, add mysqlpipe as a 'need' in the depend function:

```

depend() {

        # Make networking dependency conditional on configuration

        case $(sed 's/#.*//' /etc/syslog-ng/syslog-ng.conf) in

                *source*tcp*|*source*udp*|*destination*tcp*|*destination*udp*)

                        need net ;;

        esac

        need clock hostname mysqlpipe

        provide logger

}

```

----------

## InsaneHamster

 *grimm26 wrote:*   

> To ease your administration of mysql, you might also want to install phpmyadmin, a web front end to mysql.  I haven'y looked at that wiki, but here are my init scripts for this implementation:
> 
> syslog2mysql (the feeder into mysql that syslog-ng d_mysql destination feeds into):

 

I would personally like to thank you for taking the time and helping me out, and anyone else who has...... I 'tip my hat to you' for the work you all accomplish.

This is my first time ever dealing with something like this (until ~yesterday I always ran my system as r00t   :Embarassed:  with no security, just extreme focus on perfect hardware configuration and desktop basics (gaming Linux n00b who loves Fluxbox as his main everyday WM and GUI (personally I can't work with anything else; must be the skitzo))).

So anyways, OK, so I was messing around with it some more. I'm at the point where I'm using the following 'configurations' 

 :Surprised:  (I understand it is bleeding edge, I assume, and hope it is, because this entire experience has given me such a rush of satisfaction that games and a desktop system have not   :Shocked:  )

```

pengu64@localhost /etc $ sudo /etc/init.d/apache2 restart

 * Caching service dependencies ...                                                                        [ ok ]

 * Stopping apache2 ...                                                                                          [ ok ]

 * Starting mysql syslogfeeder pipe. ...                                                                   [ !! ]

 * Starting apache2 ...                                                                                           [ ok ]

pengu64@localhost /etc $ 

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild   R   ] net-www/apache-2.0.55  USE="apache2 ssl threads -debug -doc -ldap -mpm-leader -mpm-peruser -mpm-prefork -mpm-threadpool -mpm-worker -no-suexec -static-modules" 0 kB 

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild   R   ] dev-lang/php-5.1.1  USE="apache2 berkdb* bzip2 cgi crypt exif gd gdbm gmp ipv6 java-external mhash mysql ncurses nls pcre pic readline snmp spell ssl threads truetype xml xmlreader xmlrpc xpm xsl zlib -apache -bcmath -calendar -cdb -cjk -cli -ctype -curl -curlwrappers -db2 -dba* -dbase -debug -discard-path -doc -fastbuild -flatfile -force-cgi-redirect -ftp -gd-external -hardenedphp -hyperwave-api -iconv -imap -inifile -interbase -iodbc -kerberos -ldap -libedit -mcve -memlimit -ming -msql -mssql -mysqli -oci8 -odbc -pcntl -pdo -pdo-external -pear -posix -postgres -qdbm -recode -sapdb -sasl -session* -sharedext -sharedmem -simplexml -soap -sockets -spl -sqlite -sysvipc -tidy -tokenizer -vm-goto -vm-switch -wddx -yaz -zip" 0 kB 

Total size of downloads: 0 kb

```

And when I log into http://localhost/ with the Apache main site, it works; http://localhost/php-syslog-ng/index.php?pageId=login comes up perfectly as a website.

 

Below is what it says on the main page   :Question: 

```

Warning: mysql_pconnect() [function.mysql-pconnect]: Access denied for user 'sysloguser'@'localhost' (using password: YES) in /usr/htdocs/php-syslog-ng/includes/common_funcs.php on line 193

php-syslog-ng

Network Syslog Monitor    Wednesday January 18th, 2006 - 10:33:59

Your IP: 127.0.0.1

LoginHelpAbout  

A database connection problem was encountered.

Please check config/config.php to make sure everything is correct and make sure the MySQL server is up and running.

```

So I can connect, with amazing self-linkage to the page from just a directory   :Confused:  amazing, I never had to configure this.....   :Shocked: 

```
http://localhost/php-syslog-ng/index.php?pageId=login
```

however at this point i am having problems with the following things. for one i have various apache "main directories and do know know which it is using lol which is recent and what not" /usr/htdocs or /var/www/localhost/htdocs  or /usr/lib64/apache2 ( i changed so many httpd.conf and config files i can updatedb and 'locate' 5 different ones in the system)

i follow the http://gentoo-wiki.com/Index:Apache2 ~ but the others are still there for main files and configuration

i do not know WHICH exact configuration dir or file to use (i made the mistake of first screwing with apache1 which i could also log into but no php support (this was dev-php/php-4 and mod_php i think)  that is why i moved to apache2 with php5(dev-lang/php)  which works flawlessly ? i assume im a n00b   :Razz:  ) so from this point of view the mysql configuration needs tweaking and certain files which are all over the place im gona have to do a updatedb and find all the random sql crap from various installs (however i do not know what to look for) 

(i used like 4-5 different wiki documents and documents on setting it up so its all TWACKED but i assume the newest one works best)

plus i have like 5 database's cause i was testing out how they work and reading on basic applications and how it runs. (couldnt delete some ?)

i have no clue how to solve my mysql problem (5.0.18 ) this problem stems from rougly 5-6 different "login" accounts with various privillages i have no clue which is what and where aka root admin user which have what password which file changes it (theres like 5 different ones i changed with all different passwords im at this point offically lost other then being able to log into mysql CLI with  what i assume is root(sudo mysql via my user account pengu64) )  :Embarassed: 

i changed my hostname to localhost and domain name to www.test.net and such because i had problems at the start and was getting confuzled with my amd64 gentoo hostnames /etc/host file n such and apache1 had problems

(apache2 is now running  :Cool:  i got rid of apache1......... just some background history incase it helps   :Embarassed:  i cant stand such sloppy disrespectfull work but i love what i learn from it for the future from it  :Razz:  and the fact that this for no reason random project gave me a feeling of accomplishment

 is amazing i thank you all)

so my dumbed down to the point random questions would be

a)how do i redo and clear my entire mysql database to start all over with syslog using what i assume is the wiki which was posted (proper documentation to use)

b)clear all accounts and a good documentation and practice on how to run and setup a database professionally(a book, internet site, some sort of mirc channel, this is too interesting structure of storage of data to learn about, just incredible acctually so now when my teacher told me back then you will one day need math i would shake his hand now....)

c) Init scripts will all have to be redone, cause they're randomly all over the place; I didn't know where to put them or what to run them as

d) some dirs were root chmod 777 out of trial and error, to allow access to the dir when officially, initially, the switch from apache1 to apache2 was made because of not understanding which dir was being used. What kind of security threat is this? And such on random directories throughout my computer (not random, but well, 3-4 different online documentations' directories were used and changed; not main ones, I hope, but just ones which are apache/php and store executable scripts for php)

d) when I log into mysql-administrator with a server name of localhost and I go to 'user administrator' it automatically kills the process with

```
pengu64@localhost ~ $ sudo mysql-administrator
/usr/bin/mysql-administrator: line 18: 24775 Segmentation fault      $PRG-bin
```

and the same thing if I go to "startup parameters": it gives me 5 options, and if I click cancel it exits with

```
pengu64@localhost ~ $ sudo mysql-administrator
** (mysql-administrator-bin:24813): CRITICAL **: void MGFileBrowserList::get_row_object(const Gtk::TreeIter&, std::string&): assertion `iter' failed
Warning: The option character-set-server is not known. Please file a bug report if this is a valid option.
Warning: The option skip-locking is not known. Please file a bug report if this is a valid option.
*** glibc detected *** free(): invalid pointer: 0x0000000000f58ac5 ***
/usr/bin/mysql-administrator: line 18: 24813 Aborted                 $PRG-bin
```

and if it doesn't exit, it allows me to edit some of those while starting out first, and they're not close to adequate in being in correct form.

```
pengu64@localhost ~ $ sudo sh ./syslog_mysql.sh
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
ERROR 1045 (28000): Access denied for user 'syslogadmin'@'localhost' (using password: NO)
```

ok, I can wrap my head around the fact that I need to change a file and database for the 'syslogadmin'@'localhost' problem. However, at this point, with all I've tested and been through, I'm lost. Don't know which one to do properly, and wouldn't want to change different various versions which are not correct, which might lead to a bad habit or just plain trial and error.

I'll stop there for now; I realize I am going to have to learn to do this myself. However, I ask for some more assistance in the aspect of what direction I should take to not have sloppy work.

thank you very much

EDIT: going to try phpmyadmin right now :Cool: it works. However, it will not allow me to log in, and now I am unable to sudo into mysql at all from my user account; it says

```
pengu64@localhost /var/www/localhost $ sudo mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
pengu64@localhost /var/www/localhost $ users
pengu64 pengu64 pengu64 pengu64 pengu64 pengu64 pengu64 pengu64 pengu64 pengu64 pengu64 pengu64
```

----------

## InsaneHamster

I have gone back to the basics and figured out that syslog-ng was not correctly configured.

my problem lies within that, in the database .....

for now I gotta figure out what that is and how that works. From there I must re-change some init.d files and such. There is so much to go over

 *Quote:*   

> 
> 
> # grant rights to user syslogadmin for backup purpose
> 
> REVOKE ALL PRIVILEGES ON syslog.* FROM syslogadmin@localhost;
> ...

 

EDIT:

I am able to log in now; however, I get the following message. Still working on it ...

```
Query failed: Table 'syslog.users' doesn't exist
```

----------

## InsaneHamster

it's coming along one by one.... I now know syslog-ng is good, other than that

```
Query failed: Table 'syslog.users' doesn't exist
```

error. So I decided it was database time. I added database groups like mysql and snort to my user account and root? I don't know if I should ... but to help things the first time around, I figured I didn't wanna deal with it. Now I can successfully log into and out of the SQL database. I guess I just have to redo all the databases and the users allowed to use them, then the syslog.users problem, then the phpmyadmin (not knowing the password to log in) problem. It's coming.... (snort has a php interface too; I decided on the test to test it. It came close, almost)

 *Quote:*   

> 
> 
> localhost init.d # /etc/init.d/syslog-ng restart
> 
>  * Caching service dependencies ...                                       [ ok ]
> ...

 

 *Quote:*   

> 
> 
> Password for user  to connect to MySQL: 
> 
> ######################################################################
> ...

 

----------

## InsaneHamster

uhmm, I did something with my group file which disallows me to log into X as a user, or it fails?

```
  GNU nano 1.3.10          File: /etc/group

root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
tty:x:5:
disk:x:6:root,adm
lp:x:7:lp
mem:x:8:
kmem:x:9:
wheel:x:10:root,pengu64
floppy:x:11:root,pengu64
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
man:x:15:man
cron:x:16:cron
console:x:17:
audio:x:18:pengu64
cdrom:x:19:pengu64
dialout:x:20:root
ftp:x:21:
sshd:x:22:
at:x:25:at
tape:x:26:root
video:x:27:root,pengu64
squid:x:31:squid
gdm:x:32:gdm
xfs:x:33:xfs
games:x:35:pengu64
named:x:40:named
mysql:x:60:root
postgres:x:70:
cdrw:x:80:
nut:x:84:
usb:x:85:
vpopmail:x:89:
users:x:100:games,mysql
nofiles:x:200:
qmail:x:201:
postfix:x:207:
postdrop:x:208:
smmsp:x:209:smmsp
portage:x:250:portage
utmp:x:406:
nogroup:x:65533:
nobody:x:65534:
locate:x:245:
rpc:x:111:
plugdev:x:407:
scanner:x:408:

[quote]
personally I think it was here; it was either this

messagebus:x:409::x:1000:

or

messagebus:x:409:
:x:1000:

or even something else

x:1000:

or

syslog:x:1000:

??????????
[/quote]

tenshi:x:1001:
apache:x:81:
snort:x:1002:root
```
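The poster's guess is that one of the hand-typed lines around `messagebus` is malformed. A format check over the file makes that visible. The script below is an added example, not something from the thread or from shadow-utils (the stock tool for this job is `grpck`, and `gpasswd`, mentioned later in the thread, avoids hand edits altogether). It checks each line for exactly four colon-separated fields (`name:password:gid:members`), a sane group name, a numeric gid, no empty member names, and duplicate names or gids. The sample input is constructed: a few well-formed lines in the poster's layout plus the candidate lines the poster listed.

```python
"""Format check for /etc/group entries (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: well-formed lines in the poster's layout, plus the
# candidate lines the poster suspects, including the doubled-up one.
SAMPLE_GROUP = """\
root:x:0:root
wheel:x:10:root,pengu64
mysql:x:60:root
users:x:100:games,mysql
messagebus:x:409::x:1000:
:x:1000:
syslog:x:1000:
tenshi:x:1001:
apache:x:81:
snort:x:1002:root
"""

# Conservative group-name rule: lowercase or underscore start, then [a-z0-9_-].
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def check_group_file(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, problem) for each malformed or suspicious line.

    Checks: exactly four colon-separated fields (name:password:gid:members),
    a well-formed name, a numeric gid, no empty member names, and no
    duplicate names or gids.  Blank lines are ignored.
    """
    problems: List[Tuple[int, str]] = []
    seen_names: Dict[str, int] = {}
    seen_gids: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 4:
            problems.append((lineno, f"expected 4 fields, found {len(fields)}: {line!r}"))
            continue  # the remaining checks assume the layout is right
        name, _password, gid, members = fields
        if not NAME_RE.match(name):
            problems.append((lineno, f"invalid group name {name!r}"))
        if not gid.isdigit():
            problems.append((lineno, f"non-numeric gid {gid!r} in group {name!r}"))
        elif gid in seen_gids:
            problems.append((lineno, f"gid {gid} already used by group {seen_gids[gid]!r}"))
        else:
            seen_gids[gid] = name
        if name in seen_names:
            problems.append((lineno, f"duplicate group name {name!r} (first on line {seen_names[name]})"))
        else:
            seen_names[name] = lineno
        if members and any(m == "" for m in members.split(",")):
            problems.append((lineno, f"empty member name in group {name!r}: {members!r}"))
    return problems


def report(text: str) -> int:
    """Print one line per problem and return the count (0 means the file is clean)."""
    found = check_group_file(text)
    for lineno, msg in found:
        print(f"line {lineno}: {msg}")
    return len(found)


if __name__ == "__main__":
    import sys
    # Usage: python check_group.py [/etc/group]; without a path the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GROUP
    sys.exit(1 if report(data) else 0)
```

On the sample it flags line 5 (seven fields instead of four), line 6 (empty group name) and line 7 (gid 1000 already taken by the nameless entry), which is exactly the region the poster was unsure about.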

----------

## kamikaze04

Mmmm.. I gave a try to phpsyslogng and I really like it. But I found a thing that I don't like:

With phpsyslogng I can see all the logs generated with syslog-ng, but I would really like to see my apache logs, which don't use syslog to log in /var/log. So, is there any way to do that?

The same happens if I want to check qmail, mysql logs :Sad:

Any clue?

----------

## InsaneHamster

 *kamikaze04 wrote:*   

> Mmmm.. I gave a try to phpsyslogng and I really like it. But I found a thing that I don't like:
> 
> With phpsyslogng I can see all the logs generated with syslog-ng, but I would really like to see my apache logs, which don't use syslog to log in /var/log. So, is there any way to do that?
> 
> The same happens if I want to check qmail, mysql logs 
> ...

 

lol, no clue personally, unless there is a way to point apache to log to /var/log?

I'm reinstalling my system from scratch so I can do a better job this time :Cool:

being sloppy and editing the /etc/group file was dumb; I'll stick with gpasswd from now on

----------

## kamikaze04

I did some research.

As it seems, it is possible to make syslog-ng log apache instead of its own system of logging (from apache)

Look at:

http://deb.riseup.net/logging/apache/

http://deb.riseup.net/logging/config/

But i wasn't able to make it work.

I have to do it, because it could be very useful to watch apache logs also with phpsyslogng

----------

## kamikaze04

Yeah, it is possible to do it. My syslog-ng.conf and my httpd.conf:

```
filter f_apache { program("apache"); };

log {   source(src); filter(f_apache);
        destination(d_apache); destination(syslog); destination(d_mysql);
        flags(final);
};
```

where destinations are:

```
destination d_mysql { pipe("/var/log/mysql.pipe" template("INSERT INTO logs (ho$
destination d_apache { file("/var/log/apache2/error_log"); };
```

also, the httpd.conf should look like this:

```
ErrorLog syslog-ng
```

Now I can use phpsyslogng to look at my apache error_log
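The log path above does two things: the `program("apache")` filter selects records by program name (syslog-ng's `program()` takes a regex, which is why `apache` also catches `apache2`), and the `d_mysql` pipe hands each record to a reader that inserts it into the `logs` table. The script below is an added example, not kamikaze04's config or php-syslog-ng's own pipe reader: it emulates that routing in Python for a handful of constructed syslog lines, using a `program()`-style filter for apache and a `match()`-style filter of the kind kamikaze04 later mentions for iptables. sqlite3 stands in for MySQL so it runs offline, and the column set is an assumption loosely following the `logs` table named in the post. Values are passed as query parameters rather than spliced into SQL text inside a template, so a log message containing quotes is stored verbatim.

```python
"""Route syslog lines into a php-syslog-ng style 'logs' table.

Added example; not code from the thread or from php-syslog-ng.  sqlite3
stands in for MySQL, and the column set is an assumption.
"""
import re
import sqlite3
from typing import Callable, Dict, List, Optional, Tuple

# BSD syslog line as syslog-ng's default file template writes it:
# "Mon DD HH:MM:SS host program[pid]: message"   (the [pid] part is optional)
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

Record = Dict[str, object]
Filter = Callable[[Record], bool]


def parse_syslog_line(line: str) -> Optional[Record]:
    """Split one syslog line into fields; None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec: Record = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def program_filter(pattern: str) -> Filter:
    """Like syslog-ng program(): regex on the program name ("apache" hits "apache2")."""
    return lambda rec: re.search(pattern, str(rec["program"])) is not None


def match_filter(pattern: str) -> Filter:
    """Like syslog-ng match(): regex on the message text."""
    return lambda rec: re.search(pattern, str(rec["msg"])) is not None


# Assumed table layout (host/program/msg are the columns visible in the post).
SCHEMA = """CREATE TABLE IF NOT EXISTS logs (
    id INTEGER PRIMARY KEY AUTOINCREMENT, host TEXT NOT NULL, datetime TEXT NOT NULL,
    program TEXT NOT NULL, pid INTEGER, tag TEXT NOT NULL, msg TEXT NOT NULL);"""


def load_logs(lines: List[str], conn: sqlite3.Connection,
              filters: List[Tuple[str, Filter]]) -> int:
    """Store every parsable line that passes a filter; return how many were stored.

    The first matching filter's name becomes the row's tag, the way a log path
    with flags(final) stops at its first match.  Placeholders carry the values,
    so quotes or semicolons in a message never become part of the SQL text.
    """
    conn.executescript(SCHEMA)
    stored = 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        tag = next((name for name, keep in filters if keep(rec)), None)
        if tag is None:
            continue
        conn.execute(
            "INSERT INTO logs (host, datetime, program, pid, tag, msg) VALUES (?, ?, ?, ?, ?, ?)",
            (rec["host"], rec["ts"], rec["program"], rec["pid"], tag, rec["msg"]),
        )
        stored += 1
    conn.commit()
    return stored


def count_by_tag(conn: sqlite3.Connection) -> Dict[str, int]:
    """Per-tag row counts, the kind of summary a web front end would show."""
    return dict(conn.execute("SELECT tag, COUNT(*) FROM logs GROUP BY tag"))


# Constructed sample lines; not captured from any real host.
SAMPLE_LINES = [
    "Jan 16 00:13:22 localhost apache2[24813]: [error] [client 10.0.0.5] "
    "File does not exist: /var/www/localhost/htdocs/favicon.ico",
    "Jan 16 00:13:23 localhost apache2[24813]: [error] [client 10.0.0.5] "
    "client denied by server configuration: /var/www/localhost/htdocs/it's-private",
    "Jan 16 00:13:40 localhost kernel: iptables denied: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP DPT=22",
    "Jan 16 00:14:01 localhost cron[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog at all",
]

FILTERS: List[Tuple[str, Filter]] = [
    ("apache", program_filter("apache")),
    ("iptables", match_filter("iptables")),
]


def run_demo() -> Tuple[int, Dict[str, int], str]:
    """Load the sample into an in-memory DB; return (stored, counts, apostrophe message)."""
    conn = sqlite3.connect(":memory:")
    stored = load_logs(SAMPLE_LINES, conn, FILTERS)
    counts = count_by_tag(conn)
    (quoted_msg,) = conn.execute("SELECT msg FROM logs WHERE msg LIKE '%private%'").fetchone()
    conn.close()
    return stored, counts, quoted_msg


if __name__ == "__main__":
    print(run_demo())
```

Of the five sample lines, the two apache2 records and the kernel iptables record are stored (tags `apache` and `iptables`), the cron line matches no filter and is dropped, and the non-syslog line is rejected by the parser; the message containing `it's-private` comes back from the table unchanged.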

----------

## grimm26

OK, I haven't read through all of your posts now, but you should probably back down on the version of stuff you are using and stick to the stable versions.  You don't need to be running PHP5 and you don't need to be running MySQL 5.  Are you running ~x86 for everything?  Generally a bad idea for a n00b (or anyone IMHO).  I think you are trying to do way too much at once.  You'll be tripping over software problems as well as your own misconfigurations if you try to walk the bleeding edge without getting it all working on stable versions first.

----------

## InsaneHamster

 *grimm26 wrote:*   

> OK, I haven't read through all of your posts now, but you should probably back down on the version of stuff you are using and stick to the stable versions.  You don't need to be running PHP5 and you don't need to be running MySQL 5.  Are you running ~x86 for everything?  Generally a bad idea for a n00b (or anyone IMHO).  I think you are trying to do way too much at once.  You'll be tripping over software problems as well as your own misconfigurations if you try to walk the bleeding edge without getting it all working on stable versions first.

 

this previous configuration I was running php5 and mysql5 (it was all bleeding edge, ~amd64 2005.1 profile)

it worked fine :Very Happy: I got lost in the middle with all the different versions I tried and documentation I was reading, as it wasn't, how would I put this, unified(?); all the various docs had me changing all sorts of different files in different locations, which caused this confusion

anyways, right now I'm starting an entirely new system using a user account to hopefully have it secure..... once again I am going ~amd64 (which is x86_64, same as last time). I wanna use bleeding edge because I wanna know the newest version; no point in learning something old, right?

I think I can handle the software problems (~hopefully, I have high hopes) and the configuration I'm going to try to do again, this time properly, one thing at a time, right from the beginning.

I should be ready to go.... give or take, it's 50 minutes away from finishing stage 1 'emerge -e system', so probably around 1-2 am I will again be good to go, as far as the system being up and running securely, before starting to install the server

I managed to catch a nap during the scripts/bootstrap and system.... so I'm good to go again :Laughing:

and if it fails horribly, terribly, as far as the software side goes, I'll go to Stable for the server and try it that way... but I'm hoping no software problems will arrive, cause last time they didn't, other than the admin program

just wanted to add that my system usually runs in the ~60 processors range, and when I had the server with mysql, apache, php5 and syslog/admin and all that good stuff + snort and such, it was up to 130 processors in fluxbox and running smooth.... no problems :Surprised: oh, and I was able to log into myphpadmin also

Last edited by InsaneHamster on Mon Jan 16, 2006 12:13 am; edited 2 times in total

----------

## InsaneHamster

 *kamikaze04 wrote:*   

> I did some research.
> 
> As it seems, it is possible to make syslog-ng log apache instead of its own system of logging (from apache)
> 
> Look at:
> ...

 

does this work for you perfectly?

so does that mean that the syslog-ng mysql database can now do everything, from all my system logs to apache logs, iptables, snort and any security pretty much needed :Shocked:

----------

## kamikaze04

Yeah, now I've got it working for apache, as I said here.

Before this, I got it working also for iptables (just the "match" pattern is enough)

----------

## InsaneHamster

 *kamikaze04 wrote:*   

> Yeah, now I've got it working for apache, as I said here.
> 
> Before this, I got it working also for iptables (just the "match" pattern is enough)

 

my system is fully reinstalled and I got mysql up again, 5.0.18

probably within a couple of hours I'll get to apache and trying iptables, and also the apache logs with it.... :Razz:

----------

