I am looking at rsyslog, which is a fast syslog system, and LogAnalyzer as a front-end web GUI for those logs. The LogAnalyzer application offers searching of various syslogs; all of it is open source and available to download. In this guide I will go through the steps to get these two applications working together, and at the end of this tutorial we should have a working syslog system ready to take logs! The operating system I am using is the latest CentOS 6.5 minimal. Let’s get started.
Using VMware Workstation, the first thing I did was install a minimal version of CentOS on the VM. The VM has 30GB of disk, one processor with two cores and 2GB of RAM (which took about 10 minutes to install). Once the VM rebooted I logged into the root account, ran yum update and accepted all the updates the operating system found (which took about 10 minutes). Let’s first add some housekeeping packages like wget and nano with yum install wget nano; the minimal install does not include either of them. Nano is a good text editor for people who don’t want to use vi 🙂 I have also disabled iptables (service iptables stop; chkconfig iptables off) in this demo, but this is not recommended in a production environment.
FIRST: Let’s install apache:
yum install httpd
Start the Service:
service httpd start
Let’s make sure the service starts automatically when the server reboots:
chkconfig httpd on
Let’s test to make sure you can get to the sample webpage at http://your-server-ip-address; if it is working it should look something like the image below.
SECOND: Install MySQL:
yum install mysql mysql-server
After install is finished start it up:
service mysqld start
Like apache, let’s make sure this service starts when the server reboots:
chkconfig mysqld on
For security change the MySQL Admin password:
mysqladmin -u root password 'YourNewPassword'
Let’s Test MySQL, by logging into the database:
mysql -u root -p
Did you get something like below?
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.73 Source distribution

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>
THIRD: Install PHP:
yum install php php-mysql php-gd
Once the install has finished, create a phpinfo page in the Apache web root: type the following and save it as /var/www/html/test.php
<?php phpinfo(); ?>
Restart the Apache Service
service httpd restart
Open up your browser and go to http://your-server-ip-address/test.php. You should get something like the image below.
FOURTH: Install Rsyslog:
One thing first: CentOS ships an older version of rsyslog, so why not use the latest stable version from the Adiscon repository instead.
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
mv rsyslog.repo /etc/yum.repos.d/rsyslog.repo
yum install rsyslog* --skip-broken
Let’s start this service automatically when the server reboots:
chkconfig rsyslog on
Rsyslog ships a createDB script at /usr/share/doc/rsyslog-mysql-8.2.1/createDB.sql. You can leave this alone or optionally change the database name (don’t be boring). In this example I changed it to rsyslogdb (… still a little boring):
nano /usr/share/doc/rsyslog-mysql-8.2.1/createDB.sql
CREATE DATABASE rsyslogdb;
USE rsyslogdb;
CREATE TABLE SystemEvents [...]
Let’s create the rsyslogdb database:
mysql -u root -p < /usr/share/doc/rsyslog-mysql-8.2.1/createDB.sql
You should now be able to access the database:
mysql -u root -p rsyslogdb
For security, add a dedicated user called rsyslogdbadmin that only has rights on this database, with a password of your choosing. At the mysql> prompt:
GRANT ALL ON rsyslogdb.* TO rsyslogdbadmin@localhost IDENTIFIED BY 'NewPasswordHere';
FLUSH PRIVILEGES;
exit
Did it all work? Let’s test logging in as the new user, then exit mysql.
mysql -u rsyslogdbadmin -p rsyslogdb
Uncomment the following modules in the rsyslog.conf file (located at /etc/rsyslog.conf) and add the MySQL module line.
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

# Load the MySQL Module
module(load="ommysql")
You may also want to edit the Rules section to cut down logging to the console; in this example only messages at emergency level are sent to the console.
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
*.emerg /dev/console
Also note that by default rsyslog still writes everything it sees to the files under /var/log as well. If you are using LogAnalyzer to view logs, as in our example, those logs are also being stored in the MySQL database. Depending on how much logging you have, you may want to either disable these file rules and let LogAnalyzer do it all, or set up a cron job to drop the files once in a while.
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
In the forwarding rule add the following; this tells rsyslog to send all syslogs to the MySQL database. Note that the database password sits in clear text in rsyslog.conf, so keep that file readable by root only.
# ### begin forwarding rule ###
# Let's forward all logs to the MySQL Database
*.* :ommysql:127.0.0.1,rsyslogdb,rsyslogdbadmin,YourPassword
…
Save and exit the configuration file and restart the Rsyslog service to load the new configuration.
service rsyslog restart
You should now have some logs in the MySQL database; check it with the following:
mysql -u rsyslogdbadmin -p rsyslogdb
mysql> select count(*) from SystemEvents;
+----------+
| count(*) |
+----------+
|        2 |
+----------+
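As an added end-to-end check that is not part of the original post, the bash script below builds a syslog line carrying a known marker, pushes it into the imudp listener on port 514 through bash's /dev/udp device, and then queries SystemEvents for it. The listener address, the rsyslogdbadmin user and the SystemEvents column names (taken from createDB.sql) are assumptions, and the marker text is constructed.

```shell
#!/bin/bash
# Added ingestion check for the rsyslog -> ommysql -> rsyslogdb path built above.
# Assumptions (not from the original post): rsyslog listens on UDP 514 locally, the
# ommysql action writes to rsyslogdb, and SystemEvents has the Facility, Priority,
# FromHost, SysLogTag and Message columns from createDB.sql. Marker text is constructed.
set -u

# RFC 3164 <PRI> value: facility * 8 + severity (local0.info = 16*8+6 = 134).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build a BSD syslog line: <PRI>Mmm dd HH:MM:SS host tag: message
build_syslog_line() {
    local facility=$1 severity=$2 host=$3 tag=$4 message=$5 stamp
    stamp=$(date '+%b %e %H:%M:%S')
    printf '<%d>%s %s %s: %s' "$(syslog_pri "$facility" "$severity")" \
        "$stamp" "$host" "$tag" "$message"
}

# Deliver one line to the imudp listener via bash's /dev/udp device (no logger/nc needed).
send_udp() {
    local line=$1 target=${2:-127.0.0.1} port=${3:-514}
    printf '%s\n' "$line" > "/dev/udp/${target}/${port}"
}

# SQL that finds the marker and shows how rsyslog split PRI into Facility and Priority.
query_for_marker() {
    printf "SELECT ReceivedAt, FromHost, Facility, Priority, SysLogTag, Message \
FROM SystemEvents WHERE Message LIKE '%%%s%%' ORDER BY ID DESC LIMIT 5;" "$1"
}

main() {
    local marker="INGEST-CHECK-$(date +%s)-$$" line
    line=$(build_syslog_line 16 6 "$(hostname -s)" ingestcheck "$marker")   # local0.info
    send_udp "$line"
    sleep 2   # let the ommysql action commit before we query
    mysql -u rsyslogdbadmin -p rsyslogdb -e "$(query_for_marker "$marker")"
}

# Run as: ./ingest_check.sh run   (sourcing the file only defines the functions)
if [ "${1:-}" = "run" ]; then main; fi
```

If the row comes back with Facility 16 and Priority 6, rsyslog parsed the PRI correctly and the ommysql action is writing; an empty result usually means the input module or the forwarding rule is not loaded.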
FIFTH: Download the LogAnalyzer web application (loganalyzer-3.6.5.tar.gz):
Unpack the tarball:
tar zxvf loganalyzer-3.6.5.tar.gz
Copy the install files into the Apache web root:
cp -r loganalyzer-3.6.5/src/ /var/www/html/loganalyzer
cp -r loganalyzer-3.6.5/contrib/* /var/www/html/loganalyzer/
Let’s go into that folder:
cd /var/www/html/loganalyzer
Add execute permission to these two scripts:
chmod +x configure.sh secure.sh
Run ./configure.sh, which creates a blank config.php file and sets write access on it:
[root@localhost ]# ./configure.sh
To complete the install of LogAnalyzer we have to follow the prompts on the web. Browse to http://your-server-ip-address/loganalyzer and you should get an error page like the one below. Select the here link to start the install.
Select Next if the config.php file can be written.
In the Basic Configuration step, use the image below as a reference for your installation.
The next page creates the tables in the MySQL database; go ahead and select next.
The next page displays any SQL statements that failed; select next if you don’t have any failed statements.
In step 6 we create a main user account to log into the LogAnalyzer web app.
In step 7, we create our source for syslog messages, follow the image below for a reference.
Looks like we are done; select the “here” link to go to the login page.
One last thing to check with LogAnalyzer: it does DNS lookups of IP addresses, which can slow down the website if you have a lot of IPs in your logs. To disable that feature go to Admin Center and uncheck Resolve IP Addresses using DNS. I have personally pushed up to 500 syslog messages every 10 seconds thanks to the Kiwi Syslog Generator and did not see any performance hits other than the DNS issue. Hope this information is helpful. Let me know if you have used LogAnalyzer in a production environment; are there any gotchas? I have just been testing it in my lab and so far so good.