Transport iptables log file to log server
===
Objective
-
Enable iptables logging on the log client and forward the log entries to the log server.
Deploy LogAnalyzer on the log server.
System environment
-
All systems use CentOS 7.6.
1. R1 (router with two network adapters; the log client)
2. log server (in the LAN)
Build iptables rules and rsyslog in R1
-
```bash
# Log inbound ICMP arriving on the LAN interface, then inbound TCP and UDP.
# --log-level notice sets the syslog priority the server filters on (kern.=notice).
iptables -A INPUT -i $LAN_INTERFACE -p icmp -j LOG --log-prefix "INPUT ICMPv4:" --log-level notice
iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT TCP:" --log-level notice
iptables -A INPUT -p udp -j LOG --log-prefix "INPUT UDP:" --log-level notice
# Log packets leaving on ens33 before they are masqueraded (the LOG rule must precede MASQUERADE).
iptables -t nat -A POSTROUTING -o ens33 -j LOG --log-level notice --log-prefix "NAT Packet:"
iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
```
The log entries are saved in /var/log/iptables.log on the log server.
Edit /etc/rsyslog.conf on R1 so that it acts as a log client and forwards every message to the log server:
```bash
*.* @192.168.0.1:514   # log server IP or FQDN; a single @ forwards over UDP to port 514
```
Enable IPv4 forwarding in /etc/sysctl.conf (R1 routes between its two adapters):
```bash
net.ipv4.ip_forward = 1
```
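The LOG rules above write kernel lines of the form `<prefix>IN=... OUT=... SRC=... DST=... PROTO=... DPT=...`. As an added example (not part of these notes), the following Python parser turns such lines from /var/log/iptables.log into records and rolls them up per prefix and source, which is the same view LogAnalyzer later presents. The sample log lines are constructed here; the function names, the interface name ens37 and the addresses in the sample are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/iptables.log as rsyslog writes it for the LOG rules above:
# "<timestamp> <host> kernel: <--log-prefix><KEY=VALUE fields from the LOG target>".
# The last line is an ordinary syslog message and must be ignored by the parser.
SAMPLE_LOG = """\
May  3 10:15:01 R1 kernel: INPUT TCP:IN=ens37 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.168.0.20 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=50012 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 10:15:02 R1 kernel: INPUT UDP:IN=ens37 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.168.0.20 DST=192.168.0.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=41000 DPT=53 LEN=52
May  3 10:15:03 R1 kernel: INPUT ICMPv4:IN=ens37 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.168.0.30 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May  3 10:15:04 R1 kernel: NAT Packet:IN= OUT=ens33 SRC=192.168.0.20 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=50013 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 10:15:05 R1 kernel: INPUT TCP:IN=ens37 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.168.0.30 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=50020 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
May  3 10:15:06 R1 systemd: Started Session 5 of user root.
"""

# syslog header, then the iptables prefix (everything up to the first colon after
# "kernel: "), then the packet fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>[^:]+):(?P<fields>.*)$"
)
# KEY=VALUE pairs; bare flags such as DF or SYN carry no "=" and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_iptables_line(line):
    """Return a dict for one iptables LOG line, or None for any other syslog line.
    Duplicate keys keep the last value (for ICMP the second ID= is the echo identifier)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "prefix": m.group("prefix")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def parse_log(text):
    """Parse a whole log file, dropping lines that are not iptables LOG output."""
    return [r for r in map(parse_iptables_line, text.splitlines()) if r is not None]


def count_by_prefix_and_source(records):
    """Roll up logged packets per (log prefix, source address)."""
    return Counter((r["prefix"], r.get("SRC", "")) for r in records)


def inbound_ports_by_source(records):
    """Destination TCP/UDP ports each source touched on the INPUT chain."""
    ports = {}
    for r in records:
        if r["prefix"].startswith("INPUT") and "DPT" in r:
            ports.setdefault(r["SRC"], set()).add(int(r["DPT"]))
    return ports


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in count_by_prefix_and_source(recs).items():
        print(key, n)
    print(inbound_ports_by_source(recs))
```

Run it against the real file with `parse_log(open("/var/log/iptables.log").read())`; the prefix is taken from everything before the first colon, so prefixes containing a colon would need a different split.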
Build rsyslog in log server
-
Edit /etc/rsyslog.conf:
```bash
# Uncomment these lines to receive syslog over UDP port 514
$ModLoad imudp
# Add this line to accept only log clients from the LAN (before $UDPServerRun so the listener uses it)
$AllowedSender UDP,192.168.0.0/24
$UDPServerRun 514
# Save kernel messages at exactly priority notice (the iptables LOG lines) in their own file
kern.=notice /var/log/iptables.log
# Keep those notices out of /var/log/messages; kern.!=notice excludes only that single priority
*.info;kern.!=notice;mail.none;authpriv.none;cron.none /var/log/messages
```
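The server-side selectors decide where each forwarded message lands, and `--log-level notice` on the LOG rules is what makes `kern.=notice` match. As an added example (not part of these notes), the following Python code decodes the `<PRI>` header of raw syslog datagrams, applies the same allow-list as `$AllowedSender UDP,192.168.0.0/24`, and routes each message the way the two selectors `kern.=notice /var/log/iptables.log` and `*.info;kern.!=notice;mail.none;authpriv.none;cron.none /var/log/messages` would. The datagrams are constructed here; the function names and the sender addresses are assumptions.

```python
import ipaddress
import re

# Facility and severity codes from RFC 3164; PRI = facility * 8 + severity.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed UDP payloads as a client forwarding with "*.* @server:514" would send them.
# <5> is kern.notice (0*8+5): exactly what "--log-level notice" on a LOG rule produces.
SAMPLE_DATAGRAMS = [
    "<5>May  3 10:15:01 R1 kernel: INPUT TCP:IN=ens37 OUT= SRC=192.168.0.20 DST=192.168.0.1 PROTO=TCP DPT=22",
    "<30>May  3 10:15:02 R1 systemd: Started Session 5 of user root.",                    # daemon.info
    "<3>May  3 10:15:03 R1 kernel: ata1.00: failed command: READ DMA",                     # kern.err
    "<86>May  3 10:15:04 R1 sshd[1200]: Accepted publickey for admin from 192.168.0.20",  # authpriv.info
    "<78>May  3 10:15:05 R1 CROND[1300]: (root) CMD (run-parts /etc/cron.hourly)",        # cron.info
]

ALLOWED_SENDERS = [ipaddress.ip_network("192.168.0.0/24")]   # $AllowedSender UDP,192.168.0.0/24
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def is_allowed_sender(addr):
    """Mirror $AllowedSender: datagrams from outside the LAN are dropped."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALLOWED_SENDERS)


def decode_pri(datagram):
    """Split a raw syslog datagram into (facility name, severity name, message)."""
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = divmod(int(m.group(1)), 8)
    if facility > 23:
        raise ValueError("invalid PRI value")
    if facility >= 16:
        name = "local%d" % (facility - 16)
    else:
        name = FACILITIES.get(facility, "facility%d" % facility)
    return name, SEVERITIES[severity], m.group(2)


def route(datagram):
    """Apply the server's two selectors and return the files the message lands in.
    "=notice" matches that single priority; "*.info" matches info and everything more
    severe; ".none" drops a facility; "kern.!=notice" removes only the iptables notices."""
    facility, severity, _ = decode_pri(datagram)
    targets = []
    is_iptables = facility == "kern" and severity == "notice"
    if is_iptables:                                   # kern.=notice /var/log/iptables.log
        targets.append("/var/log/iptables.log")
    if (SEVERITIES.index(severity) <= SEVERITIES.index("info")
            and facility not in ("mail", "authpriv", "cron")
            and not is_iptables):                     # *.info;kern.!=notice;... /var/log/messages
        targets.append("/var/log/messages")
    return targets


def receive(datagrams, sender="192.168.0.254"):
    """Simulate the server: allow-list check first, then route every accepted message."""
    if not is_allowed_sender(sender):
        return {}
    files = {}
    for d in datagrams:
        for path in route(d):
            files.setdefault(path, []).append(decode_pri(d)[2])
    return files


if __name__ == "__main__":
    for path, msgs in receive(SAMPLE_DATAGRAMS).items():
        print(path, len(msgs))
    print(receive(SAMPLE_DATAGRAMS, sender="10.0.0.5"))   # rejected by the allow-list
```

The kernel error (`<3>`) still reaches /var/log/messages, which is the reason the exclusion is written as `kern.!=notice` rather than `kern.!notice`: the latter would also drop every kernel message more severe than notice.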
Deploy LogAnalyzer in log server
-
Install Apache (httpd) and PHP.
(In this project the PHP version is 7.3; the default version shipped with CentOS 7 is 5.4.)
```bash
yum install httpd php
```
Recommended: reboot the machine after the installation finishes, otherwise LogAnalyzer will not install successfully.
Download LogAnalyzer from the official website and extract it:
```bash
wget http://download.adiscon.com/loganalyzer/loganalyzer-4.1.7.tar.gz
tar -zxvf loganalyzer-4.1.7.tar.gz
```
LogAnalyzer needs the PHP GD module to render the report images:
```bash
yum install gd gd-devel php-gd
systemctl restart httpd
```
Browse to $YOUR_SERVER_IP/loganalyzer/src/install.php to run the LogAnalyzer installer.
Use MariaDB (MySQL) to store the logs, and phpMyAdmin to manage the database
-
Install and configure MariaDB:
```bash
yum install epel-release
yum install mariadb-server php-mysql rsyslog-mysql   # rsyslog-mysql provides the ommysql output module
mysql_secure_installation                           # set the root password and remove the anonymous accounts
mysql -u root -p                                    # log in
```
In this project the phpMyAdmin version is 4.9, which needs PHP 5.5 or later.
Download the phpMyAdmin archive from the official website, extract it into /var/www, then browse to $SERVER_IP/phpmyadmin/setup to set the configuration.
```bash
mysql -u root -p logdb < /usr/share/doc/rsyslog/mysql-createDB.sql   # create the log tables from the schema shipped with rsyslog
mv config.php config.php.backup                                     # keep the old config and re-run the configuration
touch config.php
```
Edit /etc/rsyslog.conf on the log server so that the iptables notices are also written to the database:
```bash
# Load the MySQL output module
$ModLoad ommysql
# :ommysql:<database host>,<database name>,<user name>,<password>
kern.=notice :ommysql:localhost,logdb,$dbuser,$dbpassword
```
Screenshot
-
![](https://i.imgur.com/30yGy6y.png)
![](https://i.imgur.com/Cmerkeh.png)
![](https://i.imgur.com/fzN7pEO.png)
Reference
-
[Build your own LogAnalyzer log management server](https://www.netadmin.com.tw/netadmin/zh-tw/feature/899D50D1860F403DB5B138D50D21F43F?page=1)
[Detailed installation and configuration of the LogAnalyzer log analysis tool](https://www.netadmin.com.tw/netadmin/zh-tw/technology/7FEA19007FA641779EB719E77C50709E)
[CentOS Linux 7 MySQL/MariaDB database installation tutorial](https://blog.gtwang.org/linux/centos-7-install-mariadb-mysql-server-tutorial/)
[rsyslog + mysql + loganalyzer: record system logs to a database and present them through a web interface](https://ssorc.tw/1204)
---
###### tags: `log` `rsyslog` `mysql` `loganalyzer`