{"id":13587849,"url":"https://github.com/tslenter/RSX-RSC","last_synced_at":"2025-04-08T02:34:14.248Z","repository":{"id":44868454,"uuid":"230452318","full_name":"tslenter/RSX-RSC","owner":"tslenter","description":"Remote Syslog Core / X / C","archived":false,"fork":false,"pushed_at":"2022-01-30T11:24:20.000Z","size":4985,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-02-14T21:58:19.229Z","etag":null,"topics":["classic","cli","colortail","core","elasticsearch","instruction","kibana","ldap","license","php","plugins","remote","remotesyslog","rsc","rsx","syslog","syslog-ng","tail","version","website"],"latest_commit_sha":null,"homepage":"https://www.remotesyslog.com/","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tslenter.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-27T13:52:54.000Z","updated_at":"2023-11-05T06:43:36.000Z","dependencies_parsed_at":"2022-08-29T22:32:19.025Z","dependency_job_id":null,"html_url":"https://github.com/tslenter/RSX-RSC","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tslenter%2FRSX-RSC","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tslenter%2FRSX-RSC/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tslenter%2FRSX-RSC/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tslenter%2FRSX-RSC/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tslent
er","download_url":"https://codeload.github.com/tslenter/RSX-RSC/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247765017,"owners_count":20992215,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["classic","cli","colortail","core","elasticsearch","instruction","kibana","ldap","license","php","plugins","remote","remotesyslog","rsc","rsx","syslog","syslog-ng","tail","version","website"],"created_at":"2024-08-01T15:06:23.329Z","updated_at":"2025-04-08T02:34:12.854Z","avatar_url":"https://github.com/tslenter.png","language":"Shell","funding_links":["https://www.paypal.com/cgi-bin/webscr?cmd=_donations\u0026business=KQKRPDQYHYR7W\u0026currency_code=EUR\u0026source=url"],"categories":["Shell"],"sub_categories":[],"readme":"[![published](https://static.production.devnetcloud.com/codeexchange/assets/images/devnet-published.svg)](https://developer.cisco.com/codeexchange/github/repo/tslenter/RSX-RSC)\r\n[![Website remotesyslog.com](https://img.shields.io/website-up-down-green-red/http/shields.io.svg)](https://www.remotesyslog.com/)\r\n[![GitHub issues](https://img.shields.io/github/issues/Naereen/StrapDown.js.svg)](https://github.com/tslenter/RSX-RSC/issues)\r\n[![GPLv3 license](https://img.shields.io/badge/License-GPLv3-blue.svg)](http://perso.crans.org/besson/LICENSE.html)\r\n\r\n# This repository has been replaced by: \r\n# https://www.github.com/tslenter/RS. 
\r\n# Please use the new repository for installation.\r\n# New links:\r\n```\r\nNew repository:\r\nhttps://www.github.com/tslenter/RS\r\n\r\nNew documentation:\r\nhttps://remote-syslog.readthedocs.io/\r\n\r\nWebpage:\r\nhttps://www.remotesyslog.com/\r\n```\r\n\r\n# !!INFORMATION BELOW IS OUTDATED!!\r\n# !!SCRIPT AUTO REDIRECTS TO NEW REPO!!\r\n\r\n## News:\r\n10-01-2022: https://www.github.com/tslenter/RS has the Remote Syslog Classic web interface for the Remote Syslog Core ready for a test download.\r\n\r\n09-01-2022: https://www.github.com/tslenter/RS has RSCCORE for the Remote Syslog Classic ready for a test download.\r\n\r\n08-01-2022: https://www.github.com/tslenter/RS has RSX for the RSE core ready for a test download.\r\n\r\n06-01-2022: Repository has been updated. If you run into any trouble running updates, update /etc/apt/sources.list.d/syslog-ng.list with:\r\n```\r\nFor Ubuntu 20.04: deb https://cloud.remotesyslog.com/xUbuntu_20.04 ./\r\nAnd run: wget -qO - https://cloud.remotesyslog.com/xUbuntu_20.04/Release.key | /usr/bin/apt-key add -\r\nFor Ubuntu 18.04: deb https://cloud.remotesyslog.com/xUbuntu_18.04 ./\r\nAnd run: wget -qO - https://cloud.remotesyslog.com/xUbuntu_18.04/Release.key | /usr/bin/apt-key add -\r\n```\r\n\r\n28-12-2021: log4j mitigation instructions: https://github.com/tslenter/RS4LOGJ-CVE-2021-44228/\r\n\r\n11-08-2021: New version RSE in testing phase. More information: https://github.com/tslenter/RS or https://www.remotesyslog.com/en/\r\n\r\n29-07-2021: New CLI syslog viewer. More information: https://github.com/tslenter/rseview. Usable with Elasticsearch and the Remote Syslog concept. Currently in BETA.\r\n\r\n05-07-2021: Chinese webpage online: https://www.remotesyslog.com/ch/ / English can be found here: https://www.remotesyslog.com/en/\r\n\r\nFor more news check our LinkedIn page: https://www.linkedin.com/company/remote-syslog/\r\n\r\n## 1. 
License\r\n\r\n\"Remote Syslog\" is a free application that can be used to view syslog messages.\r\n\r\nCopyright (C) 2021 Tom Slenter\r\n\r\nThis program is free software: you can redistribute it and/or modify\r\nit under the terms of the GNU General Public License as published by\r\nthe Free Software Foundation, either version 3 of the License.\r\n\r\nThis program is distributed in the hope that it will be useful,\r\nbut WITHOUT ANY WARRANTY; without even the implied warranty of\r\nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\nGNU General Public License for more details.\r\n\r\nYou should have received a copy of the GNU General Public License\r\nalong with this program. If not, see \u003chttp://www.gnu.org/licenses/\u003e.\r\n\r\nFor more information contact the author:\r\n\r\nAuthor: Tom Slenter\r\n\r\nE-mail: info@remotesyslog.com\r\n\r\n## 2. Versions\r\n\r\nRSX is a syslog-ng - Elasticsearch - Kibana driven syslog server. This\r\ncombination allows you to dump and store a lot of syslog messages with almost\r\nno performance decrease in searches. RSX has multiple enterprise grade options.\r\n\r\nRSC is a syslog-ng - CLI - PHP GUI driven syslog server. This combination is for\r\nlow-powered devices like a Raspberry Pi and for small environments. Depending on the\r\nfunctionality RSC will run fine with more than 1000 devices, but tuning is required.\r\n\r\nRS Core is a syslog-ng - CLI driven syslog server. This environment can be used in\r\nsmall/lab/test environments. It is very small and compact. The setup can be done\r\nwithin minutes.\r\n\r\n## 3. 
Config files\r\nDefault locations of configuration files:\r\n```\r\nSyslog-ng global config:       /etc/syslog-ng/syslog-ng.conf\r\nSyslog-ng additional configs:  /etc/syslog-ng/conf.d/99*\r\nKibana global config:          /etc/kibana/kibana.yml\r\nElasticsearch global config:   /etc/elasticsearch/elasticsearch.yml\r\nLogstash global config:        /etc/logstash/logstash.yml\r\nLogstash additional configs:   /etc/logstash/conf.d/99*\r\nLogrotate:                     /etc/logrotate.d/remotelog\r\nSyslog-ng logrotate:           /etc/logrotate.d/syslog-ng\r\nColortail global:              /opt/remotesyslog/colortail\r\nFilebeat global:               /etc/filebeat/filebeat.yml\r\nFilebeat Cisco:                /etc/filebeat/modules.d/cisco.yml\r\nFilebeat netflow:              /etc/filebeat/modules.d/netflow.yml\r\n```\r\n\r\n## 4. RSE Development version\r\nRSE is a new version of Remote Syslog which has the same functionality as RSC, but the backend is running Elasticsearch. It can be tested within the following setup:\r\n\r\nConfirmed setups:\r\n```\r\nTested for Ubuntu 20.04 LTS virtual machine.\r\nTested for Ubuntu 21.04 Raspberry Pi 4 (4GB RAM)\r\n```\r\n\r\nQuick installation:\r\n```\r\ngit clone https://www.github.com/tslenter/RS\r\ncd RS\r\nchmod +x rseinstaller\r\nsudo ./rseinstaller\r\nOption 1 =\u003e RSE Core installation\r\nOption 1 =\u003e Core installation\r\n\r\nsudo ./rseinstaller\r\nOptional web interface:\r\nOption 2 =\u003e RSE webinterface installation\r\nOption 2 =\u003e Install RSE WEB\r\n```\r\n\r\nUse SSH to run the CLI commands. Updated commands:\r\n```\r\nrseview\r\nrseinstaller\r\nrseuser\r\n```\r\n\r\nThe web interface runs on port 443 (SSL).\r\n\r\n## 5. Security\r\nAll external connections are encrypted with TLS/SSL; this includes the API on port 8080, SSH and HTTP for user login. Authentication is run by the PAM modules, so all users with an account can log in. 
To restrict user login, use the apache2 configuration and add all the users that are allowed to log in. \r\n\r\nTo update the certificates, copy the new certificates to the following directory:\r\n```\r\n/etc/cert/\r\n```\r\n\r\nAfter you have installed the new certificates, update the apache2 configuration. File location:\r\n```\r\n/etc/apache2/sites-enabled/\r\n```\r\n\r\n## 6. Installation\r\n### 6.1 Quick start\r\na. Install a clean Debian 9.x or Ubuntu 20.04.2 LTS distro.\r\n\r\nb. Run the following commands:\r\n\r\n```bash\r\ngit clone https://github.com/tslenter/RSX-RSC.git\r\ncd RSX-RSC\r\nchmod +x rsinstaller\r\n./rsinstaller\r\n# Choose option 1 to install the core\r\n# Choose option 10 to install the RSC version (Remote Syslog Classic)\r\n# Choose option 12 to install the RSX version\r\n```\r\nc. RSX is only supported on Ubuntu 18.04.2 or higher and Debian 10.x or higher\r\n\r\n### 6.2 Local user management\r\nThe \"rsuser\" command is used to add or remove users from Remote Syslog X/C.\r\n\r\nAdd a user without CLI access:\r\n```bash\r\nrsuser \u003cusername\u003e add web-only\r\n```\r\n\r\nAdd a user with CLI access:\r\n```bash\r\nrsuser \u003cusername\u003e add\r\n```\r\n\r\nRemove a user:\r\n```bash\r\nrsuser \u003cusername\u003e rm\r\n```\r\n\r\n### 6.3 RSX Cluster\r\nWith build 52 of RSX 0.1 clustering is supported. RSX will load the default configuration. 
Feel free to add some best practice options, found here:\r\n```\r\nhttps://logz.io/blog/elasticsearch-cluster-tutorial/\r\n```\r\nCheck the cluster health by running the following command:\r\n```bash\r\ncurl -XGET -H \"Content-Type: application/json\" http://localhost:9200/_cluster/health?pretty=true\r\n```\r\nExpected output:\r\n```\r\n{\r\n  \"cluster_name\" : \"rsx\",\r\n  \"status\" : \"green\",\r\n  \"timed_out\" : false,\r\n  \"number_of_nodes\" : 3,\r\n  \"number_of_data_nodes\" : 3,\r\n  \"active_primary_shards\" : 10,\r\n  \"active_shards\" : 20,\r\n  \"relocating_shards\" : 0,\r\n  \"initializing_shards\" : 0,\r\n  \"unassigned_shards\" : 0,\r\n  \"delayed_unassigned_shards\" : 0,\r\n  \"number_of_pending_tasks\" : 0,\r\n  \"number_of_in_flight_fetch\" : 0,\r\n  \"task_max_waiting_in_queue_millis\" : 0,\r\n  \"active_shards_percent_as_number\" : 100.0\r\n}\r\n```\r\n\r\n## 7. Optional configuration\r\n### 7.1 Integrate Active Directory LDAP authentication for Apache 2\r\n\r\nActivate the Apache LDAP modules:\r\n```bash\r\na2enmod ldap authnz_ldap\r\n```\r\n\r\nConfigure /etc/apache2/apache2.conf as follows:\r\n```bash\r\n\u003cDirectory /var/www/html\u003e\r\nAuthType Basic\r\nAuthName \"Remote Syslog Login\"\r\nOptions Indexes FollowSymLinks\r\nAllowOverride None\r\nAuthBasicProvider ldap\r\nAuthLDAPGroupAttributeIsDN On\r\nAuthLDAPURL \"ldap://\u003cmyadhost\u003e:389/dc=DC01,dc=local?sAMAccountName?sub?(objectClass=*)\"\r\nAuthLDAPBindDN \"CN=,OU=Accounts,DC=DC01,DC=local\"\r\nAuthLDAPBindPassword\r\nAuthLDAPGroupAttribute member\r\nrequire ldap-group cn=,ou=Groups,dc=DC01,dc=local\r\n\u003c/Directory\u003e\r\n```\r\nNote that a plain ldap:// URL on port 389 sends the bind password and the users' credentials to the domain controller unencrypted; use ldaps:// (port 636) or STARTTLS where the domain controller supports it.\r\n\r\n### 7.2 Basic authentication for Apache 2\r\n\r\nInstall apache2-utils:\r\n```bash\r\napt-get install apache2-utils\r\n```\r\n\r\nCreate the .htpasswd file:\r\n```bash\r\nhtpasswd -c /etc/apache2/.htpasswd \u003cmyuser\u003e\r\n```\r\n\r\nConfigure /etc/apache2/apache2.conf as follows:\r\n```bash\r\n\u003cDirectory 
/var/www/html\u003e\r\nAuthType Basic\r\nAuthName \"Remote Syslog Login\"\r\nAuthBasicProvider file\r\nAuthUserFile \"/etc/apache2/.htpasswd\"\r\nRequire user\r\nOptions Indexes FollowSymLinks\r\nAllowOverride None\r\nRequire valid-user\r\nOrder allow,deny\r\nAllow from all\r\n\u003c/Directory\u003e\r\n```\r\n\r\n### 7.3 Active Directory integration via PAM\r\nRun the commands as root:\r\n```bash\r\nsu -\r\n```\r\nUpgrade the distro:\r\n```bash\r\napt-get update \u0026\u0026 apt upgrade -y\r\n```\r\n\r\nInstall packages:\r\n```bash\r\napt-get install realmd packagekit sssd-tools sssd libnss-sss libpam-sss adcli oddjob oddjob-mkhomedir adcli samba-common ntpdate ntp unzip resolvconf git -y\r\n```\r\n\r\nEnable the DNS service:\r\n```bash\r\nsystemctl start resolvconf.service\r\nsystemctl enable resolvconf.service\r\nsystemctl status resolvconf.service\r\n```\r\n\r\nConfigure the DNS service:\r\n```bash\r\nnano /etc/resolvconf/resolv.conf.d/head\r\n```\r\n\r\nAdd:\r\n```\r\nnameserver \u003cip of dns server / domain controller\u003e\r\n```\r\n\r\nReload the DNS service:\r\n```bash\r\nsystemctl restart resolvconf.service\r\n```\r\n\r\nCheck the connection to the domain controller:\r\n```bash\r\nping dom001.lan.local\r\n```\r\n\r\nJoin the domain:\r\n```bash\r\nrealm join --user=administrator lan.local --verbose\r\n```\r\n\r\nExpected output:\r\n```\r\n* Successfully enrolled machine in realm\r\n```\r\n\r\nEdit the sssd daemon configuration:\r\n```bash\r\nnano /etc/sssd/sssd.conf\r\n```\r\n\r\nEdit configuration:\r\n```\r\n[sssd]\r\ndomains = LAN.LOCAL\r\nconfig_file_version = 2\r\nservices = nss, pam, sudo\r\ndefault_domain_suffix = lan.local\r\nfull_name_format = %1$s\r\n\r\n[domain/lan.local]\r\nad_domain = lan.local\r\nkrb5_realm = LAN.LOCAL\r\nrealmd_tags = manages-system joined-with-adcli\r\ncache_credentials = True\r\nid_provider = ad\r\nkrb5_store_password_if_offline = True\r\ndefault_shell = /bin/bash\r\nldap_id_mapping = True\r\nuse_fully_qualified_names = True\r\nfallback_homedir = /home/%u@%d\r\n#Restrict AD 
search:\r\n#ldap_search_base = DC=lan,DC=local\r\n#ldap_user_search_base = OU=Power Users,OU=Accounts,DC=lan,DC=local\r\n#ldap_group_search_base = OU=Groups,DC=lan,DC=local\r\naccess_provider = simple\r\nsimple_allow_groups = \u003cad group 1\u003e, \u003cad group 2\u003e\r\nmanage-system = yes\r\nautomatic-id-mapping = yes\r\n```\r\n\r\nReload the sssd daemon:\r\n```bash\r\nservice sssd restart\r\n```\r\n\r\nConfigure PAM to auto-create the home folder:\r\n```bash\r\nnano /etc/pam.d/common-session\r\n```\r\n\r\nAdd:\r\n```\r\nsession    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022\r\n```\r\n\r\nGrant root rights (Ubuntu only):\r\n```bash\r\nnano /etc/sudoers\r\n```\r\n\r\nAdd:\r\n```\r\n%\u003cadd ad group here\u003e ALL=(ALL:ALL) ALL\r\n```\r\n\r\nTo add an additional group use the following command:\r\n```bash\r\nrealm permit -g \u003cgroupname\u003e@lan.local\r\n```\r\n\r\nSecure the apache2 login:\r\n```bash\r\nnano /etc/apache2/sites-enabled/rsx-apache.conf\r\n```\r\n\r\nChange the following configuration:\r\n```\r\nChange in all 3 location blocks:\r\n                Require valid-user\r\n                #Require user user1 user2 user3\r\n#To:\r\n                #Require valid-user\r\n                Require user test01 \u003c\u003c-- username\r\n```\r\n\r\nReload the apache2 service:\r\n```bash\r\nservice apache2 restart\r\n```\r\n\r\nLog in or continue the RSX/RSC installation.\r\nDefault logout link:\r\n```\r\nhttps://\u003cip or dns\u003e/logout\r\n```\r\n\r\n## 8. Search strings CLI\r\n\r\n### 8.1 Search multiple strings of text within the per_host logging directory\r\n```bash\r\ngrep -h \"switch1\\|switch2\\|switch3\" /var/log/remote_syslog/* | more\r\n```\r\n\r\n### 8.2 Search for the top 15 messages\r\n```bash\r\n# The space between the pattern and the file name matters: without it the\r\n# path is glued onto the pattern and grep waits for input on stdin.\r\ngrep -Eo \"%.+?: \" /var/log/remote_syslog/remote_syslog.log | sort | uniq -c | sort -nr | head -n 15\r\n```\r\n\r\n## 9. 
Generate an email from an event\r\n### 9.1 Install sendmail\r\n```bash\r\nsudo apt install sendmail\r\n```\r\n\r\nEdit:\r\n```bash\r\n/etc/mail/sendmail.cf\r\n```\r\n\r\nSearch for =\u003e #\"Smart\" relay host (may be null)\r\nChange after DS =\u003e DSsmtp.lan.corp\r\n\r\n### 9.2 Use the following script and save it to /opt/mailrs\r\n\r\nCreate the array:\r\n```bash\r\n#!/bin/bash\r\n#Array of words to search for:\r\ndeclare -a data=(Trace module)\r\n```\r\n\r\nCheck if error messages exist:\r\n```bash\r\nfor word in \"${data[@]}\"; do\r\n    #Select today's lines first (the BSD syslog day is space padded, hence %e), then the keyword.\r\n    #$word is quoted so that it is always passed to grep as a single pattern.\r\n    mesg=$(grep \"^$(date +'%b %e')\" /var/log/remote_syslog/remote_syslog.log | grep \"$word\")\r\n    if [ -z \"$mesg\" ]\r\n    then\r\n        echo \"No variable!\"\r\n    else\r\n        echo \"Variable filled, setting variable to continue …\"\r\n        mesgall=1\r\n    fi\r\ndone\r\n```\r\n\r\nGenerate the email:\r\n```bash\r\nif [ -z \"$mesgall\" ]\r\nthen\r\n    echo \"Nothing to do, abort\"\r\n    exit\r\nelse\r\n    echo \"Subject: Syslog critical errors\" \u003e /opt/rs.txt\r\n    echo \"\" \u003e\u003e /opt/rs.txt\r\n    echo \"Hello \u003cuser\u003e,\" \u003e\u003e /opt/rs.txt\r\n    echo \"\" \u003e\u003e /opt/rs.txt\r\n    echo \"The following message is generated by Remote Syslog.\" \u003e\u003e /opt/rs.txt\r\n    echo \"\" \u003e\u003e /opt/rs.txt\r\n    for word in \"${data[@]}\"; do\r\n        grep \"^$(date +'%b %e')\" /var/log/remote_syslog/remote_syslog.log | grep \"$word\" \u003e\u003e /opt/rs.txt\r\n    done\r\n    echo \"\" \u003e\u003e /opt/rs.txt\r\n    echo \"The messages above are generated by the \u003chostname\u003e!\" \u003e\u003e /opt/rs.txt\r\n    echo \"\" \u003e\u003e /opt/rs.txt\r\n    echo \"Thank you for using Remote Syslog … ;-)\" \u003e\u003e /opt/rs.txt\r\n    cat /opt/rs.txt\r\n    /usr/sbin/sendmail -v -F \"T.Slenter\" -f \"info@mydomain.com\" ticketsystem@domain.com \u003c /opt/rs.txt\r\nfi\r\n```\r\n\r\nMake the file executable:\r\n```bash\r\nchmod +x /opt/mailrs\r\n```\r\n\r\n### 9.3 Install with 
cron\r\nCommand:\r\n```bash\r\ncrontab -e\r\n```\r\n\r\nEdit:\r\n```bash\r\n0 * * * * /opt/mailrs\r\n```\r\n\r\n## 10. Known issues\r\n\r\n### 10.1 Disk full by Geo2\r\nMessage in logging:\r\n```bash\r\nJan 27 10:24:50 plisk002.prd.corp syslog-ng[1793]: geoip2(): getaddrinfo failed; gai_error='Name or service not known', ip='', location='/etc/syslog-ng/conf.d/99X-Checkpoint.conf:32:25'\r\nJan 27 10:24:50 plisk002.prd.corp syslog-ng[1793]: geoip2(): maxminddb error; error='Unknown error code', ip='', location='/etc/syslog-ng/conf.d/99X-Checkpoint.conf:32:25'\r\n```\r\n\r\nComponents needed for fix:\r\n\r\nFile: /etc/syslog-ng/syslog-ng.conf\r\n\r\nFile destinations: \r\n- d_syslog\r\n- d_error\r\n\r\nLog rules:\r\n```bash\r\n- log { source(s_src); filter(f_syslog3); destination(d_syslog); };\r\n- log { source(s_src); filter(f_error); destination(d_error); };\r\n```\r\n\r\nFix:\r\nEdit:\r\n```bash\r\nvi /etc/syslog-ng/syslog-ng.conf\r\n```\r\n\r\nAdd rules:\r\n```bash\r\nfilter geoip_messages_1 { not match(\"Name or service not known\"); };\r\nfilter geoip_messages_2 { not match(\"Unknown error code\"); };\r\n```\r\n\r\nChange rules:\r\n```bash\r\n-log { source(s_src); filter(f_syslog3); destination(d_syslog); };\r\n-log { source(s_src); filter(f_error); destination(d_error); };\r\n+log { source(s_src); filter(f_syslog3); filter(geoip_messages_1); filter(geoip_messages_2); destination(d_syslog); };\r\n+log { source(s_src); filter(f_error); filter(geoip_messages_1); filter(geoip_messages_2); destination(d_error); };\r\n```\r\n\r\n### 10.2 Kibana not loaded after upgrade\r\nRestarting the server will solve this problem. 
Some report that a restart of the Kibana or Elasticsearch will fix the issue.\r\n```bash\r\nservice elasticsearch restart\r\nservice kibana restart\r\n```\r\n\r\n### 10.3 Data too large, data for [\u003chttp_request\u003e] (JVM heap size)\r\nError message:\r\n```bash\r\ntom@plisk002:~$ curl -X GET 'http://localhost:9200/_cat/health?v'\r\n{\"error\":{\"root_cause\":[{\"type\":\"circuit_breaking_exception\",\"reason\":\"[parent] Data too large, data for [\u003chttp_request\u003e] would be [1014538592/967.5mb], which is larger than the limit of [986061209/940.3mb], real usage: [1014538592/967.5mb], new bytes reserved: [0/0b], usages [request=0/0b, fielddata=3057213/2.9mb, in_flight_requests=0/0b, accounting=261018719/248.9mb]\",\"bytes_wanted\":1014538592,\"bytes_limit\":986061209,\"durability\":\"PERMANENT\"}],\"type\":\"circuit_breaking_exception\",\"reason\":\"[parent] Data too large, data for [\u003chttp_request\u003e] would be [1014538592/967.5mb], which is larger than the limit of [986061209/940.3mb], real usage: [1014538592/967.5mb], new bytes reserved: [0/0b], usages [request=0/0b, fielddata=3057213/2.9mb, in_flight_requests=0/0b, accounting=261018719/248.9mb]\",\"bytes_wanted\":1014538592,\"bytes_limit\":986061209,\"durability\":\"PERMANENT\"},\"status\":429}\r\n```\r\n\r\nIncrease memory fix:\r\n```bash\r\nnano /etc/elasticsearch/jvm.options\r\n```\r\n\r\nEdit:\r\n```bash\r\n--Xms1g\r\n--Xmx1g\r\n+-Xms6g\r\n+-Xmx6g\r\n```\r\n\r\n### 10.4 Syslog-NG 3.27.1 breaks with new upgrade on Ubuntu 18.04 and 20.04\r\nError message:\r\n```bash\r\ndpkg: error processing package syslog-ng-mod-sql (--configure):\r\n dependency problems - leaving unconfigured\r\ndpkg: dependency problems prevent configuration of syslog-ng-mod-redis:\r\n syslog-ng-mod-redis depends on syslog-ng-core (\u003e= 3.27.1-2); however:\r\n  Package syslog-ng-core is not configured yet.\r\n syslog-ng-mod-redis depends on syslog-ng-core (\u003c\u003c 3.27.1-2.1~); however:\r\n  Package syslog-ng-core 
is not configured yet.\r\n```\r\nFix:\r\n\r\nBack up the configuration\r\n```bash\r\nmkdir ~/syslog-ng_backup/\r\ncp -rf /etc/syslog-ng/* ~/syslog-ng_backup/\r\n```\r\nVerify the backup\r\n```bash\r\nls ~/syslog-ng_backup/\r\n```\r\nPurge syslog-ng and remove everything\r\n```bash\r\nsudo apt purge syslog-ng-core\r\n```\r\nIf some files remain, delete them all\r\n```bash\r\nrm -rf /etc/syslog-ng\r\n```\r\nReinstall syslog-ng-core\r\n```bash\r\nsudo apt install syslog-ng-core\r\n```\r\nReinstall syslog-ng\r\n```bash\r\nsudo apt install syslog-ng\r\n```\r\nClean up some packages\r\n```bash\r\nsudo apt auto-remove\r\n```\r\nRestore the RS configuration files\r\n```bash\r\ncp ~/syslog-ng_backup/conf.d/99* /etc/syslog-ng/conf.d/\r\n```\r\nIf you edited the /etc/syslog-ng/syslog-ng.conf file, check the difference and restore your custom configuration.\r\n\r\nThis issue should be fixed in version 3.27.1-2.1.\r\n\r\n### 10.5 My elasticsearch does not receive any logging, but everything is fine\r\nYou should probably check the date. If the date is not correct, run in the CLI as root:\r\ndpkg-reconfigure tzdata\r\n\r\nThis allows you to configure the timezone.\r\n\r\nThe next thing to check is within the Kibana console:\r\nManagement =\u003e Advanced Settings =\u003e Timezone for date formatting =\u003e set up the right timezone.\r\n\r\n## 11. Default API queries for Elasticsearch\r\nFind all indices:\r\n```bash\r\ncurl -XGET 'localhost:9200/_cat/indices'\r\n```\r\nFind cluster disk space:\r\n```bash\r\ncurl -XGET 'localhost:9200/_cat/allocation?v\u0026pretty'\r\n```\r\n\r\n## 12. Configuration checks\r\nLogstash test new config:\r\n```bash\r\n/usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/97-rsmdefault.conf --path.settings /etc/logstash/\r\n```\r\n\r\n## 13. 
Upgrades\r\n\r\n### 13.1 Upgrade from Remote Syslog 1.x\r\nManually remove Remote Syslog 1.x with the following bash script:\r\n```bash\r\necho \"File is only present if local syslog is activated\"\r\nrm -rf /etc/syslog-ng/conf.d/99-remote-local.conf\r\necho \"Remove configuration files\"\r\nrm -rf /etc/syslog-ng/conf.d/99-remote.conf\r\nrm -rf /etc/logrotate.d/remotelog\r\nrm -rf /etc/colortail/conf.colortail\r\nrm -rf /opt/remotesyslog\r\necho \"Remove binary files\"\r\nrm -rf /usr/bin/rsview\r\nrm -rf /usr/bin/rsinstaller\r\necho \"Removing legacy GUI website …\"\r\nrm -rf /var/www/html/favicon.ico\r\nrm -rf /var/www/html/index.php\r\nrm -rf /var/www/html/indexs.php\r\nrm -rf /var/www/html/jquery-latest.js\r\nrm -rf /var/www/html/loaddata.php\r\necho \"Remove packages …\"\r\napt -y purge apache2 apache2-utils php libapache2-mod-php syslog-ng colortail\r\napt -y autoremove\r\necho \"Reinstall rsyslog\"\r\napt -y install rsyslog\r\n```\r\nAfter the removal of Remote Syslog 1.x, install the new RSX or RSC. The old syslog data is still available through RSC or RSX, but only in plain text.\r\n\r\nMore information about Remote Syslog 1.x: https://github.com/tslenter/Remote_Syslog\r\n\r\n### 13.2 Upgrade from Ubuntu 18.04 to 20.04\r\nFirst update rsinstaller:\r\n```bash\r\nrsinstaller\r\n# Select option: 3\r\n```\r\nBuild 56 or higher is recommended.\r\n\r\nUpgrade commands:\r\n```bash\r\napt update \u0026\u0026 sudo apt upgrade\r\n#You will probably run into a syslog-ng rdkafka error. This will stop the installation. 
Therefore we added \"apt install -f\".\r\n#This only affects version 3.27.1 and was fixed in 3.27.1-2.\r\napt install -f\r\nreboot\r\napt install update-manager-core\r\ndo-release-upgrade -d\r\n```\r\nIt appears that the package \"syslog-ng-mod-rdkafka\" has some conflicts with the core configuration. If you run into this error, try to uninstall this package:\r\n```bash\r\n#This only affects version 3.27.1 and was fixed in 3.27.1-2.\r\napt remove syslog-ng-mod-rdkafka\r\n```\r\nAfter the upgrade there is an issue with the Apache2 configuration:\r\nEdit the following file: /etc/apache2/mods-enabled/php7.2.load and change:\r\n```\r\n-LoadModule php7_module /usr/lib/apache2/modules/libphp7.2.so\r\n+LoadModule php7_module /usr/lib/apache2/modules/libphp7.4.so\r\n```\r\nCheck /var/log/syslog for errors. We found 2 errors, depending on which platform you run the RSX server on.\r\nError 1 || DNS message:\r\n```\r\nApr 30 20:56:22 lusysl003 systemd-resolved[923]: Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP\r\n```\r\nRecreating the symlink will fix this issue:\r\n```\r\nln -sfn /run/systemd/resolve/resolv.conf /etc/resolv.conf\r\n\r\nor\r\n\r\nrm /etc/resolv.conf\r\nln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf\r\n```\r\nError 2 || If you run the server on ESXi you get the following error:\r\n```\r\nApr 30 12:47:53 plisk001.prd.corp multipathd[856]: sdb: add missing path\r\nApr 30 12:47:53 plisk001.prd.corp multipathd[856]: sdb: failed to get udev uid: Invalid argument\r\nApr 30 12:47:53 plisk001.prd.corp multipathd[856]: sdb: failed to get sysfs uid: Invalid argument\r\nApr 30 12:47:53 plisk001.prd.corp multipathd[856]: sdb: failed to get sgio uid: No such file or directory\r\n```\r\nEdit the following file /etc/multipath.conf to fix this issue:\r\n```\r\n+blacklist {\r\n+    device {\r\n+        vendor \"VMware\"\r\n+        product \"Virtual disk\"\r\n+    
}\r\n+}\r\n```\r\nAfter that restart the daemon:\r\n```\r\nsystemctl restart multipath-tools\r\n```\r\nReactivate the repositories:\r\n```\r\nwget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -\r\napt-get install apt-transport-https -y\r\necho \"deb https://artifacts.elastic.co/packages/7.x/apt stable main\" | tee -a /etc/apt/sources.list.d/elastic-7.x.list\r\necho \"deb https://artifacts.elastic.co/packages/oss-7.x/apt stable main\" | tee -a /etc/apt/sources.list.d/elastic-7.x.list\r\n\r\nwget -qO - https://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/xUbuntu_20.04/Release.key | /usr/bin/apt-key add -\r\necho deb http://download.opensuse.org/repositories/home:/laszlo_budai:/syslog-ng/xUbuntu_20.04 ./ \u003e /etc/apt/sources.list.d/syslog-ng.list\r\napt update\r\napt install syslog-ng-mod-snmp syslog-ng-mod-freetds syslog-ng-mod-json syslog-ng-mod-mysql syslog-ng-mod-pacctformat syslog-ng-mod-pgsql syslog-ng-mod-snmptrapd-parser syslog-ng-mod-sqlite3\r\nsudo apt autoremove\r\n```\r\n\r\n### 13.3 Ubuntu upgrade policy\r\nFor Ubuntu we only test the latest LTS version. At the time of writing this is 20.04 LTS. The next release will be 22.04 LTS.\r\n\r\n## 14. Information and external links\r\n\r\nMore information: https://www.remotesyslog.com/\r\n\r\nFind more plugins: https://github.com/syslog-ng/syslog-ng/tree/master/scl\r\n\r\n## 15. Donation and help\r\n\r\n### 15.1 Donation\r\n\r\nCrypto:\r\n\r\n```\r\nBTC (Bitcoin): bc1qulyuywjkeamqu0h9ctuj5cla8u0pagkaa83hf6\r\nLTC (Litecoin): ltc1q25j4yxg9dkwknrh4a7fvndtt3358c4gjnsf9qv\r\nBCH (Bitcoin Cash): qq9qd6gshp4n9gkk3zy9505p8j8jlhur4uv0lxv2d8\r\n```\r\nPayPal:\r\n\r\n[![paypal](https://www.paypalobjects.com/en_US/NL/i/btn/btn_donateCC_LG.gif)](https://www.paypal.com/cgi-bin/webscr?cmd=_donations\u0026business=KQKRPDQYHYR7W\u0026currency_code=EUR\u0026source=url)\r\n\r\n### 15.2 Help\r\n\r\nTo improve the code and functions we would like your help. 
Send your idea or code to info@remotesyslog.com or create a pull request. We will review it and add it to this project.\r\n\r\n### 15.3 What is an RSCX token?\r\nRSCX is created to reward developers for their work and to support the project. It is a tradable token on the Waves exchange. It comes with no warranty and the price indication is based on the live market. Sending funds to the wrong address will result in a loss of those funds. We do not refund RSCX tokens. We suggest that you use a hardware token to secure the RSCX tokens. Good luck trading and have fun!\r\n\r\n### 15.4 RSCX token\r\nWe have a reward system in place: Remote Syslog has its own token available, called RSCX. How to get RSCX?\r\n\r\nSend usable code/patterns to info@remotesyslog.com or create a pull request. We will review the code or pattern; this may take some time.\r\n\r\nExpected payout RSCX:\r\n - Patterns: minimum of 20 RSCX\r\n - Code fixes: minimum of 20 RSCX\r\n - Security fixes: minimum of 40 RSCX\r\n - New functionality like a plugin: minimum of 45 RSCX\r\n - Setup of a marketing campaign: minimum of 45 RSCX\r\n - Advisor payout: minimum of 45 RSCX\r\n - Test functionality: minimum of 5 RSCX\r\n - Rewards can be higher depending on the quality of the delivered work\r\n - Bounty programs may be available in future\r\n \r\nNote 1: code that is useless will not have a reward.\r\n\r\nRSCX distribution:\r\n\r\n10 million RSCX tokens are created. 
Distribution:\r\n\r\n - 4 million RSCX is available for developers (40%)\r\n - 0.2 million RSCX is available for testers (2%)\r\n - 2 million RSCX is available for marketing (20%)\r\n - 0.2 million RSCX is available for advisors (2%)\r\n - 1 million RSCX is available for investors (10%)\r\n - 2.6 million RSCX is reserved for future use/insurance/burn (26%)\r\n\r\nWhere to trade RSCX:\r\n\r\nhttps://waves.exchange/dex-demo?assetId2=CqWLkpZ47CQLjtojz8S14Ao1xsv7i3zue2aWLcH6RJoG\u0026assetId1=8LQW8f7P5d5PZM7GtZEBgaqRPGSzS3DfPuiXrURJ4AJS\r\n\r\nTrading pairs:\r\n```\r\nRSCX / WAVES\r\nRSCX / USDN\r\nRSCX / USDT\r\nRSCX / BTC\r\nRSCX / BCH\r\nRSCX / BSV\r\nRSCX / ETH\r\nRSCX / TRY\r\nRSCX / LTC\r\nRSCX / ZEC\r\nRSCX / XMR\r\nRSCX / DASH\r\nBNT / RSCX\r\nRSCX / ERGO\r\nRSCX / WEST\r\nWCT / RSCX\r\nRSCX / WNET\r\nRSCX / EFYT\r\nRSCX / MRT\r\nRSCX / LIQUID\r\n```\r\n\r\nA Waves account is needed to receive RSCX tokens.\r\n\r\n### 15.5 Funds\r\nAll donations and other funds will be used to cover the costs of this project and to improve tests/plugins/core scripts. The roadmap will display new functions or products. Check https://www.remotesyslog.com for more information.\r\n\r\n### 16 Tips for RSX\r\n- Make a good lifecycle policy to prevent a full disk (just monitor it for some time).\r\n- By default text file storage is enabled. When using the elastic-based stack you can disable this by editing the syslog-ng config. (If this is disabled the \"rsview\" command gives no new output.) Text-based storage use can be lowered by the RSX installer.\r\n- Everything is built in a block structure so you can disable default services and add your own. 
This block structure allows you to disable the RSX concept and go to an elastic stack setup, or something else.\r\n- By default all syslog can be received on port 514 UDP/TCP; we recommend 514/UDP and not 514/TCP (UDP is faster and we recommend it for all services).\r\n- RSX is capable of running a cluster setup; we recommend a cluster of 3 for full redundancy. When running a cluster make sure you create a good update plan.\r\n- By default we use syslog-ng as the core; this parses all syslog data. If you want to create fields for smart searches within the Kibana interface, this is required.\r\n- Check out the Active Directory (AD) setup. The RSX authentication page works with Linux PAM. PAM can be configured to use an AD.\r\n- The default login name for RSX is the one created with the Debian/Ubuntu installation. Do NOT use a root user! If you only created a root user, create a normal user account for the login.\r\n- We do have some patterns preconfigured (CheckPoint, Cisco, Microsoft, F5 and more). You probably need to edit them to match the infrastructure.\r\n- Because we use open source software everything is free, and patterns can be found with a good Google search as well.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftslenter%2FRSX-RSC","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftslenter%2FRSX-RSC","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftslenter%2FRSX-RSC/lists"}