Logging Mosquitto Server Logs (From Raspberry Pi) to Logentries

The Internet is evolving, and part of this is the emerging Internet of Things (IoT). IoT allows us to use the Internet to seamlessly connect the cyberspace and real world using physical sensors at huge scale, allowing us to gather and analyze the data across many domains. It is estimated that there will be 20 billion Things connected to the Internet by 2020, generating an enormous amount of data.

A previous blog post showed how easy it is to send logs from a Raspberry Pi to Logentries and to gather data from an attached sensor. This blog will build on that log to show how  to set up an MQTT system on a Raspberry Pi and send its logs to Logentries. MQTT is a widely used protocol to connect devices and was developed by Andy Stanford-Clark (IBM) and Arlen Nipper in 1999. It is designed to be bandwidth-efficient and use little battery power. It is based on a publish/subscribe approach that allows messages from devices to be sent (published) to interested (subscribed) services.
This blog will show easily the Logentries platform can be used to gather, store and visualize log data from MQTT devices. The resulting data exchange between Things does, however, introduce security concerns and machine management issues, so this blog will also show how to use data from the log to alert on possible MQTT security threats.

Our next blog will show how this MQTT broker can then be used with the OwnTracks app and Logentries.

Setting Up MQTT on Raspberry Pi Using Mosquitto

Mosquitto is a popular open source message broker that implements the MQTT protocol. It can be installed on the latest Raspberry Pi OS; Debian Wheezy, as well as Jessie. To use the new repository, you should first import the repository package signing key:

wget http://repo.mosquitto.org/debian/mosquitto-repo.gpg.key
sudo apt-key add mosquitto-repo.gpg.key

Then make the repository available to apt:

cd /etc/apt/sources.list.d/

Then get one of the following, depending on which version of Debian you are using:

sudo wget http://repo.mosquitto.org/debian/mosquitto-wheezy.list
sudo wget http://repo.mosquitto.org/debian/mosquitto-jessie.list

Then update and install from apt:

apt-get update
apt-get install mosquito

Additionally, you may want to install Mosquitto command-line clients with:

sudo apt-get install mosquitto-clients

You should have Mosquitto fully installed at this stage. Mosquitto server starts automatically, however, you can start it manually in its default configuration with:

sudo /etc/init.d/mosquitto start

Developers of Mosquitto have made an MQTT testing facility available on their website. In order to verify if your Mosquitto broker was correctly installed, you can open up test.mosquitto.org/gauge in the web browser and from Raspberry Pi terminal run:

mosquitto_pub -h test.mosquitto.org -t temp/random -m 23.0

This command will attempt to publish a message with payload “23.0” to topic “temp/random” at host “test.mosquitto.org” and the gauge should update its current value to 23 as shown below. We need to keep in mind that this testing facility is publicly available and may be used by many publishers simultaneously, hence values showing up may also be triggered by other users at the same time.

Integration With Logentries

So, let’s use Logentries to collect, store and analyze logs generated by the Mosquitto server we’ve set up.

Mosquitto generates a log file server which contains valuable information, such as connectivity status, publisher and subscriber details, devices and topics in use. In order to forward this data from the Raspberry Pi for further analysis with Logentries, we need to get a Logentries account and a token and then configure rsyslog server to send data to Logentries.This can be easily done by appending the following piece of code to the end of the rsyslog.conf file on the Pi:

$template Logentries,"<LOGENTRIES_TOKEN_HERE> %HOSTNAME% %syslogtag%%msg%\n"
*.* @@data.logentries.com:80;Logentries

$InputFileName /var/log/mosquitto/mosquitto.log
$InputFileTag Mosquitto
$InputFileStateFile Mosquitto-file1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePollInterval 10

Please, remember to replace the token placeholder in the above file with your Logentries token.

Now, login into your Logentries account and you will see logs from mosquitto.log, which are polled every 10 seconds per the configuration above. You can explore this data using the LEQL Query Language and REST API as an earlier blog showed.

MQTT Security

There are a couple of things you can do in order to maintain a good level of security in your MQTT based system:

1. Update to latest versions of software  to have the latest security fixes.

2. Use the TLS protocol for transport.

The Logentries platform and the Mosquiyto logs can help you to ensure that these two items are complied with. Since our Mosquitto logs are now being sent to Logentries, it is possible to create version aware alerts, e.g. the example below shows a label created in Logentries create to show versions and an alert can be created in Logentries to trigger whenever the mosquitto version reported is lower than 1.3.4.

 MQTT relies on TCP as its transport protocol, which means by default the connection does not use an encrypted communication. To encrypt the whole MQTT communication, most MQTT brokers use TLS instead of plain TCP. You should strongly consider using TLS, especially if you are using the username and password fields of the MQTT CONNECT packet for authentication and authorization. The “secure-mqtt” port 8883 is exclusively reserved for MQTT communication over TLS and should be used.

The port numbers used for connection are visible in Mosquitto logs, so you can filter all connections by port in order to expose potential threats. The screen below shows labels created in Logentries to indicate a non-secure  port may be in use and this can be extended to set up a Tag in Logentries matching a pattern in the logline to generate real-time alerts of these suspicious events, just like shown below:

Get Started with the Mosquitto Community Pack

In order to make the analysis of Mosquitto logs easier, we’ve developed a Mosquitto Community pack that can be installed from your Logentries dashboard. This Community Pack is equipped with alerts such as:

• New connection.
• Client connection establishment.
• Address assignment request.
• Port connection.

Additionally, this pack includes a series of timeline graphs and bar charts used to analyze historical data such as:

• Number of new connections.
• PUBLISH/SUBSCRIBE messages.
• PUBLISH/SUBSCRIBE messages grouped by device ID.
• PUBLISH/SUBSCRIBE messages grouped by topic name.

The following screenshot shows some graphs that resulted from applying the Community Pack.

The Mosquitto community pack can be downloaded from here.

Logentries makes it easy to collect all of you IoT data into one central location for visualization, analysis, and alerting.  Sign up for a free Logentries account to get started.