nginx for WordPress with high traffic volumes on CentOS 6.x

Resources to consult

http://codex.wordpress.org/Nginx#URL_Rewrites_.2F_Permalinks

How to install LEMP on centos 6 ( Nginx, PHP, Mysql )


http://nginx.org/en/linux_packages.html#stable

Installing nginx on CentOS 6.x

wget http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm

rpm -Uhv nginx-release-centos-6-0.el6.ngx.noarch.rpm

vim /etc/yum.repos.d/nginx.repo

add

priority=10

yum install nginx

for the configuration see the conf directory
https://github.com/MaoX17/nginx-php-fpm-wordpress-high-performance

Installing php-fpm 5.4 on CentOS 6.x

yum install centos-release-SCL

yum update

yum install php54*

for the configuration see the conf directory
https://github.com/MaoX17/nginx-php-fpm-wordpress-high-performance

Installing redis on CentOS 6.x

yum install redis.x86_64

/opt/rh/php54/root/usr/bin/pecl install redis

You should add "extension=redis.so" to php.ini

then check phpinfo

/opt/rh/php54/root/usr/bin/pear channel-discover pear.nrk.io

/opt/rh/php54/root/usr/bin/pear remote-list -c nrk

/opt/rh/php54/root/usr/bin/pear install nrk/predis

remember to install the Redis plugin for WordPress and the WP-Super-Cache plugin

for the configuration see the conf directory
https://github.com/MaoX17/nginx-php-fpm-wordpress-high-performance

install and configure backup bacula 7 webacula bacula-web

# Bacula Step by Step

For more information, updates and configuration examples click here
https://github.com/MaoX17/Bacula-7-step-by-step

## Installation

yum install mysql mysql-devel mysql-server mysql-libs perl-DBD-MySQL perl-DBI

yum install php-*

wget https://repos.fedorapeople.org/repos/slaanesh/bacula7/epel-bacula7.repo
cp epel-bacula7.repo /etc/yum.repos.d/
yum update

yum install mt*

yum install bacula*

yum install epel-release

## Configuration

cd /usr/libexec/bacula/

./create_mysql_database
./make_mysql_tables
./grant_mysql_privileges

Link Bacula to MySQL
alternatives --config libbaccats.so

### Settings for the automated library (Sun StorageTek L40 Tape Library)

vim /usr/libexec/bacula/mtx-changer.conf
offline=1
offline_sleep=60
load_sleep=60
inventory=0
vxa_packetloader=0
debug_log=1

#### If the library contained data and you want a clean state

before doing RELABEL

##### Script to rewind the tapes and empty them
for i in {1..40}
do
echo $i
/usr/libexec/bacula/mtx-changer /dev/sg3 load $i /dev/st0 0 && mt -f /dev/st0 rewind && mt -f /dev/st0 weof && mt -f /dev/st0 rewind && /usr/libexec/bacula/mtx-changer /dev/sg3 unload $i /dev/st0 0
done

#### Labeling the volumes (tapes) with barcodes

bconsole
label barcodes

##### Note
If your autochanger has barcode labels, you can label all the Volumes in your autochanger one after another by using the label barcodes command. For each tape in the changer containing a barcode, Bacula will mount the tape and then label it with the same name as the barcode. An appropriate Media record will also be created in the catalog. Any barcode that begins with the same characters as specified on the "CleaningPrefix=xxx" command will be treated as a cleaning tape, and will not be labeled. For example with:

Pool {
Name ...
Cleaning Prefix = "CLN"
}

Any slot containing a barcode of CLNxxxx will be treated as a cleaning tape and will not be mounted.

Please note that Volumes must be pre-labeled to be automatically used in the autochanger during a backup. If you do not have a barcode reader, this is done manually (or via a script).

#### Labeling the volume for the Catalog backup
bconsole
label
Automatically selected Catalog: MyCatalog
Using Catalog "MyCatalog"
The defined Storage resources are:
1: File1
2: File2
3: STK
Select Storage resource (1-3): 1
Enter new Volume name: Vol-File-Bkp
Defined Pools:
1: Default
2: Nastri-Win
3: Nastri-LNX
4: File
5: Scratch
Select the Pool (1-5): 1

Catalog record for Volume "Vol-File-Bkp", Slot 0 successfully created.

*quit

#### WARNING: in case of errors (catalog not found)

check the permissions of your bacula-dir.conf. Your bacula-dir runs as user bacula and MUST have
enough permissions to read its bacula-dir.conf (and also the query.sql).

chmod -R 777 /etc/bacula
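The least-privilege alternative to `chmod -R 777`, added here as an example and not taken from the note or from the Bacula project: the note itself says bacula-dir runs as user bacula, and the resource files carry the daemon passwords, so the fix is ownership plus 750 on directories and 640 on files, followed by a find that reports anything still readable or writable by "other". Directory, owner and group are parameters so the functions can be exercised on a scratch copy; the sample tree and its contents are constructed.

```shell
#!/bin/sh
# Added example (not from the note or from Bacula): give the Bacula daemons
# read access with minimum permissions instead of chmod -R 777.
# Assumptions: daemons run as user "bacula", group "bacula" (CentOS packages);
# the directory defaults to /etc/bacula but is passed as a parameter.

# harden_bacula_conf DIR OWNER GROUP: owner may read/traverse, group may read,
# others get nothing; configuration files are never executable.
harden_bacula_conf() {
  dir=$1; owner=$2; group=$3
  chown -R "$owner:$group" "$dir"
  find "$dir" -type d -exec chmod 750 {} \;
  find "$dir" -type f -exec chmod 640 {} \;
}

# world_accessible DIR: print every path under DIR that "other" can read
# (bit 004) or write (bit 002). Empty output means the tree is clean.
world_accessible() {
  find "$1" \( -perm -004 -o -perm -002 \) -print
}

# mode_of PATH: octal permission bits, e.g. 640 (GNU stat, as on CentOS).
mode_of() { stat -c %a "$1"; }

# make_sample_tree DIR: constructed stand-in for /etc/bacula with the usual
# resource files, deliberately left world-writable as after chmod -R 777.
make_sample_tree() {
  mkdir -p "$1/scripts"
  for f in bacula-dir.conf bacula-sd.conf bacula-fd.conf bconsole.conf scripts/query.sql; do
    printf 'Password = "CONSTRUCTED-SAMPLE"\n' > "$1/$f"
  done
  chmod -R 777 "$1"
}

if [ "${1:-}" = "demo" ]; then
  harden_bacula_conf /etc/bacula bacula bacula
  world_accessible /etc/bacula
fi
```

Run `harden_bacula_conf /etc/bacula bacula bacula` as root once, then `world_accessible /etc/bacula` should print nothing; if the director still reports "catalog not found", check that the user in the Director's process is really the owner you set rather than loosening the mode again.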

## Installing Webacula
(http://webacula.sourceforge.net/)

download and unpack webacula7

mv webacula-7.0.0 /usr/share/webacula
cp /usr/share/webacula/install/apache/webacula.conf /etc/httpd/conf.d/

### Install the components Webacula needs

yum install php-ZendFramework-full.noarch php-ZendFramework-Auth-Adapter-Ldap.noarch php-ZendFramework-Db-Adapter-Mysqli.noarch php-ZendFramework-Db-Adapter-Pdo-Mysql.noarch

### Set the permissions for Webacula via sudo

visudo:
...
Defaults requiretty

# For webacula
Defaults:apache !requiretty
apache ALL = NOPASSWD: /usr/sbin/bconsole, /sbin/stop

### Set the Webacula password
./password-to-hash.php ##PASSWORD##

paste it in db.conf

### Further Webacula configuration
cd /usr/share/webacula/
vim application/config.ini

cd /usr/share/webacula/install
./check_system_requirements.php

cd MySql/
./10_make_tables.sh
./20_acl_make_tables.sh

#### As a last resort (to fix login problems):
mysql
use bacula
update webacula_users set pwd='$P$BMAiISUFah71ZDpzy1Vx1emAZU5Rli1' where id = 1000;

## Installing Bacula Web
(http://www.bacula-web.org/)
download bacula-web 7
The latest version Bacula-Web is available through the project site download page
http://www.bacula-web.org/download.html

Go to your Apache root’s folder
cd /var/www/html
mkdir -v bacula-web
tar -xzvf bacula-web.tar.gz -C /var/www/html/bacula-web
chown -Rv apache: /var/www/html/bacula-web
chmod -Rv ug+w /var/www/html/bacula-web/application/view/cache

From the installation folder, go to the folder mentioned below
application/config/

- Open the file config.php.sample and modify the settings for your installation
- Save this file as config.php in the same folder

### Test

Open your web browser and go to the address below

http://yourserver/bacula-web/test.php

## RESTART BACULA FULL
for i in /etc/init.d/bacula-*; do "$i" "$1"; done

Transfer only the new files via FTP

wget -m --ftp-user=xxxx --ftp-password=yyy ftp://ftp.dominio.it/www.dominio.it/

nohup command
Then press ctrl + z, which will temporarily suspend the command
bg
This will start executing the command in the background
To see which background processes are running you can type:
$ jobs

rsync -avzu -e "ssh -p 2222" root@xx.xx.xx.xx:/var/www/html/ORIG/* /home/DEST/public_html/ > /home/DEST/public_html/rsync.log 2> /home/DEST/public_html/rsync.err

Installing PHP 5.4 on CentOS 6.x

Thanks to
http://sharadchhetri.com/2015/04/04/install-php-5-4-on-centos-6-with-yum-command/

Step 1. Install the SCL repo by running the command below.

yum install centos-release-SCL

Step 2. Now install PHP 5.4 on the system.

yum install php54

To install a specific package, its name must be known. To get the list of packages available from the SCL repo, run the command below.

yum list|grep php

Step 3. Activate PHP 5.4 on the system.
NOTE: if you run the command below directly from the terminal, the PHP 5.4 path will not be set on your next login.

source /opt/rh/php54/enable

Basically, the above command makes the PHP 5.4 executable path and environment available to the currently logged-in user.

To make PHP 5.4 available to all users, add the line source /opt/rh/php54/enable to the file /etc/profile. Then activate it without logging out by running:

source /etc/profile

Or, if you only want PHP 5.4 available to a specific user, edit the .bashrc or .bash_profile file in that user's home directory and add the line source /opt/rh/php54/enable .

Step 4. Now check the PHP version

php -v

Below is the reference output from our system.

[root@localhost ~]# php -v
PHP 5.4.16 (cli) (built: Nov 19 2014 08:05:17)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
[root@localhost ~]#
IMPORTANT NOTE: the PHP 5.4 package is actually installed in the /opt/rh directory.

WARNING!!!! Enabling per VirtualHost

thanks to: http://www.ilsistemista.net/index.php/linux-a-unix/45-joomla-3-3-centos-6-and-php-version-putting-all-together.html?start=1

Step n.1: enable the SCL repo and install PHP 5.4

yum install -y centos-release-SCL.x86_64
yum install -y php54.x86_64 php54-php-mysqlnd

Step n.2: create a PHP wrapper script in /var/www/cgi-bin/php54-wrapper

#!/bin/bash
source /opt/rh/php54/enable
exec php-cgi "$1"

Then give it the appropriate permissions and restore the selinux context:

restorecon -RF /var/www/cgi-bin/php54-wrapper
chown apache:apache /var/www/cgi-bin/php54-wrapper
chmod ugo-rwx /var/www/cgi-bin/php54-wrapper
chmod ug+rx /var/www/cgi-bin/php54-wrapper

Step n.3: configure the appropriate VirtualHost to use the new PHP version via the CGI interface

AddHandler php-cgi .php
Action php-cgi /cgi-bin/php54-wrapper
Options +ExecCGI

This configuration instructs Apache to use the new PHP 5.4 version for this and only this VirtualHost, leaving all other configuration intact: the other VirtualHosts will continue to use PHP 5.3 via mod_php.


Note:

if it stops working, you need to rename the file

/etc/httpd/conf.d/php54-php.conf

to

/etc/httpd/conf.d/php54-php.conf.vhosts

Apache: No space left on device: Couldn’t create accept lock

from: major.io

This error completely stumped me a couple of weeks ago. Apparently someone was adjusting the Apache configuration, then they checked their syntax and attempted to restart Apache. It went down without a problem, but it refused to start properly, and didn’t bind to any ports.

Within the Apache error logs, this message appeared over and over:

[emerg] (28)No space left on device: Couldn’t create accept lock
Apache is basically saying “I want to start, but I need to write some things down before I can start, and I have nowhere to write them!” If this happens to you, check these items in order:

1. Check your disk space
This comes first because it’s the easiest to check, and sometimes the quickest to fix. If you’re out of disk space, then you need to fix that problem. 🙂

2. Review filesystem quotas
If your filesystem uses quotas, you might be reaching a quota limit rather than a disk space limit. Use repquota / to review your quotas on the root partition. If you’re at the limit, raise your quota or clear up some disk space. Apache logs are usually the culprit in these situations.

3. Clear out your active semaphores
Semaphores? What the heck is a semaphore? Well, it’s actually an apparatus for conveying information by means of visual signals. But, when it comes to programming, semaphores are used for communicating between the active processes of a certain application. In the case of Apache, they’re used to communicate between the parent and child processes. If Apache can’t write these things down, then it can’t communicate properly with all of the processes it starts.

I’d assume if you’re reading this article, Apache has stopped running. Run this command as root:

ipcs -s

If you see a list of semaphores, Apache has not cleaned up after itself, and some semaphores are stuck. Clear them out with this command:

for i in `ipcs -s | awk '/httpd/ {print $2}'`; do (ipcrm -s $i); done

Now, in almost all cases, Apache should start properly. If it doesn’t, you may just be completely out of available semaphores. You may want to increase your available semaphores, and you’ll need to tickle your kernel to do so. Add this to /etc/sysctl.conf:

kernel.msgmni = 1024
kernel.sem = 250 256000 32 1024

And then run

sysctl -p 

to pick up the new changes.
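A defender-side version of the cleanup above, added here as an example and not part of the major.io article: it selects semaphore IDs by owner name (apache on CentOS, www-data on Debian-style systems, passed as a parameter rather than the hard-coded /httpd/ match), refuses to remove anything while an httpd process is still alive, and reads the SEMMNI field out of kernel.sem so you can see how close to the ceiling the box is before touching sysctl. The sample `ipcs -s` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the article): clear Apache's leftover semaphores
# safely. The web-server user is a parameter: "apache" on CentOS,
# "www-data" on Debian-style systems.

# sem_ids_for_owner OWNER: read `ipcs -s` text on stdin and print the semid
# of every array whose owner column equals OWNER. The numeric guard on $2
# skips the header and separator lines.
sem_ids_for_owner() {
  awk -v owner="$1" '$3 == owner && $2 ~ /^[0-9]+$/ { print $2 }'
}

# sem_arrays_in_use: number of semaphore arrays currently allocated system-wide.
sem_arrays_in_use() {
  ipcs -s | awk '$2 ~ /^[0-9]+$/' | wc -l | tr -d ' '
}

# semmni_from_kernel_sem "SEMMSL SEMMNS SEMOPM SEMMNI": the fourth field of
# kernel.sem is the system-wide maximum number of arrays, the value the
# sysctl change above raises to 1024.
semmni_from_kernel_sem() {
  echo "$1" | awk '{ print $4 }'
}

# clear_orphaned_sems OWNER: remove OWNER's semaphores, but only when no httpd
# process is running; removing the arrays of a live Apache breaks it.
clear_orphaned_sems() {
  if pgrep -x httpd >/dev/null 2>&1; then
    echo "httpd is running; refusing to remove its semaphores" >&2
    return 1
  fi
  for id in $(ipcs -s | sem_ids_for_owner "$1"); do
    ipcrm -s "$id"
  done
}

# Constructed sample of `ipcs -s` output (not captured from a real host).
SAMPLE_IPCS='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      apache     600        1
0x00000000 65537      apache     600        1
0x00000000 98306      root       600        1'

if [ "${1:-}" = "demo" ]; then
  echo "arrays in use: $(sem_arrays_in_use) of $(semmni_from_kernel_sem "$(sysctl -n kernel.sem)")"
  printf '%s\n' "$SAMPLE_IPCS" | sem_ids_for_owner apache
fi
```

Source the file and call `clear_orphaned_sems apache` as root after Apache has stopped; if the "arrays in use" count is already near SEMMNI with Apache down, something other than Apache is holding them and the sysctl change alone will not help.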

Installing Ocserv – OpenConnect VPN server

Installation

yum install autoconf automake gcc libtasn1-devel zlib zlib-devel  trousers trousers-devel gmp-devel gmp xz texinfo libnl-devel libnl  tcp_wrappers-libs tcp_wrappers-devel tcp_wrappers dbus dbus-devel  ncurses-devel pam-devel readline-devel bison bison-devel flex gcc  automake autoconf wget
wget http://www.infradead.org/~tgr/libnl/files/libnl-3.2.25.tar.gz
tar -zxvf nettle-2.7.1.tar.gz
cd nettle-2.7.1
./configure --prefix=/opt/
make && make install
tar -xvf gnutls-3.3.10.tar.xz
cd gnutls-3.3.10
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
NETTLE_CFLAGS="-I/opt/include/" NETTLE_LIBS="-L/opt/lib64/ -lnettle"  HOGWEED_CFLAGS="-I/opt/include" HOGWEED_LIBS="-L/opt/lib64/ -lhogweed"  ./configure --prefix=/opt/
make && make install
wget http://www.carisma.slowglass.com/~tgr/libnl/files/libnl-3.2.24.tar.gz
tar xvf libnl-3.2.24.tar.gz
cd libnl-3.2.24
./configure --prefix=/opt/
make && make install
tar -xvf ocserv-0.8.8.tar.xz
cd ocserv-0.8.8
ls
LIBGNUTLS_CFLAGS="-I/opt/include/" LIBGNUTLS_LIBS="-L/opt/lib/ -lgnutls"  LIBNL3_CFLAGS="-I/opt/include" LIBNL3_LIBS="-L/opt/lib/ -lnl-3  -lnl-route-3" ./configure --prefix=/opt/
make && make install
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/

export PATH=$PATH:/opt/bin:/opt/sbin

Configuring Ocserv – OpenConnect VPN server

Generating the certificates

mkdir /etc/ocserv/

cd /etc/ocserv/

export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/

export PATH=$PATH:/opt/bin:/opt/sbin

certtool --generate-privkey --outfile ca-key.pem

cat << _EOF_ > ca.tmpl
cn = "VPN CA"
organization = "Provincia di Prato"
serial = 1
expiration_days = 9999
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_

certtool --generate-self-signed --load-privkey ca-key.pem --template ca.tmpl --outfile ca-cert.pem
certtool --generate-privkey --outfile server-key.pem

cat << _EOF_ > server.tmpl
cn = "openconnect.provincia.prato.it"
organization = "ProvinciaDiPrato"
expiration_days = 9999
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_

certtool --generate-certificate --load-privkey server-key.pem  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem  --template server.tmpl --outfile server-cert.pem

certtool --generate-privkey --outfile mpadmin-key.pem

cat << _EOF_ > mpadmin.tmpl
cn = "mpadmin"
unit = "admins"
expiration_days = 9999
signing_key
tls_www_client
_EOF_

certtool --generate-certificate --load-privkey mpadmin-key.pem  --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem  --template mpadmin.tmpl --outfile mpadmin-cert.pem

Configuration file: ocserv.conf

[root@localhost ocserv]# cat ocserv.conf
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam.
auth = "certificate"
#auth = "plain[./test1.passwd]"
#auth = "pam"

# A banner to be displayed on clients
banner = "Welcome"

# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
#listen-host = [IP|HOSTNAME]

use-dbus = no

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16

# Limit the number of client connections to one every X milliseconds
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100

# Limit the number of identical clients (i.e., users connecting multiple times)
# Unset or set to zero for unlimited.
max-same-clients = 2

# TCP and UDP port number
tcp-port = 4444
udp-port = 4444

# Keepalive in seconds
keepalive = 32400

# Dead peer detection in seconds
dpd = 440

# MTU discovery (DPD must be enabled)
try-mtu-discovery = false

# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g.,
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/server-cert.pem
server-key = /etc/ocserv/server-key.pem

# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem

# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der

# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
# root key).
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt

# The Certificate Authority that will be used
# to verify clients if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
ca-cert = /etc/ocserv/ca-cert.pem

# The object identifier that will be used to read the user ID in the client certificate.
# The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1

# The object identifier that will be used to read the user group in the client
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are:
#  OU (organizational unit) = 2.5.4.11
#cert-group-oid = 2.5.4.11

# A revocation list of ca-cert is set
#crl = /path/to/crl.pem

# GnuTLS priority string
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"

# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"

# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40

# The time (in seconds) that a client is not allowed to reconnect after
# a failed authentication attempt.
#min-reauth-time = 2

# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 172800

# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
# may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript

# UTMP
use-utmp = true

# PID file
pid-file = /var/run/ocserv.pid

# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot

# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket

# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Network settings

device = vpns

# The default domain to be advertised
default-domain = provincia.prato.it

ipv4-network = 172.21.0.0
ipv4-netmask = 255.255.0.0
# Use the keyword local to advertise the local P-t-P address as DNS server
ipv4-dns = 172.21.1.29

# The NBNS server (if any)
#ipv4-nbns = 192.168.2.3

#ipv6-address =
#ipv6-mask =
#ipv6-dns =

# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false

# Leave empty to assign the default MTU of the device
# mtu =

#route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0

#
# The following options are for (experimental) AnyConnect client
# compatibility. They are only available if the server is built
# with --enable-anyconnect
#

# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot.
# The profile is ignored by the openconnect client.
#user-profile = profile.xml

# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie. Legacy CISCO clients do not do that, and thus this option
# should be set for them.
#always-require-cert = false

######################################################################################

Create the service start file: ocserv.start

[root@localhost ocserv]# cat ocserv.start
#!/bin/bash
export LD_LIBRARY_PATH=/opt/lib/:/opt/lib64/
export PATH=$PATH:/opt/bin/:/opt/sbin/
iptables -t nat -F
iptables -t nat -A POSTROUTING -j MASQUERADE
ocserv -c /etc/ocserv/ocserv.conf
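Two additions in one script, written for this page and not part of ocserv: a lint pass over the ocserv.conf shown above that flags the settings the file's own comments warn about (the %COMPAT priority string with no -RSA versus the commented PFS line, the two-day cookie-validity, run-as-user = nobody, certificate authentication with no crl), and a replacement for the iptables lines in ocserv.start that masquerades only traffic from the VPN pool read out of the config, instead of flushing the whole nat table and masquerading every packet that leaves the box. The outbound interface name eth0 is a placeholder; the sample config excerpt is constructed from the values above.

```shell
#!/bin/sh
# Added example (not part of ocserv): pre-start checks for ocserv.conf and a
# NAT rule scoped to the VPN pool. Assumptions: "key = value" lines as in the
# config above; the outbound interface (eth0) is a placeholder to adjust.

# conf_value FILE KEY: value of the first uncommented KEY line, quotes and
# trailing comment stripped; empty when KEY is absent or commented out.
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 \
    | sed 's/[[:space:]]*#.*$//; s/^"//; s/"[[:space:]]*$//; s/[[:space:]]*$//'
}

# lint_ocserv_conf FILE: one finding per line; prints nothing when clean.
lint_ocserv_conf() {
  f=$1
  prio=$(conf_value "$f" tls-priorities)
  case "$prio" in
    *%COMPAT*) echo "tls-priorities enables %COMPAT (legacy TLS workarounds); prefer the commented NORMAL:...:-RSA line" ;;
  esac
  case "$prio" in
    *-RSA*) : ;;
    *) echo "tls-priorities keeps plain RSA key exchange, so the main channel has no forward secrecy" ;;
  esac
  cv=$(conf_value "$f" cookie-validity)
  if [ -n "$cv" ] && [ "$cv" -gt 86400 ]; then
    echo "cookie-validity=$cv seconds lets a stolen cookie reconnect for more than a day"
  fi
  case "$(conf_value "$f" run-as-user)" in
    nobody) echo "run-as-user=nobody is shared with other services; the file's own comment asks for a unique user" ;;
  esac
  if [ "$(conf_value "$f" auth)" = "certificate" ] && [ -z "$(conf_value "$f" crl)" ]; then
    echo "auth=certificate without crl: a lost client certificate cannot be revoked"
  fi
}

# vpn_pool FILE: "network/netmask", a form iptables accepts directly for -s.
vpn_pool() {
  printf '%s/%s\n' "$(conf_value "$1" ipv4-network)" "$(conf_value "$1" ipv4-netmask)"
}

# nat_rule FILE WAN_IF: the rule that will be applied, for review.
nat_rule() {
  printf '%s\n' "-t nat -A POSTROUTING -s $(vpn_pool "$1") -o $2 -j MASQUERADE"
}

# apply_nat FILE WAN_IF: delete a stale copy of the rule, then add it. Works on
# the iptables 1.4.7 shipped with CentOS 6, which has no -C (check) option.
apply_nat() {
  pool=$(vpn_pool "$1")
  iptables -t nat -D POSTROUTING -s "$pool" -o "$2" -j MASQUERADE 2>/dev/null || true
  iptables -t nat -A POSTROUTING -s "$pool" -o "$2" -j MASQUERADE
}

# write_sample_conf FILE: constructed excerpt with the settings the checks read.
write_sample_conf() {
  cat > "$1" <<'EOF'
auth = "certificate"
#auth = "pam"
tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
cookie-validity = 172800
run-as-user = nobody
ipv4-network = 172.21.0.0
ipv4-netmask = 255.255.0.0
#crl = /path/to/crl.pem
EOF
}

if [ "${1:-}" = "demo" ]; then
  lint_ocserv_conf /etc/ocserv/ocserv.conf
  nat_rule /etc/ocserv/ocserv.conf eth0
fi
```

In ocserv.start, replace the two iptables lines with `apply_nat /etc/ocserv/ocserv.conf eth0` (after setting the real WAN interface) and run `lint_ocserv_conf` before `ocserv -c`; the findings are warnings to review, not a reason to abort the start.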

########################################################################################

Quick example of a reverse proxy with Apache


###########
# EXAMPLE #
###########
#
# To define the URL /my-gateway/ as a gateway to an appserver with address
# http://some.app.intranet/ on a private network, after loading the
# modules and including this configuration file:
#
# ProxyRequests Off <-- this is an important security setting
# ProxyPass /my-gateway/ http://some.app.intranet/
#
# ProxyPassReverse /
# ProxyHTMLEnable On
# ProxyHTMLURLMap http://some.app.intranet/ /my-gateway/
# ProxyHTMLURLMap / /my-gateway/
#
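A check on the "important security setting" above, added here as an example and not part of the Apache sample: with ProxyRequests On, a host that only meant to publish /my-gateway/ also answers as a forward proxy for anyone who can reach it, so the script reads a configuration file and fails when the effective ProxyRequests value is On (Apache's default when the directive is absent is Off). The sample gateway snippet is constructed from the lines above.

```shell
#!/bin/sh
# Added example (not from the Apache sample): verify a reverse-proxy
# configuration keeps ProxyRequests Off. The configuration file is a parameter.

# effective_proxy_requests FILE: last uncommented ProxyRequests directive,
# lower-cased; "off" when none is set (Apache's default).
effective_proxy_requests() {
  v=$(grep -i '^[[:space:]]*ProxyRequests[[:space:]]' "$1" | tail -n 1 | awk '{ print tolower($2) }')
  echo "${v:-off}"
}

# has_proxypass FILE: success if at least one uncommented ProxyPass line exists.
has_proxypass() { grep -qi '^[[:space:]]*ProxyPass[[:space:]]' "$1"; }

# check_reverse_proxy FILE: 0 when forward proxying is off (or unset),
# 1 when ProxyRequests On would turn the host into an open proxy.
check_reverse_proxy() {
  if [ "$(effective_proxy_requests "$1")" = "on" ]; then
    echo "$1: ProxyRequests On makes this host an open forward proxy" >&2
    return 1
  fi
  has_proxypass "$1" || echo "$1: no ProxyPass directive, nothing is published" >&2
  return 0
}

# write_gateway_conf FILE On|Off: constructed gateway snippet modelled on the
# example above, with ProxyRequests set as requested.
write_gateway_conf() {
  cat > "$1" <<EOF
ProxyRequests $2
ProxyPass /my-gateway/ http://some.app.intranet/
ProxyPassReverse /my-gateway/ http://some.app.intranet/
EOF
}

if [ "${1:-}" = "demo" ]; then
  check_reverse_proxy /etc/httpd/conf.d/proxy.conf
fi
```

Run `check_reverse_proxy` against every file that contains a ProxyPass directive before `service httpd reload`; a non-zero exit is worth treating as a blocker in a deploy script.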

The Garante (Italian data protection authority) measure on System Administrators

Let me say up front that I consider it a load of crap... and completely useless, given that logs HAVE NO EVIDENTIARY VALUE WHATSOEVER!

But since we have to comply... let's try to do it at ZERO COST!

Here is how I solved it (am solving it):

Install rsyslog with logging to file on the logserver

On a CentOS 5.x Linux server

yum install rsyslog*
vim /etc/sysconfig/rsyslog
replace
SYSLOGD_OPTIONS="-m 0"
with
SYSLOGD_OPTIONS="-m 0 -r"
vim /etc/rsyslog.conf
###################################################
$template DynAuth, "/var/log/TUTTI/%$MONTH%/%$DAY%/%FROMHOST%.log"
local1.*,user.*,auth.*,authpriv.*,kern.* ?DynAuth
$EscapeControlCharactersOnReceive off
%msg:::space-cc%
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
local3.*                                                /var/log/varie.log
###################################################

Enable logging on all Linux servers

On any Linux server

cat /etc/syslog.conf

auth.*;authpriv.*;local1.*          @logserver.dominio

On each server I then have to create PERSONAL users to assign to all the system administrators (AdS):
useradd -G wheel -m -s /bin/bash username
passwd username
Add
AllowUsers username
in /etc/ssh/sshd_config
run
visudo
and add or uncomment the following line:
%wheel  ALL=(ALL)       ALL
This way the AdS have to log in with their own account and use sudo
(I recommend sudo -i or sudo -u to become root)
The advantage of using sudo is that I was able to change the root password and lock it in a safe without having to give it to all the AdS (since sudo lets you become root by entering your own password)

Enable logging on Oracle 9i

mkdir /var/log/oracle/
chown -R oracle:dba /var/log/oracle/
SHOW PARAMETER audit
ALTER SYSTEM SET audit_trail=OS SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations=TRUE SCOPE=SPFILE;
ALTER SYSTEM SET audit_file_dest='/var/log/oracle' SCOPE=SPFILE;
AUDIT SESSION;
SHUTDOWN IMMEDIATE
startup
Then a cron job must be created on the logserver that filters only logins/logouts and collects the results.
In version 9i it is in fact not possible to send the logs to a remote syslog.

Enable logging on Postgres

Edit
/usr/local/pgsql/data/postgresql.conf
as follows:

log_destination = 'syslog'

syslog_facility = 'LOCAL1'
syslog_ident = 'postgres'
log_connections = true
log_disconnections = true
log_duration = true
log_hostname = true

Enable logging on MySQL

Since mysql does not support writing logs to syslog, it can be solved as follows:

In the file
/etc/my.cnf

in the section
[mysqld]

add
log=/var/log/mysql.log

Then at boot run the following command:

tail -f /var/log/mysql.log | egrep 'Connect|Quit' | logger -p LOCAL1.info -t mysql &

(thanks to Stefano Coletta (http://www.mindcreations.com/) for the clarification:

egrep must be given the --line-buffered option, otherwise it does not work correctly)

tail -f /var/log/mysql.log | egrep --line-buffered 'Connect|Quit' | logger -p LOCAL1.info -t mysql &

and save it in rc.local

and also put it in the postrotate section of the logrotate config in
/etc/logrotate.d/mysql-log-rotate

Otherwise, as suggested to me by the good Alessandro Corbelli of www.web4web.it, named pipes can be used:

http://www.linuxjournal.com/article/2156

http://www.linuxjournal.com/content/using-named-pipes-fifos-bash

I don't log everything to a file; instead I created a named pipe and in inittab I inserted, with respawn, a script composed like this

while [ true ]; do
tail -f <namedpipe> | egrep 'Connect|Quit' | logger…
done

Performance is 'fairly' decent.
The while loop would actually be superfluous...

One detail needs attention:

If you use the named pipe with the script in inittab, the script must NOT use tail, but cat.

So the script becomes:

while [ true ]; do
cat <namedpipe> | egrep 'Connect|Quit' | logger -p LOCAL1.info -t mysql
done


Enable logging on the Windows servers

On the Windows servers

I used Snare:

SnareSetup-3.1.5-MultiArch.exe

http://www.intersectalliance.com/projects/SnareWindows/index.html

As "Destination snare server address" I put the same IP as the logserver, and 514 as the port

Enable logging on Exchange

To enable logging on the mailserver:

Exchange System Manager -> Administrative Groups -> <name> -> Servers -> ServerName -> right-click the server -> Diagnostics Logging
-> MSExchangeIS -> Private or Mailbox -> Logons = minimum; Access Control = minimum

Then in Snare:
Create a new object:
Identify the high level event = Any event(s)
Event ID Search Term = 1009,1016,1013,1029
General Search Term = *
Select the User Match Type = Include
User Search Term = *admin*
Identify the event types to be captured = Success Audit + Failure Audit
Identify the event logs = Security  + Application
Select the Alert Level = Critical

Enable logging on the FileServer

Create a new object:
Identify the high level event = Any event(s)
Event ID Search Term = 538,540,552,551,682,683,528
General Search Term = *
Select the User Match Type = Include
User Search Term = *admin*
Identify the event types to be captured = ALL
Identify the event logs = Security
Select the Alert Level = Critical

Immutability of the logs

Every night, on the logserver, a cron job runs that creates an md5 of all the log files

I call it Z_calcola_md5.sh so that cron runs it last, AFTER logrotate

cat /etc/cron.daily/Z_calcola_md5.sh

########################################
#!/bin/bash
TMP=`/bin/date --date='1 days ago' +%m/%d`
FILE_NAME="MD5-`/bin/date --date='1 days ago' +%m-%d`.md5"
DEST_DIR01="/var/log/TUTTI"
DEST_DIR="$DEST_DIR01/$TMP/"
MD5_DIR="/var/log/TUTTI/MD5/"
cd "$MD5_DIR"
find "$DEST_DIR" -type f -exec md5sum {} \; > "$FILE_NAME"
#########################################

At this point I can create a tar.gz and save the logs to a DVD or back them up
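The same nightly job with the two changes a practitioner would want, added here as an example and not part of the note: it uses sha256sum instead of md5sum (MD5 collisions are cheap to produce, so an attacker who can edit a log can also keep its MD5 unchanged), and it adds the verification step the note lacks, so a later run can tell whether yesterday's logs still match the recorded digests and name the files that changed. The digest list still has to be copied off the logserver (the DVD or backup the note mentions) to be worth anything, since a list kept beside the logs can be rewritten along with them. The directory layout /var/log/TUTTI/MM/DD/ follows the note; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the note): nightly digests with SHA-256 plus a
# verify step. Assumptions: log tree /var/log/TUTTI/MM/DD/ as in the note;
# paths are parameters so the functions can run on a scratch copy.

# compute_digests LOG_DIR OUT_FILE: one "hash  path" line per file, sorted so
# two runs over unchanged content produce byte-identical lists. OUT_FILE must
# live outside LOG_DIR, or it would be hashed while still empty.
compute_digests() {
  find "$1" -type f -exec sha256sum {} \; | sort -k2 > "$2"
}

# verify_digests OUT_FILE: 0 if every listed file still matches, 1 otherwise.
verify_digests() {
  sha256sum --check --quiet "$1" >/dev/null 2>&1
}

# changed_files OUT_FILE: paths whose digest no longer matches (or that are gone).
changed_files() {
  sha256sum --check "$1" 2>/dev/null | awk -F': ' '$2 != "OK" { print $1 }'
}

# make_sample_logs DIR: constructed stand-in for one day's directory (04/11).
make_sample_logs() {
  mkdir -p "$1/04/11"
  printf 'Apr 11 00:00:01 host1 sshd[1]: Accepted publickey for admin\n' > "$1/04/11/host1.log"
  printf 'Apr 11 00:00:02 db logger: mysql Connect admin@localhost\n' > "$1/04/11/db.log"
}

if [ "${1:-}" = "demo" ]; then
  day=$(/bin/date --date='1 days ago' +%m/%d)
  out="/var/log/TUTTI/SHA256/SHA256-$(/bin/date --date='1 days ago' +%m-%d).sha256"
  compute_digests "/var/log/TUTTI/$day" "$out"
  verify_digests "$out" || changed_files "$out"
fi
```

Dropped into /etc/cron.daily with a name that sorts after logrotate (as the note does with the Z_ prefix), the demo branch writes yesterday's list; a second cron entry that runs `verify_digests` over the lists copied back from the off-host store is what turns the digests into evidence that the logs were not rewritten.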