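Install LibreNMS on CentOS 7 with PHP 8.1 and MariaDB 10.8
System: CentOS 7 (end of life since 30 June 2024 and no longer receiving security updates; use a supported release for new deployments)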
Applications:
Librenms
PHP 8.1
MariaDB 10.8
Loganalyzer
Rsyslog
Update the system
yum update -y
Install php 8.1
yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum -y install https://rpms.remirepo.net/enterprise/remi-release-7.rpm
yum -y install yum-utils
yum-config-manager --enable remi-php81
yum install php php-cli
yum install php php-cli php-fpm php-mysqlnd php-zip php-devel php-gd php-mcrypt php-mbstring php-curl php-xml php-pear php-bcmath php-json
Install Mariadb 10.8
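curl -LsS -O https://downloads.mariadb.com/MariaDB/mariadb_repo_setup
# Note: the next step runs this downloaded script as root. Read it first and compare its SHA-256 checksum with the value published in the MariaDB documentation.
sudo bash mariadb_repo_setup --mariadb-server-version=10.8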
sudo yum install MariaDB-server MariaDB-client MariaDB-backup -y
rpm -qi MariaDB-server
sudo systemctl enable --now mariadb
systemctl status mariadb
mariadb -V
sudo mariadb-secure-installation
Install librenms
yum install git cronie fping jwhois ImageMagick mtr MySQL-python net-snmp net-snmp-utils nmap python-memcached rrdtool policycoreutils-python httpd mariadb mariadb-server unzip python3 python3-pip -y
yum install mod_php php-cli php-common php-curl php-gd php-mbstring php-process php-snmp php-xml php-zip php-memcached php-mysqlnd -y
useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms apache
cd /opt
git clone https://github.com/librenms/librenms.git
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/ /opt/librenms/cache
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/ /opt/librenms/cache
sudo yum install python3-devel -y
su - librenms
./scripts/composer_wrapper.php install --no-dev
exit
Create database
mysql -u root
CREATE DATABASE librenms CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
-- 'librenmspass' is an example value: substitute a strong, unique password here.
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'librenmspass';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
Exit
vi /etc/my.cnf
Within the [mysqld] section please add:
innodb_file_per_table=1
lower_case_table_names=0
systemctl restart mariadb
vi /etc/php.ini
date.timezone = Asia/Kathmandu
vi /etc/httpd/conf.d/librenms.conf
Add the following config, edit ServerName as required:
<VirtualHost *:80>
DocumentRoot /opt/librenms/html/
#ServerName librenms.example.com
AllowEncodedSlashes NoDecode
<Directory "/opt/librenms/html/">
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>
</VirtualHost>
rm -f /etc/httpd/conf.d/welcome.conf
systemctl enable --now httpd
yum install policycoreutils-python
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/logs(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/logs(/.*)?'
restorecon -RFvv /opt/librenms/logs/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/rrd(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/rrd(/.*)?'
restorecon -RFvv /opt/librenms/rrd/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/storage(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/storage(/.*)?'
restorecon -RFvv /opt/librenms/storage/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/bootstrap/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/bootstrap/cache(/.*)?'
restorecon -RFvv /opt/librenms/bootstrap/cache/
semanage fcontext -a -t httpd_sys_content_t '/opt/librenms/cache(/.*)?'
semanage fcontext -a -t httpd_sys_rw_content_t '/opt/librenms/cache(/.*)?'
restorecon -RFvv /opt/librenms/cache/
setsebool -P httpd_can_sendmail=1
vi /tmp/http_fping.tt
module http_fping 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
cd /tmp
checkmodule -M -m -o http_fping.mod http_fping.tt
semodule_package -o http_fping.pp -m http_fping.mod
semodule -i http_fping.pp
firewall-cmd --zone public --add-service http
firewall-cmd --permanent --zone public --add-service http
firewall-cmd --zone public --add-service https
firewall-cmd --permanent --zone public --add-service https
cp /opt/librenms/snmpd.conf.example /etc/snmp/snmpd.conf
vi /etc/snmp/snmpd.conf
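Replace RANDOMSTRINGGOESHERE with your SNMP community string (this guide uses public). Note that "public" is the well-known default community, so any host that can reach snmpd on UDP 161 can read this system's SNMP data; outside a lab, use a long random string or SNMPv3 instead.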
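# Note: this installs an unpinned script from the master branch into /usr/bin. Review the downloaded file before making it executable, and consider fetching a specific reviewed commit instead of master.
curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro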
chmod +x /usr/bin/distro
systemctl enable snmpd
systemctl restart snmpd
cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms
SETUP LOGANALYZER WITH RSYSLOG
yum install wget -y
yum install -y rsyslog-mysql
yum install rsyslog
service syslog stop
chkconfig syslog off
service rsyslog start
chkconfig rsyslog on
yum install vim -y
vim /etc/rsyslog.conf
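and add the following lines at the end of the file.
# Note: ?TmplMsg is used below but only TmplAuth is defined on this page; define a TmplMsg template the same way, otherwise rsyslog cannot load that rule.
# Note: %HOSTNAME% and %PROGRAMNAME% are taken from the received message. With UDP reception enabled the sender controls them, so consider the secpath-replace property option (e.g. %HOSTNAME:::secpath-replace%) so that a slash in those fields cannot change the target directory.
$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplMsg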
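Uncomment the following lines:
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Note: UDP syslog is unauthenticated; if port 514 is opened in the firewall, limit it to the addresses of the devices that send logs.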
service rsyslog restart
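-- Caution: this account gets every privilege on every database, including GRANT OPTION, can log in from any host ('%'), and uses the password 'password'.
-- None of the other steps shown in this guide use it. If a remote admin account is really needed, restrict the host part to a specific address, grant only the required databases, and set a strong password.
create user support@'%' identified by 'password';
grant all on *.* to support@'%' with grant option;
flush privileges;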
mysql -u root -p < /usr/share/doc/rsyslog-8.24.0/mysql-createDB.sql
GRANT ALL ON Syslog.* TO 'rsyslog'@'localhost' IDENTIFIED BY 'loganalyzerpass';
cp /etc/rsyslog.conf /etc/rsyslog.conf.org
# ### end of the forwarding rule ###
$template TmplAuth, "/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
authpriv.* ?TmplAuth
*.info,mail.none,authpriv.none,cron.none ?TmplMsg
# Load the MySQL Module
module(load="ommysql")
# #*.* :ommysql:127.0.0.1,Syslog_Database,syslog_user,password
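# Note: the next line stores the database password in clear text; make sure /etc/rsyslog.conf is readable by root only (chmod 600 /etc/rsyslog.conf).
*.* :ommysql:127.0.0.1,Syslog,rsyslog,loganalyzerpass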
systemctl restart rsyslog
Install LogAnalyzer
wget https://download.adiscon.com/loganalyzer/loganalyzer-4.1.13.tar.gz
tar -xzvf loganalyzer-4.1.13.tar.gz
mkdir /var/www/html/loganalyzer
cp -r /tmp/loganalyzer-4.1.13/src/* /var/www/html/loganalyzer/
cp -r /tmp/loganalyzer-4.1.13/contrib/* /var/www/html/loganalyzer
cp -r /tmp/loganalyzer-4.1.13/contrib/* /var/www/html/loganalyzer
cd /var/www/html/loganalyzer
touch config.php
chown apache:apache config.php
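# Note: config.php is already owned by apache (previous step), so world-writable 777 is not needed; 660 is enough for the web installer. Once the installer has written the database credentials to it, remove write access (e.g. chmod 440 config.php).
chmod 777 config.php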
chcon -h -t httpd_sys_script_rw_t /var/www/html/loganalyzer/config.php
vi /etc/httpd/conf.d/librenms.conf
Alias /loganalyzer "/var/www/html/loganalyzer"
service httpd restart
Error
Database name: Syslog
admin/password
Error
[Thu Mar 23 06:12:14.841355 2023] [php:error] [pid 68981] [client 192.168.220.1:50376] PHP Fatal error: Uncaught mysqli_sql_exception: Unknown column 'processid' in 'field list' in /var/www/html/loganalyzer/classes/logstreamdb.class.php:1682\nStack trace:\n#0 /var/www/html/loganalyzer/classes/logstreamdb.class.php(1682): mysqli_query()\n#1 /var/www/html/loganalyzer/classes/logstreamdb.class.php(1624): LogStreamDB->CreateMainSQLQuery()\n#2 /var/www/html/loganalyzer/classes/logstreamdb.class.php(545): LogStreamDB->ReadNextRecordsFromDB()\n#3 /var/www/html/loganalyzer/index.php(270): LogStreamDB->ReadNext()\n#4 {main}\n thrown in /var/www/html/loganalyzer/classes/logstreamdb.class.php on line 1682, referer:
https://github.com/rsyslog/loganalyzer/issues/75
mysql -u root -p
USE Syslog;
ALTER TABLE SystemEvents
ADD COLUMN checksum INT NOT NULL;
ALTER TABLE SystemEvents
ADD COLUMN processid VARCHAR(60) NOT NULL;
exit
Harden the Apache Web Server on CentOS 7
Hide the Apache version
Edit /etc/httpd/conf/httpd.conf and set:
ServerSignature Off
ServerTokens Prod
Turn off directory listing
In the relevant <Directory> block, remove Indexes from the Options line, or set:
Options -Indexes
Hide the php version
In /etc/php.ini set:
expose_php = Off
Allow services in firewalld
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
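# Caution: the next two rules expose MariaDB (3306/tcp) to the whole public zone, and the second duplicates the first. LibreNMS, rsyslog and LogAnalyzer in this guide reach the database over localhost/127.0.0.1, so skip these rules unless remote database access is required, and then limit it to specific source addresses.
sudo firewall-cmd --zone=public --add-service=mysql --permanent
sudo firewall-cmd --zone=public --add-port=3306/tcp --permanent
# Rules added with --permanent take effect only after: sudo firewall-cmd --reload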