Install Centralized Log Server Using Rsyslog And LogAnalyzer

What is Rsyslog?

Rsyslog is an open source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IP network. It implements the basic syslog protocol and extends it with content-based filtering, rich filtering capabilities and flexible configuration options, and adds important features such as using TCP for transport.

A central log server is very helpful for Linux administrators when viewing and troubleshooting errors after something goes wrong. In this tutorial we will see how to install and configure Rsyslog together with LogAnalyzer, a graphical front end for rsyslog, and how to forward logs from client systems to the Rsyslog server.

This article is created in two parts. On this page you will find the setup of Rsyslog integrated with a MySQL database; the next article helps you to install LogAnalyzer and integrate it with this setup.

Prerequisites:-

The server must be built with the Apache, MySQL and PHP packages, i.e. the LAMP stack (yum takes a space-separated package list, not commas):-

# yum install php* mysql* httpd*
# service httpd start
# service mysqld start
# chkconfig httpd on

Now Install Rsyslog:-
# yum install rsyslog*

After installation make sure we restart the rsyslog daemon:-
# service rsyslog restart
# chkconfig rsyslog on
# chkconfig mysqld on

Installing the complete set of MySQL and rsyslog packages ensures that the rsyslog-mysql package, which ships the database schema, is present:-
# vi /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql

Set 'syslogdb' as the database name in this file (the CREATE DATABASE and USE lines) so that it matches the name used in the rest of this setup:
CREATE DATABASE syslogdb;
USE syslogdb;
CREATE TABLE SystemEvents
(
……..
)

Now we will import the database tables in our Mysql server:-
# mysql -u root -p < /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql

Now we will check whether our database has been imported or not:-
[root@localhost ~]# mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.95 Source distribution
Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| syslogdb           |   <-- database is imported
| test               |
+--------------------+
4 rows in set (0.00 sec)
mysql> GRANT ALL ON syslogdb.* TO sysloguser@localhost IDENTIFIED BY 'redhat';
mysql> flush privileges;
mysql> exit;
bye

Edit the rsyslog configuration file:-

# vim /etc/rsyslog.conf
# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock
# Accept remote messages only from these senders; rsyslog applies the
# $AllowedSender lists to the listeners started after them, so keep these
# two lines above the UDP/TCP server directives
$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, 192.168.68.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, 192.168.68.0/24
# Provides UDP syslog reception (uncomment the below two lines)
$ModLoad imudp.so
$UDPServerRun 514
# Provides TCP syslog reception (uncomment the below two lines)
$ModLoad imtcp.so
$InputTCPServerRun 514
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Write every message to MySQL (add these two lines; the fields after
# :ommysql: are host, database, user, password)
$ModLoad ommysql
*.* :ommysql:127.0.0.1,syslogdb,sysloguser,redhat
………
:wq!
Wherein,
syslogdb = database name
sysloguser = database user
redhat = user password
$AllowedSender = accept logs only from the listed IP addresses/networks, on both TCP and UDP.
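The following is an added example, not part of the tutorial, that evaluates the two $AllowedSender directives from the configuration above the way rsyslog does for IPv4 senders, so you can predict which clients a listener will accept before touching the live server. It assumes POSIX sh, IPv4 addresses only and no host-name resolution; CONF is a constructed copy of the two directives.

```shell
#!/bin/sh
# Added example (not from the tutorial): decide whether a sender is allowed
# for a transport, using the $AllowedSender lines from the rsyslog.conf above.
# CONF is a constructed copy of those two directives.
CONF='$AllowedSender UDP, 127.0.0.1, 192.168.0.0/24, 192.168.68.0/24
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24, 192.168.68.0/24'

# Print the networks listed for one transport (UDP or TCP), space separated.
allowed_list() {
  printf '%s\n' "$CONF" | sed -n "s/^[\$]AllowedSender $1, *//p" | tr ',' ' '
}

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if sender $2 lies inside one of the networks allowed for transport $1.
# A plain address counts as /32; host names are not resolved in this example.
sender_allowed() {
  ip=$(ip_to_int "$2")
  for entry in $(allowed_list "$1"); do
    case $entry in
      */*) net=${entry%/*}; bits=${entry#*/} ;;
      *)   net=$entry; bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    if [ $(( ip & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
      return 0
    fi
  done
  return 1
}

# Usage: sh allowed_sender.sh TCP 192.168.68.10
if [ $# -eq 2 ]; then
  if sender_allowed "$1" "$2"; then echo "$1 from $2: accepted"; else echo "$1 from $2: dropped"; fi
fi
```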
This completes the configuration of the Rsyslog server. Next we set up the front end for viewing the captured logs, i.e. LogAnalyzer:-

Install Loganalyzer:-
LogAnalyzer is a GUI tool for viewing and managing rsyslog data and other network data. It is easy to manage and supports real-time reporting.

Download Path:-
# wget http://download.adiscon.com/loganalyzer/loganalyzer-3.6.5.tar.gz

Extract the tar file:-
# tar -zxvf loganalyzer-3.6.5.tar.gz

Now we need to move the extracted files to the document root of Apache:-
# mv loganalyzer-3.6.5/src/ /var/www/html/loganalyzer
# mv loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/

Now we need to set execute permission on the two scripts mentioned below and run the configure.sh script:-
# cd /var/www/html/loganalyzer/
# chmod +x configure.sh secure.sh
# ./configure.sh
The configure.sh script creates a blank PHP configuration file, which the web installer fills in later.

Adding firewall rules (the rule is saved before the restart, since a restart reloads the saved rule set and would otherwise drop it):-
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
# service iptables save
# service iptables restart

Now we access LogAnalyzer in a browser at http://<ip-address>/loganalyzer and can begin the configuration:-

1. At first it displays "Critical Error Occured". Click on the link that says "here".

2. Click Next.

3. Click Next.

4. Now pay attention to entering the correct values: click Yes on "Enable User Database" and enter the correct Database name, Database User and User Password. Click Yes on "Require user to be logged in".

5. Click Next to create the rsyslogdb tables.

6. Click Next.

7. Now create the administrator user for the LogAnalyzer console; you can use any user name of your choice.

8. Now select Source type as "MySQL Native" and enter the correct database name, database table name (SystemEvents; case sensitive), database username and password.

You can re-confirm the details from:-

# vim /usr/share/doc/rsyslog-mysql-3.22.1/createDB.sql

After that click Next.

9. Now click Finish to complete the installation.

10. Now enter the login credentials created earlier and you will get the dashboard. In case it shows "no syslog data", do the following:

# /etc/init.d/rsyslog restart
# /etc/init.d/httpd restart
# /etc/init.d/mysqld restart

After starting the above services you can view the syslog messages under "Show Events".
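Before moving on to the clients, an added check (not part of the tutorial) for the server's rsyslog.conf: the :ommysql: action stores the MySQL password in clear text, and that user was granted ALL on syslogdb, so the file should be readable only by root. The script below reports the configured database target and fails when the file is readable by group or others; it assumes POSIX sh and a single-line :ommysql: action like the one above.

```shell
#!/bin/sh
# Added check (not from the tutorial): audit an rsyslog.conf that carries the
# MySQL credentials of the ":ommysql:" action.

# Return 0 when FILE is accessible only by its owner (group/other bits cleared).
owner_only() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print "host database user" from the first uncommented :ommysql: action in FILE
# (the password is deliberately not printed); return 1 if none is found.
ommysql_target() {
  line=$(grep -v '^[[:space:]]*#' "$1" | grep ':ommysql:' | head -n 1)
  [ -n "$line" ] || return 1
  set -- ${line#*:ommysql:}          # first word is host,db,user,pass
  spec=$1
  old_ifs=$IFS; IFS=,; set -- $spec; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  printf '%s %s %s\n' "$1" "$2" "$3"
}

# Report the MySQL target and the file permissions; return 1 on any finding.
audit_rsyslog_conf() {
  rc=0
  if target=$(ommysql_target "$1"); then
    echo "$1: logs are written to MySQL -> $target"
  else
    echo "$1: no usable :ommysql: action found"; rc=1
  fi
  if ! owner_only "$1"; then
    echo "$1: readable by group/others but holds the DB password; run: chmod 600 $1"; rc=1
  fi
  return $rc
}

# Usage: sh audit_rsyslog_conf.sh /etc/rsyslog.conf
if [ $# -eq 1 ]; then
  audit_rsyslog_conf "$1"
fi
```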

CLIENT CONFIGURATION:

First we need to install the rsyslog package:-
# yum install rsyslog -y

Edit the configuration file and add a line that forwards everything to the server (@@ sends over TCP; a single @ would use UDP):-
# vim /etc/rsyslog.conf
*.* @@<ip-address-of-rsyslog-server>:514
:wq!

Restart the rsyslog service:-
# /etc/init.d/rsyslog restart
# chkconfig rsyslog on

Now you can see the logs of your client in the LogAnalyzer dashboard.
