In this blog post I'll go over setting up and configuring syslog-ng on CentOS 7 inside a Linux Container. We'll be using native Linux containers, not Docker, or anything else – just LXD as the container hypervisor and LXC as the container architecture.
Please make sure you have LXD and LXC setup and configured before proceeding with the remaining steps. You can find a link in the references section below on how to get started with LXC and LXD.
Here's what our infrastructure looks like on our host system running LXD:
We'll set up syslogng1 as the syslog-ng server and two syslog-ng clients on web2. The two client servers will forward their logs to the syslog-ng server over TCP or UDP.
This process is what's known as centralized logging. You want to send all your logs to an offsite location so that, if an incident occurs on one or more of the client systems, the logs are preserved. It also helps prevent log tampering on a compromised server, since an attacker who gains root on a client cannot alter the copies already shipped to the log server.
With that being said, the syslog-ng server itself needs to be hardened: ideally it runs SELinux, has a strong firewall and logging policy, has a minimal number of packages installed, and is kept up to date at all times. I've included some centralized logging server hardening reading material in the references section below.
Create the container and install syslog-ng
We'll need to first create a container using CentOS 7 as its base operating system and get a root shell on the container:
lxc launch images:centos/7/amd64 syslogng1
lxc exec syslogng1 -- /bin/bash
Download and install extra packages required for syslog-ng:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh epel-release-latest-7.noarch.rpm
Add the repository containing the unofficial latest build of syslog-ng and install it:
cd /etc/yum.repos.d/
wget https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng314/repo/epel-7/czanik-syslog-ng314-epel-7.repo
yum install syslog-ng
Enable, start, check the status of syslog-ng, and remove rsyslog (optional):
systemctl enable syslog-ng
systemctl start syslog-ng
systemctl status syslog-ng
yum erase rsyslog
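The steps above, launching the container, adding EPEL and the copr repository, installing syslog-ng and enabling the service, can be run non-interactively from the host. The script below is an added example, not the post's own script: it assumes LXD/LXC are installed on the host with lxc in PATH, that the image alias and repository URLs quoted in the post are still valid, and that lxc exec accepts a script on stdin. The in-container part is kept in a separate function (guest_script) so it can be inspected before anything is executed, and a check that the service actually came up is included so a failed install does not go unnoticed.

```shell
#!/bin/sh
# Added example: provision a CentOS 7 LXD container and install syslog-ng in it.
# Assumptions: LXD/LXC present on the host, `lxc` in PATH, and the image alias
# and repository URLs from the post still resolvable.
set -eu

IMAGE="images:centos/7/amd64"
EPEL_RPM_URL="https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
COPR_REPO_URL="https://copr.fedorainfracloud.org/coprs/czanik/syslog-ng314/repo/epel-7/czanik-syslog-ng314-epel-7.repo"

# LXD container names must be valid hostnames: 1-63 characters, letters,
# digits and hyphens only, not starting or ending with a hyphen.
valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
  esac
  [ ${#1} -le 63 ]
}

# Emit the script that runs inside the container (the post's steps, made
# idempotent and non-interactive). Pure function: prints, executes nothing.
guest_script() {
  cat <<EOF
set -eu
# EPEL provides the extra packages syslog-ng needs
if ! rpm -q epel-release >/dev/null 2>&1; then
  wget -q -O /tmp/epel-release.rpm "$EPEL_RPM_URL"
  rpm -Uvh /tmp/epel-release.rpm
fi
# Unofficial syslog-ng 3.14 build from copr, the repository used in the post
cd /etc/yum.repos.d/
[ -f czanik-syslog-ng314-epel-7.repo ] || wget -q "$COPR_REPO_URL"
yum -y install syslog-ng
systemctl enable syslog-ng
systemctl start syslog-ng
# Fail loudly if the service did not come up
systemctl is-active --quiet syslog-ng
# Removing rsyslog is optional; skip silently when it is not installed
if rpm -q rsyslog >/dev/null 2>&1; then yum -y erase rsyslog; fi
syslog-ng --version | head -n 1
EOF
}

# Create the container, wait until it can resolve names, then run guest_script.
provision() {
  name="$1"
  valid_name "$name" || { echo "invalid container name: $name" >&2; return 2; }
  lxc launch "$IMAGE" "$name"
  # Fresh containers take a moment to get DNS; bound the wait at 30 seconds
  lxc exec "$name" -- sh -c 'i=0; until getent hosts dl.fedoraproject.org >/dev/null 2>&1; do i=$((i+1)); [ "$i" -ge 30 ] && exit 1; sleep 1; done'
  guest_script | lxc exec "$name" -- /bin/bash
  lxc list "$name"
  lxc exec "$name" -- systemctl status syslog-ng --no-pager
}

# Usage: RUN_PROVISION=1 sh provision.sh syslogng1
if [ "${RUN_PROVISION:-0}" = "1" ]; then
  provision "${1:-syslogng1}"
fi
```

Running guest_script on its own (without RUN_PROVISION) prints the exact command sequence that will be executed as root inside the container, which is worth reviewing before pointing it at a log server you intend to harden.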
If there were no errors, syslog-ng should now be installed inside your container. Ideally you'd want to configure a dedicated user and group (service account) for running syslog-ng, since it currently runs as root. Running commands and applications as root is not ideal in a production environment.
Now that syslog-ng is installed, enabled, and started, we need to configure it to act as a log receiver.
Using your favorite editor, run the following command:
The next post I make will have details on how to configure syslogng1 as the syslog-ng server so that syslog-ng clients can send their logs to it.