Installing syslog-ng on CentOS 7 inside a Linux Container

In this blog post I'll go over setting up and configuring syslog-ng on CentOS 7 inside a Linux Container. We'll be using native Linux containers, not Docker, or anything else – just LXD as the container hypervisor and LXC as the container architecture.

Please make sure you have LXD and LXC set up and configured before proceeding with the remaining steps. You can find a link in the references section below on how to get started with LXC and LXD.

Infrastructure

Here's what our infrastructure looks like on our host system running LXD:

NAME       STATE    IPV4                IPV6  TYPE        SNAPSHOTS
haproxy    RUNNING  10.10.10.10 (eth0)        PERSISTENT  1
mysql1     RUNNING  10.10.10.20               PERSISTENT  1
syslogng1  RUNNING  10.10.10.30               PERSISTENT  1
web1       RUNNING  10.10.10.40               PERSISTENT  1
web2       RUNNING  10.10.10.41               PERSISTENT  1

We'll be setting up syslogng1 as the syslog-ng server and setting up two syslog-ng clients on web1 and web2. We'll forward our logs on the two client servers to our syslog-ng server via TCP or UDP.

This process is what's known as centralized logging. You want to send all your logs to an offsite location in the event that an incident occurs on one or more of the client systems. It also helps to prevent any log tampering from occurring on a compromised server.

With that being said, the syslog-ng server needs to be hardened: it should ideally run SELinux, have a strong firewall and logging policy, have a minimal set of packages installed, and be kept up to date at all times. I've included some centralized logging server hardening reading material in the references section below.

Create the container and install syslog-ng

We'll need to first create a container using CentOS 7 as its base operating system and get a root shell on the container:

lxc launch images:centos/7/amd64 syslogng1
lxc exec syslogng1 -- /bin/bash

Download and install extra packages required for syslog-ng:

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh epel-release-latest-7.noarch.rpm

Add the repository containing the unofficial latest build of syslog-ng and install it:

cd /etc/yum.repos.d/
wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng314/repo/epel-7/czanik-syslog-ng314-epel-7.repo
yum install syslog-ng

Enable, start, check the status of syslog-ng, and remove rsyslog (optional):

systemctl enable syslog-ng
systemctl start syslog-ng
systemctl status syslog-ng
yum erase rsyslog

If there were no errors, syslog-ng should now be installed inside your container. Ideally you'd want to configure a dedicated user and group (service account) for running syslog-ng, since we currently have it set to run as root. Running commands and applications as root is not ideal in a production environment.

Configure syslog-ng

Now that syslog-ng is installed, enabled, and started, we need to configure it to act as a log receiver.

Using your favorite editor, open the main configuration file:

/etc/syslog-ng/syslog-ng.conf

The next post I make will have details on how to configure syslogng1 as the syslog-ng server so that syslog-ng clients can send their logs to it.
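Until then, here is an added minimal receiver configuration written for this post; it is not the author's own config. It assumes syslogng1's address 10.10.10.30 from the table above, that the copr package's syslog-ng.conf includes /etc/syslog-ng/conf.d/*.conf, and that syslog-ng 3.14 is installed.

```shell
#!/bin/sh
# Added example (not from the post): generate and check a syslog-ng
# receiver config for syslogng1. Assumes the packaged syslog-ng.conf
# includes /etc/syslog-ng/conf.d/*.conf; append to the main file otherwise.
set -eu

BIND_IP="${1:-10.10.10.30}"   # syslogng1's address from the lxc list output
LOG_ROOT="/var/log/remote"

# Print the receiver configuration for the given bind address.
gen_receiver_conf() {
cat <<EOF
@version: 3.14
@include "scl.conf"

# Bind to the container's own address rather than 0.0.0.0 so only the
# 10.10.10.0/24 side is listening. TCP is preferred (no silent loss);
# UDP is kept for clients that cannot do TCP. Neither transport encrypts
# or authenticates the sender; transport("tls") is the upgrade path.
source s_net {
    network(ip("$1") port(514) transport("tcp") max-connections(50));
    network(ip("$1") port(514) transport("udp"));
};

# One file per sending host and day, keyed on the peer's IP address
# (\${SOURCEIP}) rather than the hostname the message itself claims.
destination d_remote {
    file("$LOG_ROOT/\${SOURCEIP}/\${YEAR}-\${MONTH}-\${DAY}.log"
         create-dirs(yes) dir-perm(0750) perm(0640));
};

log { source(s_net); destination(d_remote); };
EOF
}

# Write the config and validate it before the running daemon is touched.
install_receiver_conf() {
    gen_receiver_conf "$BIND_IP" > "$1"
    syslog-ng --syntax-only && systemctl restart syslog-ng
}

# Stand-alone run: show the generated config; call
# install_receiver_conf /etc/syslog-ng/conf.d/receiver.conf to apply it.
gen_receiver_conf "$BIND_IP"
```

After restarting, a test message from web1 (logger -n 10.10.10.30 -T -P 514 test) should appear under /var/log/remote/10.10.10.40/.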

References
